| From 066770ac1c69ee5b484bb82581b22ad0423b004d Mon Sep 17 00:00:00 2001 |
| From: Donald Sharp <sharpd@nvidia.com> |
| Date: Thu, 21 Jul 2022 08:11:58 -0400 |
| Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is |
| expected |
| |
| Ensure that if the capability length specified is enough data. |
| |
| Signed-off-by: Donald Sharp <sharpd@nvidia.com> |
| (cherry picked from commit ff6db1027f8f36df657ff2e5ea167773752537ed) |
| |
| CVE: CVE-2022-37032 |
| |
| Upstream-Status: Backport |
| [https://github.com/FRRouting/frr/commit/066770ac1c69ee5b484bb82581b22ad0423b004d] |
| |
| Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
| --- |
| bgpd/bgp_packet.c | 8 ++++++++ |
| 1 file changed, 8 insertions(+) |
| |
| diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c |
| index 7613ccc7d..a5f065a15 100644 |
| --- a/bgpd/bgp_packet.c |
| +++ b/bgpd/bgp_packet.c |
| @@ -2621,6 +2621,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, |
| "%s CAPABILITY has action: %d, code: %u, length %u", |
| peer->host, action, hdr->code, hdr->length); |
| |
| + if (hdr->length < sizeof(struct capability_mp_data)) { |
| + zlog_info( |
| + "%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d", |
| + peer, sizeof(struct capability_mp_data), |
| + hdr->length); |
| + return BGP_Stop; |
| + } |
| + |
| /* Capability length check. */ |
| if ((pnt + hdr->length + 3) > end) { |
| zlog_info("%s Capability length error", peer->host); |
| -- |
| 2.25.1 |
| |