| From 9ecacf2176d2bac4b90e17d49facb8712c1b467a Mon Sep 17 00:00:00 2001 |
| From: Donatas Abraitis <donatas@opensourcerouting.org> |
| Date: Sun, 20 Aug 2023 22:15:27 +0300 |
| Subject: [PATCH 2/2] bgpd: Don't read the first byte of ORF header if we are |
| ahead of stream |
| |
| Reported-by: Iggy Frankovic iggyfran@amazon.com |
| Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org> |
| |
| Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/9b855a692e68e0d16467e190b466b4ecb6853702] |
| |
| CVE: CVE-2023-41360 |
| |
| Signed-off-by: Robert Yang <liezhi.yang@windriver.com> |
| --- |
| bgpd/bgp_packet.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c |
| index 3c2e73c59..f1d0e54c0 100644 |
| --- a/bgpd/bgp_packet.c |
| +++ b/bgpd/bgp_packet.c |
| @@ -2375,7 +2375,8 @@ static int bgp_route_refresh_receive(struct peer *peer, bgp_size_t size) |
| * and 7 bytes of ORF Address-filter entry from |
| * the stream |
| */ |
| - if (*p_pnt & ORF_COMMON_PART_REMOVE_ALL) { |
| + if (p_pnt < p_end && |
| + *p_pnt & ORF_COMMON_PART_REMOVE_ALL) { |
| if (bgp_debug_neighbor_events(peer)) |
| zlog_debug( |
| "%pBP rcvd Remove-All pfxlist ORF request", |
| -- |
| 2.35.5 |
| |