| From f316975cedd8ef17d47b56be0d3d21711fe44a25 Mon Sep 17 00:00:00 2001 |
| From: Donald Sharp <sharpd@nvidia.com> |
| Date: Wed, 2 Nov 2022 13:24:48 -0400 |
| Subject: [PATCH] bgpd: Ensure that bgp open message stream has enough data to |
| read |
| |
| If an operator receives an invalid packet that is of insufficient size |
| then it is possible for BGP to assert during reading of the packet |
| instead of gracefully resetting the connection with the peer. |
| |
| Signed-off-by: Donald Sharp <sharpd@nvidia.com> |
| (cherry picked from commit 766eec1b7accffe2c04a5c9ebb14e9f487bb9f78) |
| |
| CVE: CVE-2022-43681 |
| |
| Upstream-Status: Backport |
| [https://github.com/FRRouting/frr/commit/766eec1b7accffe2c04a5c9ebb14e9f487bb9f78] |
| |
| Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de> |
| --- |
| bgpd/bgp_packet.c | 19 +++++++++++++++++++ |
| 1 file changed, 19 insertions(+) |
| |
| diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c |
| index bcd47e32d453..5225db29fe09 100644 |
| --- a/bgpd/bgp_packet.c |
| +++ b/bgpd/bgp_packet.c |
| @@ -1176,8 +1176,27 @@ static int bgp_open_receive(struct peer *peer, bgp_size_t size) |
| || CHECK_FLAG(peer->flags, PEER_FLAG_EXTENDED_OPT_PARAMS)) { |
| uint8_t opttype; |
| |
| + if (STREAM_READABLE(peer->curr) < 1) { |
| + flog_err( |
| + EC_BGP_PKT_OPEN, |
| + "%s: stream does not have enough bytes for extended optional parameters", |
| + peer->host); |
| + bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR, |
| + BGP_NOTIFY_OPEN_MALFORMED_ATTR); |
| + return BGP_Stop; |
| + } |
| + |
| opttype = stream_getc(peer->curr); |
| if (opttype == BGP_OPEN_NON_EXT_OPT_TYPE_EXTENDED_LENGTH) { |
| + if (STREAM_READABLE(peer->curr) < 2) { |
| + flog_err( |
| + EC_BGP_PKT_OPEN, |
| + "%s: stream does not have enough bytes to read the extended optional parameters optlen", |
| + peer->host); |
| + bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR, |
| + BGP_NOTIFY_OPEN_MALFORMED_ATTR); |
| + return BGP_Stop; |
| + } |
| optlen = stream_getw(peer->curr); |
| SET_FLAG(peer->sflags, |
| PEER_STATUS_EXT_OPT_PARAMS_LENGTH); |
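Review bot: The 16-bit `optlen` read by `stream_getw(peer->curr)` is peer-controlled, and nothing visible in this hunk bounds it against the bytes still left in the stream. The two new guards only cover the one-byte `opttype` and the two-byte length field itself. `bgp_open_receive` continues past the end of the hunk, so the option parser may already reject an oversized `optlen`; this is worth confirming, and if it does not, a guard in the same style such as `if (STREAM_READABLE(peer->curr) < optlen)` belongs before the options are parsed. The first guard also fires whenever `PEER_FLAG_EXTENDED_OPT_PARAMS` is set locally and the OPEN ends right after the length byte, so it is worth checking that a peer sending no optional parameters is not reset by it. A short comment such as `/* opttype is one byte, the extended optlen is two */` would explain the `< 1` and `< 2` thresholds.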
| -- |
| 2.40.1 |
| |