| Patrick Williams | 2194f50 | 2022-10-16 14:26:09 -0500 | [diff] [blame^] | 1 | From 066770ac1c69ee5b484bb82581b22ad0423b004d Mon Sep 17 00:00:00 2001 |
| 2 | From: Donald Sharp <sharpd@nvidia.com> |
| 3 | Date: Thu, 21 Jul 2022 08:11:58 -0400 |
| 4 | Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is |
| 5 | expected |
| 6 | |
| 7 | Ensure that if the capability length specified is enough data. |
| 8 | |
| 9 | Signed-off-by: Donald Sharp <sharpd@nvidia.com> |
| 10 | (cherry picked from commit ff6db1027f8f36df657ff2e5ea167773752537ed) |
| 11 | |
| 12 | CVE: CVE-2022-37032 |
| 13 | |
| 14 | Upstream-Status: Backport |
| 15 | [https://github.com/FRRouting/frr/commit/066770ac1c69ee5b484bb82581b22ad0423b004d] |
| 16 | |
| 17 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
| 18 | --- |
| 19 | bgpd/bgp_packet.c | 8 ++++++++ |
| 20 | 1 file changed, 8 insertions(+) |
| 21 | |
| 22 | diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c |
| 23 | index 7613ccc7d..a5f065a15 100644 |
| 24 | --- a/bgpd/bgp_packet.c |
| 25 | +++ b/bgpd/bgp_packet.c |
| 26 | @@ -2621,6 +2621,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, |
| 27 | "%s CAPABILITY has action: %d, code: %u, length %u", |
| 28 | peer->host, action, hdr->code, hdr->length); |
| 29 | |
| 30 | + if (hdr->length < sizeof(struct capability_mp_data)) { |
| 31 | + zlog_info( |
| 32 | + "%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d", |
| 33 | + peer, sizeof(struct capability_mp_data), |
| 34 | + hdr->length); |
| 35 | + return BGP_Stop; |
| 36 | + } |
| 37 | + |
| 38 | /* Capability length check. */ |
| 39 | if ((pnt + hdr->length + 3) > end) { |
| 40 | zlog_info("%s Capability length error", peer->host); |
| 41 | -- |
| 42 | 2.25.1 |
| 43 | |