CVE-2022-37032: An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may lead to a segmentation fault and denial of service. This occurs in bgp_capability_msg_parse in bgpd/bgp_packet.c.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-37032 Patch from: https://github.com/FRRouting/frr/commit/066770ac1c69ee5b484bb82581b22ad0423b004d Signed-off-by: Yi Zhao <[email protected]> --- ...dr-length-is-at-a-minimum-of-what-is.patch | 43 +++++++++++++++++++ .../recipes-protocols/frr/frr_8.3.1.bb | 1 + 2 files changed, 44 insertions(+) create mode 100644 meta-networking/recipes-protocols/frr/frr/0001-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch diff --git a/meta-networking/recipes-protocols/frr/frr/0001-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch b/meta-networking/recipes-protocols/frr/frr/0001-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch new file mode 100644 index 000000000..52b39c1e8 --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/0001-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch @@ -0,0 +1,43 @@ +From 066770ac1c69ee5b484bb82581b22ad0423b004d Mon Sep 17 00:00:00 2001 +From: Donald Sharp <[email protected]> +Date: Thu, 21 Jul 2022 08:11:58 -0400 +Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is + expected + +Ensure that if the capability length specified is enough data. + +Signed-off-by: Donald Sharp <[email protected]> +(cherry picked from commit ff6db1027f8f36df657ff2e5ea167773752537ed) + +CVE: CVE-2022-37032 + +Upstream-Status: Backport +[https://github.com/FRRouting/frr/commit/066770ac1c69ee5b484bb82581b22ad0423b004d] + +Signed-off-by: Yi Zhao <[email protected]> +--- + bgpd/bgp_packet.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index 7613ccc7d..a5f065a15 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -2621,6 +2621,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, + "%s CAPABILITY has action: %d, code: %u, length %u", + peer->host, action, hdr->code, hdr->length); + ++ if (hdr->length < sizeof(struct capability_mp_data)) { ++ zlog_info( ++ "%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d", ++ peer, sizeof(struct capability_mp_data), ++ hdr->length); ++ return BGP_Stop; ++ } ++ + /* Capability length check. */ + if ((pnt + hdr->length + 3) > end) { + zlog_info("%s Capability length error", peer->host); +-- +2.25.1 + diff --git a/meta-networking/recipes-protocols/frr/frr_8.3.1.bb b/meta-networking/recipes-protocols/frr/frr_8.3.1.bb index c69720e6f..1abea6345 100644 --- a/meta-networking/recipes-protocols/frr/frr_8.3.1.bb +++ b/meta-networking/recipes-protocols/frr/frr_8.3.1.bb @@ -13,6 +13,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.3 \ file://0001-configure-Check-for-readline-function-instead-of-mai.patch \ file://0001-ospfd-Adding-SUPPORT_OSPF_API-define-in-ospf_spf.c.patch \ file://0001-bgpd-avoid-notify-race-between-io-and-main-pthreads.patch \ + file://0001-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch \ file://frr.pam \ " -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#99153): https://lists.openembedded.org/g/openembedded-devel/message/99153 Mute This Topic: https://lists.openembedded.org/mt/94296301/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
