2 files changed, 72 insertions, 0 deletions

diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2022-36440.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2022-36440.patch
new file mode 100644
index 0000000000..c06de49eb3
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2022-36440.patch
@@ -0,0 +1,71 @@
+From 02a0e45f66160f571196a105b217e1bb84d1a835 Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Fri, 30 Sep 2022 08:51:45 -0400
+Subject: [PATCH] bgpd: Ensure FRR has enough data to read 2 bytes in
+ peek_for_as4_capability
+
+In peek_for_as4_capability the code is checking that the
+stream has at least 2 bytes to read ( the opt_type and the
+opt_length ).  However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
+is configured then FRR is reading 3 bytes.  Which is not good
+since the packet could be badly formated.  Ensure that
+FRR has the appropriate data length to read the data.
+
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+(cherry picked from commit 3e46b43e3788f0f87bae56a86b54d412b4710286)
+
+CVE: CVE-2022-36440
+CVE: CVE-2022-40302
+
+Upstream-Status: Backport
+[https://github.com/FRRouting/frr/commit/02a0e45f66160f571196a105b217e1bb84d1a835]
+
+Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
+---
+ bgpd/bgp_open.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
+index c2562c75d3fc..fe4c24a8c979 100644
+--- a/bgpd/bgp_open.c
++++ b/bgpd/bgp_open.c
+@@ -1116,15 +1116,30 @@ as_t peek_for_as4_capability(struct peer *peer, uint16_t length)
+                uint8_t opt_type;
+                uint16_t opt_length;
+ 
+-               /* Check the length. */
+-               if (stream_get_getp(s) + 2 > end)
++               /* Ensure we can read the option type */
++               if (stream_get_getp(s) + 1 > end)
+                        goto end;
+ 
+-               /* Fetch option type and length. */
++               /* Fetch the option type */
+                opt_type = stream_getc(s);
+-               opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
+-                                    ? stream_getw(s)
+-                                    : stream_getc(s);
++
++               /*
++                * Check the length and fetch the opt_length
++                * If the peer is BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
++                * then we do a getw which is 2 bytes.  So we need to
++                * ensure that we can read that as well
++                */
++               if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) {
++                       if (stream_get_getp(s) + 2 > end)
++                               goto end;
++
++                       opt_length = stream_getw(s);
++               } else {
++                       if (stream_get_getp(s) + 1 > end)
++                               goto end;
++
++                       opt_length = stream_getc(s);
++               }
+ 
+                /* Option length check. */
+                if (stream_get_getp(s) + opt_length > end)
+-- 
+2.40.1
+
diff --git a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
index 80f4729e1f..2da870ae4e 100644
--- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
+++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
@@ -13,6 +13,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \
            file://CVE-2022-37035.patch \
            file://CVE-2022-37032.patch \
            file://CVE-2022-42917.patch \
+           file://CVE-2022-36440.patch \
            file://frr.pam \
               "