2 files changed, 140 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2023-38802.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2023-38802.patch
new file mode 100644
index 0000000000..f9fdacfdbb
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-38802.patch
@@ -0,0 +1,139 @@
+From 46817adab03802355c3cce7b753c7a735bdcc5ae Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Thu, 13 Jul 2023 22:32:03 +0300
+Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation
+ attribute
+Before this path we used session reset method, which is discouraged by rfc7606.
+Handle this as rfc requires.
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+(cherry picked from commit bcb6b58d9530173df41d3a3cbc4c600ee0b4b186)
+CVE: CVE-2023-38802
+Upstream-Status: Backport
+[https://github.com/FRRouting/frr/commit/46817adab03802355c3cce7b753c7a735bdcc5ae]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ bgpd/bgp_attr.c | 61 ++++++++++++++++++++-----------------------------
+ 1 file changed, 25 insertions(+), 36 deletions(-)
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 058fae23c..1c0803cfd 100644
+--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
+@@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
+        case BGP_ATTR_LARGE_COMMUNITIES:
+        case BGP_ATTR_ORIGINATOR_ID:
+        case BGP_ATTR_CLUSTER_LIST:
+       case BGP_ATTR_ENCAP:
+        case BGP_ATTR_OTC:
+                return BGP_ATTR_PARSE_WITHDRAW;
+        case BGP_ATTR_MP_REACH_NLRI:
+@@ -2434,26 +2435,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args)
+ }
+ 
+ /* Parse Tunnel Encap attribute in an UPDATE */
+-static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+-                         bgp_size_t length, /* IN: attr's length field */
+-                         struct attr *attr, /* IN: caller already allocated */
+-                         uint8_t flag,      /* IN: attr's flags field */
+-                         uint8_t *startp)
+static int bgp_attr_encap(struct bgp_attr_parser_args *args)
+ {
+-       bgp_size_t total;
+        uint16_t tunneltype = 0;
+-
+-       total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);
+       struct peer *const peer = args->peer;
+       struct attr *const attr = args->attr;
+       bgp_size_t length = args->length;
+       uint8_t type = args->type;
+       uint8_t flag = args->flags;
+ 
+        if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS)
+            || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) {
+-               zlog_info(
+-                       "Tunnel Encap attribute flag isn't optional and transitive %d",
+-                       flag);
+-               bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
+-                                         BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR,
+-                                         startp, total);
+-               return -1;
+               zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d",
+                        flag);
+               return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+                                         args->total);
+        }
+ 
+        if (BGP_ATTR_ENCAP == type) {
+@@ -2461,12 +2457,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+                uint16_t tlv_length;
+ 
+                if (length < 4) {
+-                       zlog_info(
+                       zlog_err(
+                                "Tunnel Encap attribute not long enough to contain outer T,L");
+-                       bgp_notify_send_with_data(
+-                               peer, BGP_NOTIFY_UPDATE_ERR,
+-                               BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
+-                       return -1;
+                       return bgp_attr_malformed(args,
+                                                 BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+                                                 args->total);
+                }
+                tunneltype = stream_getw(BGP_INPUT(peer));
+                tlv_length = stream_getw(BGP_INPUT(peer));
+@@ -2496,13 +2491,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+                }
+ 
+                if (sublength > length) {
+-                       zlog_info(
+-                               "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
+-                               sublength, length);
+-                       bgp_notify_send_with_data(
+-                               peer, BGP_NOTIFY_UPDATE_ERR,
+-                               BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
+-                       return -1;
+                       zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
+                                sublength, length);
+                       return bgp_attr_malformed(args,
+                                                 BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+                                                 args->total);
+                }
+ 
+                /* alloc and copy sub-tlv */
+@@ -2550,13 +2543,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+ 
+        if (length) {
+                /* spurious leftover data */
+-               zlog_info(
+-                       "Tunnel Encap attribute length is bad: %d leftover octets",
+-                       length);
+-               bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
+-                                         BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+-                                         startp, total);
+-               return -1;
+               zlog_err("Tunnel Encap attribute length is bad: %d leftover octets",
+                        length);
+               return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+                                         args->total);
+        }
+ 
+        return 0;
+@@ -3396,8 +3386,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
+                case BGP_ATTR_VNC:
+ #endif
+                case BGP_ATTR_ENCAP:
+-                       ret = bgp_attr_encap(type, peer, length, attr, flag,
+-                                            startp);
+                       ret = bgp_attr_encap(&attr_args);
+                        break;
+                case BGP_ATTR_PREFIX_SID:
+                        ret = bgp_attr_prefix_sid(&attr_args);
+-- 
+2.25.1
diff --git a/meta-networking/recipes-protocols/frr/frr_8.4.4.bb b/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
index 826b687806..38be4a2c5a 100644
--- a/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
+++ b/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.4 \
           file://CVE-2023-3748.patch \
           file://CVE-2023-41358.patch \
           file://CVE-2023-41360.patch \
+           file://CVE-2023-38802.patch \
           "
 SRCREV = "45e36c0c00a517ad1606135b18c5753e210cfc0d"

diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2023-38802.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2023-38802.patch new file mode 100644 index 0000000000..f9fdacfdbb --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-38802.patch
@@ -0,0 +1,139 @@
		1	From 46817adab03802355c3cce7b753c7a735bdcc5ae Mon Sep 17 00:00:00 2001
		2	From: Donatas Abraitis <donatas@opensourcerouting.org>
		3	Date: Thu, 13 Jul 2023 22:32:03 +0300
		4	Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation
		5	attribute
		6
		7	Before this path we used session reset method, which is discouraged by rfc7606.
		8
		9	Handle this as rfc requires.
		10
		11	Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
		12	(cherry picked from commit bcb6b58d9530173df41d3a3cbc4c600ee0b4b186)
		13
		14	CVE: CVE-2023-38802
		15
		16	Upstream-Status: Backport
		17	[https://github.com/FRRouting/frr/commit/46817adab03802355c3cce7b753c7a735bdcc5ae]
		18
		19	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		20	---
		21	bgpd/bgp_attr.c \| 61 ++++++++++++++++++++-----------------------------
		22	1 file changed, 25 insertions(+), 36 deletions(-)
		23
		24	diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
		25	index 058fae23c..1c0803cfd 100644
		26	--- a/bgpd/bgp_attr.c
		27	+++ b/bgpd/bgp_attr.c
		28	@@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
		29	case BGP_ATTR_LARGE_COMMUNITIES:
		30	case BGP_ATTR_ORIGINATOR_ID:
		31	case BGP_ATTR_CLUSTER_LIST:
		32	+ case BGP_ATTR_ENCAP:
		33	case BGP_ATTR_OTC:
		34	return BGP_ATTR_PARSE_WITHDRAW;
		35	case BGP_ATTR_MP_REACH_NLRI:
		36	@@ -2434,26 +2435,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args)
		37	}
		38
		39	/* Parse Tunnel Encap attribute in an UPDATE */
		40	-static int bgp_attr_encap(uint8_t type, struct peer peer, / IN */
		41	- bgp_size_t length, /* IN: attr's length field */
		42	- struct attr attr, / IN: caller already allocated */
		43	- uint8_t flag, /* IN: attr's flags field */
		44	- uint8_t *startp)
		45	+static int bgp_attr_encap(struct bgp_attr_parser_args *args)
		46	{
		47	- bgp_size_t total;
		48	uint16_t tunneltype = 0;
		49	-
		50	- total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);
		51	+ struct peer *const peer = args->peer;
		52	+ struct attr *const attr = args->attr;
		53	+ bgp_size_t length = args->length;
		54	+ uint8_t type = args->type;
		55	+ uint8_t flag = args->flags;
		56
		57	if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS)
		58	\|\| !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) {
		59	- zlog_info(
		60	- "Tunnel Encap attribute flag isn't optional and transitive %d",
		61	- flag);
		62	- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
		63	- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR,
		64	- startp, total);
		65	- return -1;
		66	+ zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d",
		67	+ flag);
		68	+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
		69	+ args->total);
		70	}
		71
		72	if (BGP_ATTR_ENCAP == type) {
		73	@@ -2461,12 +2457,11 @@ static int bgp_attr_encap(uint8_t type, struct peer peer, / IN */
		74	uint16_t tlv_length;
		75
		76	if (length < 4) {
		77	- zlog_info(
		78	+ zlog_err(
		79	"Tunnel Encap attribute not long enough to contain outer T,L");
		80	- bgp_notify_send_with_data(
		81	- peer, BGP_NOTIFY_UPDATE_ERR,
		82	- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
		83	- return -1;
		84	+ return bgp_attr_malformed(args,
		85	+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
		86	+ args->total);
		87	}
		88	tunneltype = stream_getw(BGP_INPUT(peer));
		89	tlv_length = stream_getw(BGP_INPUT(peer));
		90	@@ -2496,13 +2491,11 @@ static int bgp_attr_encap(uint8_t type, struct peer peer, / IN */
		91	}
		92
		93	if (sublength > length) {
		94	- zlog_info(
		95	- "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
		96	- sublength, length);
		97	- bgp_notify_send_with_data(
		98	- peer, BGP_NOTIFY_UPDATE_ERR,
		99	- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
		100	- return -1;
		101	+ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
		102	+ sublength, length);
		103	+ return bgp_attr_malformed(args,
		104	+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
		105	+ args->total);
		106	}
		107
		108	/* alloc and copy sub-tlv */
		109	@@ -2550,13 +2543,10 @@ static int bgp_attr_encap(uint8_t type, struct peer peer, / IN */
		110
		111	if (length) {
		112	/* spurious leftover data */
		113	- zlog_info(
		114	- "Tunnel Encap attribute length is bad: %d leftover octets",
		115	- length);
		116	- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
		117	- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
		118	- startp, total);
		119	- return -1;
		120	+ zlog_err("Tunnel Encap attribute length is bad: %d leftover octets",
		121	+ length);
		122	+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
		123	+ args->total);
		124	}
		125
		126	return 0;
		127	@@ -3396,8 +3386,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer peer, struct attr attr,
		128	case BGP_ATTR_VNC:
		129	#endif
		130	case BGP_ATTR_ENCAP:
		131	- ret = bgp_attr_encap(type, peer, length, attr, flag,
		132	- startp);
		133	+ ret = bgp_attr_encap(&attr_args);
		134	break;
		135	case BGP_ATTR_PREFIX_SID:
		136	ret = bgp_attr_prefix_sid(&attr_args);
		137	--
		138	2.25.1
		139


diff --git a/meta-networking/recipes-protocols/frr/frr_8.4.4.bb b/meta-networking/recipes-protocols/frr/frr_8.4.4.bb index 826b687806..38be4a2c5a 100644 --- a/meta-networking/recipes-protocols/frr/frr_8.4.4.bb +++ b/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.4 \
15	file://CVE-2023-3748.patch \	15	file://CVE-2023-3748.patch \
16	file://CVE-2023-41358.patch \	16	file://CVE-2023-41358.patch \
17	file://CVE-2023-41360.patch \	17	file://CVE-2023-41360.patch \
		18	file://CVE-2023-38802.patch \
18	"	19	"
19		20
20	SRCREV = "45e36c0c00a517ad1606135b18c5753e210cfc0d"	21	SRCREV = "45e36c0c00a517ad1606135b18c5753e210cfc0d"