
[meta-networking,master,mickledore] frr: Security fix CVE-2023-3748

Message ID 20230828104918.471061-1-yi.zhao@windriver.com
State Under Review

Commit Message

Yi Zhao Aug. 28, 2023, 10:49 a.m. UTC
CVE-2023-3748:
A flaw was found in FRRouting when parsing certain babeld unicast hello
messages that are intended to be ignored. This issue may allow an
attacker to send specially crafted hello messages with the unicast flag
set, the interval field set to 0, or any TLV that contains a sub-TLV
with the Mandatory flag set to enter an infinite loop and cause a denial
of service.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-3748

Patch from:
https://github.com/FRRouting/frr/commit/ae1e0e1fed77716bc06f181ad68c4433fb5523d0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 .../frr/frr/CVE-2023-3748.patch               | 54 +++++++++++++++++++
 .../recipes-protocols/frr/frr_8.4.4.bb        |  1 +
 2 files changed, 55 insertions(+)
 create mode 100644 meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch

Comments

Khem Raj Aug. 28, 2023, 5:05 p.m. UTC | #1
Does this also apply to master? If so, then it should be routed through master.

On Mon, Aug 28, 2023 at 3:49 AM Yi Zhao <yi.zhao@eng.windriver.com> wrote:
>
> CVE-2023-3748:
> A flaw was found in FRRouting when parsing certain babeld unicast hello
> messages that are intended to be ignored. This issue may allow an
> attacker to send specially crafted hello messages with the unicast flag
> set, the interval field set to 0, or any TLV that contains a sub-TLV
> with the Mandatory flag set to enter an infinite loop and cause a denial
> of service.
>
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2023-3748
>
> Patch from:
> https://github.com/FRRouting/frr/commit/ae1e0e1fed77716bc06f181ad68c4433fb5523d0
>
> Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
> ---
>  .../frr/frr/CVE-2023-3748.patch               | 54 +++++++++++++++++++
>  .../recipes-protocols/frr/frr_8.4.4.bb        |  1 +
>  2 files changed, 55 insertions(+)
>  create mode 100644 meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch
>
> diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch
> new file mode 100644
> index 000000000..4a8a7e1af
> --- /dev/null
> +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch
> @@ -0,0 +1,54 @@
> +From e61593f2ded104c4c7f01eb93e2b404e93e0c560 Mon Sep 17 00:00:00 2001
> +From: harryreps <harryreps@gmail.com>
> +Date: Fri, 3 Mar 2023 23:17:14 +0000
> +Subject: [PATCH] babeld: fix #11808 to avoid infinite loops
> +
> +Replacing continue in loops to goto done so that index of packet buffer
> +increases.
> +
> +Signed-off-by: harryreps <harryreps@gmail.com>
> +
> +CVE: CVE-2023-3748
> +
> +Upstream-Status: Backport
> +[https://github.com/FRRouting/frr/commit/ae1e0e1fed77716bc06f181ad68c4433fb5523d0]
> +
> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
> +---
> + babeld/message.c | 6 +++---
> + 1 file changed, 3 insertions(+), 3 deletions(-)
> +
> +diff --git a/babeld/message.c b/babeld/message.c
> +index 7d45d91bf..2bf233796 100644
> +--- a/babeld/message.c
> ++++ b/babeld/message.c
> +@@ -439,7 +439,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
> +                       debugf(BABEL_DEBUG_COMMON,
> +                              "Received Hello from %s on %s that does not have all 0's in the unused section of flags, ignoring",
> +                              format_address(from), ifp->name);
> +-                      continue;
> ++                      goto done;
> +               }
> +
> +               /*
> +@@ -451,7 +451,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
> +                       debugf(BABEL_DEBUG_COMMON,
> +                              "Received Unicast Hello from %s on %s that FRR is not prepared to understand yet",
> +                              format_address(from), ifp->name);
> +-                      continue;
> ++                      goto done;
> +               }
> +
> +               DO_NTOHS(seqno, message + 4);
> +@@ -469,7 +469,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
> +                       debugf(BABEL_DEBUG_COMMON,
> +                              "Received hello from %s on %s should be ignored as that this version of FRR does not know how to properly handle interval == 0",
> +                              format_address(from), ifp->name);
> +-                      continue;
> ++                      goto done;
> +               }
> +
> +               changed = update_neighbour(neigh, seqno, interval);
> +--
> +2.25.1
> +
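Review bot: The embedded patch header carries two different commit ids: the From line reads e61593f2ded104c4c7f01eb93e2b404e93e0c560 while Upstream-Status points at commit ae1e0e1fed77716bc06f181ad68c4433fb5523d0. If the From id comes from a local cherry-pick, say so in the header, or regenerate the header from the upstream commit so that the id a reader looks up matches the Backport link.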
> diff --git a/meta-networking/recipes-protocols/frr/frr_8.4.4.bb b/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
> index b87c3e78b..f32b52f33 100644
> --- a/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
> +++ b/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
> @@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
>  SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.4 \
>             file://frr.pam \
>             file://0001-m4-ax_python.m4-check-for-python-x.y-emded.pc-not-py.patch \
> +           file://CVE-2023-3748.patch \
>             "
>
>  SRCREV = "45e36c0c00a517ad1606135b18c5753e210cfc0d"
> --
> 2.25.1
>
>
Yi Zhao Aug. 29, 2023, 12:42 a.m. UTC | #2
On 8/29/23 01:05, Khem Raj wrote:
> Does this also apply to master? If so, then it should be routed through master.

Yes. It also applies to master.


//Yi

>
> On Mon, Aug 28, 2023 at 3:49 AM Yi Zhao <yi.zhao@eng.windriver.com> wrote:
>> CVE-2023-3748:
>> A flaw was found in FRRouting when parsing certain babeld unicast hello
>> messages that are intended to be ignored. This issue may allow an
>> attacker to send specially crafted hello messages with the unicast flag
>> set, the interval field set to 0, or any TLV that contains a sub-TLV
>> with the Mandatory flag set to enter an infinite loop and cause a denial
>> of service.
>>
>> Reference:
>> https://nvd.nist.gov/vuln/detail/CVE-2023-3748
>>
>> Patch from:
>> https://github.com/FRRouting/frr/commit/ae1e0e1fed77716bc06f181ad68c4433fb5523d0
>>
>> Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
>> ---
>>   .../frr/frr/CVE-2023-3748.patch               | 54 +++++++++++++++++++
>>   .../recipes-protocols/frr/frr_8.4.4.bb        |  1 +
>>   2 files changed, 55 insertions(+)
>>   create mode 100644 meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch
>>
>> diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch
>> new file mode 100644
>> index 000000000..4a8a7e1af
>> --- /dev/null
>> +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch
>> @@ -0,0 +1,54 @@
>> +From e61593f2ded104c4c7f01eb93e2b404e93e0c560 Mon Sep 17 00:00:00 2001
>> +From: harryreps <harryreps@gmail.com>
>> +Date: Fri, 3 Mar 2023 23:17:14 +0000
>> +Subject: [PATCH] babeld: fix #11808 to avoid infinite loops
>> +
>> +Replacing continue in loops to goto done so that index of packet buffer
>> +increases.
>> +
>> +Signed-off-by: harryreps <harryreps@gmail.com>
>> +
>> +CVE: CVE-2023-3748
>> +
>> +Upstream-Status: Backport
>> +[https://github.com/FRRouting/frr/commit/ae1e0e1fed77716bc06f181ad68c4433fb5523d0]
>> +
>> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
>> +---
>> + babeld/message.c | 6 +++---
>> + 1 file changed, 3 insertions(+), 3 deletions(-)
>> +
>> +diff --git a/babeld/message.c b/babeld/message.c
>> +index 7d45d91bf..2bf233796 100644
>> +--- a/babeld/message.c
>> ++++ b/babeld/message.c
>> +@@ -439,7 +439,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
>> +                       debugf(BABEL_DEBUG_COMMON,
>> +                              "Received Hello from %s on %s that does not have all 0's in the unused section of flags, ignoring",
>> +                              format_address(from), ifp->name);
>> +-                      continue;
>> ++                      goto done;
>> +               }
>> +
>> +               /*
>> +@@ -451,7 +451,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
>> +                       debugf(BABEL_DEBUG_COMMON,
>> +                              "Received Unicast Hello from %s on %s that FRR is not prepared to understand yet",
>> +                              format_address(from), ifp->name);
>> +-                      continue;
>> ++                      goto done;
>> +               }
>> +
>> +               DO_NTOHS(seqno, message + 4);
>> +@@ -469,7 +469,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
>> +                       debugf(BABEL_DEBUG_COMMON,
>> +                              "Received hello from %s on %s should be ignored as that this version of FRR does not know how to properly handle interval == 0",
>> +                              format_address(from), ifp->name);
>> +-                      continue;
>> ++                      goto done;
>> +               }
>> +
>> +               changed = update_neighbour(neigh, seqno, interval);
>> +--
>> +2.25.1
>> +
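Review bot: All three replacements in babeld/message.c jump to a `done` label that lies outside the context lines of every hunk, so the fix cannot be checked from the patch alone. The embedded commit message only says the change makes the "index of packet buffer" increase; one more sentence stating that `continue` bypassed the advance reached through `done` would let a reviewer confirm the backport against the 8.4.4 source without opening the upstream tree.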
>> diff --git a/meta-networking/recipes-protocols/frr/frr_8.4.4.bb b/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
>> index b87c3e78b..f32b52f33 100644
>> --- a/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
>> +++ b/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
>> @@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
>>   SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.4 \
>>              file://frr.pam \
>>              file://0001-m4-ax_python.m4-check-for-python-x.y-emded.pc-not-py.patch \
>> +           file://CVE-2023-3748.patch \
>>              "
>>
>>   SRCREV = "45e36c0c00a517ad1606135b18c5753e210cfc0d"
>> --
>> 2.25.1
>>
>>

Patch

diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch
new file mode 100644
index 000000000..4a8a7e1af
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch
@@ -0,0 +1,54 @@ 
+From e61593f2ded104c4c7f01eb93e2b404e93e0c560 Mon Sep 17 00:00:00 2001
+From: harryreps <harryreps@gmail.com>
+Date: Fri, 3 Mar 2023 23:17:14 +0000
+Subject: [PATCH] babeld: fix #11808 to avoid infinite loops
+
+Replacing continue in loops to goto done so that index of packet buffer
+increases.
+
+Signed-off-by: harryreps <harryreps@gmail.com>
+
+CVE: CVE-2023-3748
+
+Upstream-Status: Backport
+[https://github.com/FRRouting/frr/commit/ae1e0e1fed77716bc06f181ad68c4433fb5523d0]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ babeld/message.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/babeld/message.c b/babeld/message.c
+index 7d45d91bf..2bf233796 100644
+--- a/babeld/message.c
++++ b/babeld/message.c
+@@ -439,7 +439,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
+ 			debugf(BABEL_DEBUG_COMMON,
+ 			       "Received Hello from %s on %s that does not have all 0's in the unused section of flags, ignoring",
+ 			       format_address(from), ifp->name);
+-			continue;
++			goto done;
+ 		}
+ 
+ 		/*
+@@ -451,7 +451,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
+ 			debugf(BABEL_DEBUG_COMMON,
+ 			       "Received Unicast Hello from %s on %s that FRR is not prepared to understand yet",
+ 			       format_address(from), ifp->name);
+-			continue;
++			goto done;
+ 		}
+ 
+ 		DO_NTOHS(seqno, message + 4);
+@@ -469,7 +469,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
+ 			debugf(BABEL_DEBUG_COMMON,
+ 			       "Received hello from %s on %s should be ignored as that this version of FRR does not know how to properly handle interval == 0",
+ 			       format_address(from), ifp->name);
+-			continue;
++			goto done;
+ 		}
+ 
+ 		changed = update_neighbour(neigh, seqno, interval);
+-- 
+2.25.1
+
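Review bot: The CVE description in the commit message names three triggers (unicast flag set, interval field set to 0, a sub-TLV with the Mandatory flag set), but the three `continue` to `goto done` replacements in babeld/message.c all sit in Hello handling: the unused-flag-bits check, the Unicast Hello check and the interval == 0 check. None of these hunks touches sub-TLV parsing, so please state in the patch header whether the Mandatory sub-TLV case is reached through one of these same paths or needs an additional upstream commit, and name that commit if so.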
diff --git a/meta-networking/recipes-protocols/frr/frr_8.4.4.bb b/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
index b87c3e78b..f32b52f33 100644
--- a/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
+++ b/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
@@ -12,6 +12,7 @@  LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.4 \
            file://frr.pam \
            file://0001-m4-ax_python.m4-check-for-python-x.y-emded.pc-not-py.patch \
+           file://CVE-2023-3748.patch \
            "
 
 SRCREV = "45e36c0c00a517ad1606135b18c5753e210cfc0d"
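Review bot: The new SRC_URI entry is added to a recipe that fetches branch=stable/8.4 at a pinned SRCREV, and nothing records when the patch becomes redundant. A line in the commit message saying that CVE-2023-3748.patch is to be dropped once SRCREV moves to a revision containing the fix would help whoever does the next version bump.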