File Quagga-CVE-2023-41358-bgpd-NLRIs.bsc1214735.patch of Package quagga.30717

From 980ee75e303310fbdfdccc33f46392a927ca9463 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Tue, 22 Aug 2023 22:52:04 +0300
Subject: [PATCH] bgpd: Do not process NLRIs if the attribute length is zero
Upstream: yes
References: CVE-2023-41358,bsc#1214735,https://github.com/FRRouting/frr/pull/14260

Adopted the CVE-2023-41358 fix implemented by Donatas Abraitis for frr, see:
 - https://github.com/FRRouting/frr/issues/14289
 - https://github.com/FRRouting/frr/pull/14260

```
The issue is that we try to process NLRIs even if the attribute length is 0.

Later bgp_update() will handle route-maps and a crash occurs because all the
attributes are NULL, including aspath, where we dereference.

According to the RFC 4271:

   A value of 0 indicates that neither the Network Layer
   Reachability Information field nor the Path Attribute field is
   present in this UPDATE message.

But with a fuzzed UPDATE message this can be faked. I think it's reasonable
to skip processing NLRIs if both update_len and attribute_len are 0.

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
```
Signed-off-by: Marius Tomaschewski <mt@suse.com>

diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 56e27dc6..9b064003 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -1798,7 +1798,7 @@ bgp_update_receive (struct peer *peer, bgp_size_t size)
   /* Network Layer Reachability Information. */
   update_len = end - stream_pnt (s);
 
-  if (update_len)
+  if (update_len && attribute_len)
     {
       /* Set NLRI portion to structure. */
       nlris[NLRI_UPDATE].afi = AFI_IP;
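Review bot: the new condition `if (update_len && attribute_len)` makes the NLRI skip silent in exactly the case the commit message calls out as malformed (NLRI bytes present, attribute length 0), so an operator has no trace that a peer is sending fuzzed or broken UPDATEs; consider at least a warning log with the peer and both lengths before the `if`, or treating the message as a "Malformed Attribute List" UPDATE error under RFC 4271 and notifying the peer, rather than consuming it as a valid UPDATE. The fix itself is sound as far as the visible lines go: it only adds a conjunct, so the withdraw-only case the RFC quote describes (both lengths 0) still takes the same path it did before.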
-- 
2.35.3
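The check the hunk above adds, as an added example in C that is not part of this patch or of quagga's code: a self-contained walker over a BGP UPDATE body that bounds-checks the Withdrawn Routes Length and Total Path Attribute Length fields, derives the same `update_len` and `attribute_len` the hunk tests, and returns a distinct verdict for the legal "both zero" case, the malformed "NLRI but no attributes" case the fix skips, and a truncated message. The sample messages are constructed, and the names `check_update`, `update_verdict` and `update_lengths` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict of the length check an UPDATE receiver makes before it hands the
 * NLRI field to route processing.  Hypothetical enum, not quagga's own. */
enum update_verdict {
    UPDATE_TRUNCATED,      /* a declared length runs past the end of the message */
    UPDATE_NO_NLRI,        /* update_len == 0: nothing announced (e.g. withdraw-only) */
    UPDATE_NLRI_NO_ATTRS,  /* NLRI present but attribute_len == 0: malformed, skip */
    UPDATE_PROCESS_NLRI    /* both non-zero: attributes exist, NLRI may be processed */
};

struct update_lengths {
    uint16_t withdrawn_len;   /* Withdrawn Routes Length */
    uint16_t attribute_len;   /* Total Path Attribute Length */
    size_t   update_len;      /* bytes left after the attributes: the NLRI field */
};

static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Walk an UPDATE body (19-byte BGP header already removed), bounds-checking
 * each declared length, then apply the patched condition
 * "update_len && attribute_len".  Hypothetical function name. */
enum update_verdict check_update(const uint8_t *body, size_t size,
                                 struct update_lengths *out)
{
    const uint8_t *p = body;
    const uint8_t *end = body + size;
    struct update_lengths l = { 0, 0, 0 };

    if ((size_t)(end - p) < 2)
        return UPDATE_TRUNCATED;
    l.withdrawn_len = get_be16(p);
    p += 2;
    if ((size_t)(end - p) < l.withdrawn_len)
        return UPDATE_TRUNCATED;
    p += l.withdrawn_len;

    if ((size_t)(end - p) < 2)
        return UPDATE_TRUNCATED;
    l.attribute_len = get_be16(p);
    p += 2;
    if ((size_t)(end - p) < l.attribute_len)
        return UPDATE_TRUNCATED;
    p += l.attribute_len;

    l.update_len = (size_t)(end - p);
    if (out)
        *out = l;

    if (l.update_len == 0)
        return UPDATE_NO_NLRI;
    if (l.attribute_len == 0)
        return UPDATE_NLRI_NO_ATTRS;   /* the case the fix keeps away from bgp_update() */
    return UPDATE_PROCESS_NLRI;
}

/* Constructed sample UPDATE bodies (not captured traffic). */
/* withdrawn 0 | attrs 4 (ORIGIN IGP) | NLRI 10.0.0.0/24 */
const uint8_t sample_announce[] = { 0x00,0x00, 0x00,0x04, 0x40,0x01,0x01,0x00, 0x18,0x0a,0x00,0x00 };
/* withdrawn 4 (10.0.0.0/24) | attrs 0 | no NLRI: the legal "both zero" case */
const uint8_t sample_withdraw[] = { 0x00,0x04, 0x18,0x0a,0x00,0x00, 0x00,0x00 };
/* withdrawn 0 | attrs 0 | NLRI 10.0.0.0/24: the shape the CVE-2023-41358 fix skips */
const uint8_t sample_fuzzed[]   = { 0x00,0x00, 0x00,0x00, 0x18,0x0a,0x00,0x00 };
/* withdrawn 0 | attrs claims 16 bytes but only 1 byte follows */
const uint8_t sample_truncated[] = { 0x00,0x00, 0x00,0x10, 0x40 };

static const char *verdict_name(enum update_verdict v)
{
    switch (v) {
    case UPDATE_TRUNCATED:     return "truncated";
    case UPDATE_NO_NLRI:       return "no NLRI";
    case UPDATE_NLRI_NO_ATTRS: return "NLRI without attributes (skipped)";
    default:                   return "process NLRI";
    }
}

int main(void)
{
    struct update_lengths l;
    enum update_verdict v;

    v = check_update(sample_announce, sizeof sample_announce, &l);
    printf("announce:  attr_len=%u update_len=%zu -> %s\n", l.attribute_len, l.update_len, verdict_name(v));
    v = check_update(sample_withdraw, sizeof sample_withdraw, &l);
    printf("withdraw:  attr_len=%u update_len=%zu -> %s\n", l.attribute_len, l.update_len, verdict_name(v));
    v = check_update(sample_fuzzed, sizeof sample_fuzzed, &l);
    printf("fuzzed:    attr_len=%u update_len=%zu -> %s\n", l.attribute_len, l.update_len, verdict_name(v));
    v = check_update(sample_truncated, sizeof sample_truncated, NULL);
    printf("truncated: -> %s\n", verdict_name(v));
    return 0;
}
```

Returning a distinct verdict for the `sample_fuzzed` shape, rather than folding it into a plain skip as the one-line condition does, is what lets a receiver log or count such messages per peer; the bounds checks before each `p +=` are the part the hunk does not show and that any real parser needs so a bad length field cannot move the cursor past `end`.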
