File Quagga-CVE-2023-41358-bgpd-NLRIs.bsc1214735.patch of Package quagga.30717
From 980ee75e303310fbdfdccc33f46392a927ca9463 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Tue, 22 Aug 2023 22:52:04 +0300
Subject: [PATCH] bgpd: Do not process NLRIs if the attribute length is zero
Upstream: yes
References: CVE-2023-41358,bsc#1214735,https://github.com/FRRouting/frr/pull/14260
Adopted CVE-2023-41358 fix implemented by Donatas Abraitis for frr, see:
- https://github.com/FRRouting/frr/issues/14289
- https://github.com/FRRouting/frr/pull/14260
```
The issue is that we try to process NLRIs even if the attribute length is 0.
Later bgp_update() will handle route-maps and a crash occurs because all the
attributes are NULL, including aspath, where we dereference.
According to the RFC 4271:

    A value of 0 indicates that neither the Network Layer
    Reachability Information field nor the Path Attribute field is
    present in this UPDATE message.

But with a fuzzed UPDATE message this can be faked. I think it's reasonable
to skip processing NLRIs if both update_len and attribute_len are 0.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
```
Signed-off-by: Marius Tomaschewski <mt@suse.com>
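As an added illustration of the rule this patch introduces (example code written for this page, not quagga's or FRR's own; the function and enum names are assumptions), the validator below applies the same check to a raw UPDATE body and also bounds-checks both length fields before anything is parsed, so it goes slightly beyond the single condition in the hunk:

```c
#include <stddef.h>
#include <stdint.h>

/* Outcome of checking a BGP UPDATE body (the bytes after the 19-byte header). */
enum update_status {
    UPDATE_OK = 0,
    UPDATE_TRUNCATED,     /* a length field runs past the end of the message */
    UPDATE_NLRI_NO_ATTRS  /* NLRI present but Total Path Attribute Length is 0 */
};

static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Bounds-check the Withdrawn Routes Length and Total Path Attribute Length,
 * then apply the patch's rule: NLRI bytes with a zero attribute length are
 * malformed (RFC 4271 section 4.3) and must not reach route processing, where
 * the missing attributes would be dereferenced. *nlri_len is quagga's update_len. */
enum update_status validate_update_body(const uint8_t *body, size_t len,
                                        size_t *nlri_len)
{
    uint16_t withdrawn_len, attribute_len;
    size_t off;
    *nlri_len = 0;
    if (len < 2)
        return UPDATE_TRUNCATED;
    withdrawn_len = get_be16(body);
    off = 2 + withdrawn_len;
    if (off + 2 > len)
        return UPDATE_TRUNCATED;
    attribute_len = get_be16(body + off);
    off += 2 + attribute_len;
    if (off > len)
        return UPDATE_TRUNCATED;
    *nlri_len = len - off;                 /* update_len = end - stream_pnt(s) */
    if (*nlri_len > 0 && attribute_len == 0)
        return UPDATE_NLRI_NO_ATTRS;
    return UPDATE_OK;
}

/* Constructed sample (not a real capture): withdrawn length 0, attribute
 * length 0, followed by a 2-byte NLRI entry encoding 10.0.0.0/8. */
static const uint8_t sample_nlri_no_attrs[] = { 0x00, 0x00, 0x00, 0x00, 0x08, 0x0a };

enum update_status check_sample(void)
{
    size_t nlri_len;
    return validate_update_body(sample_nlri_no_attrs, sizeof sample_nlri_no_attrs, &nlri_len);
}
```

An empty UPDATE (both lengths zero, no NLRI) still passes, which is the case the RFC text describes; only the inconsistent combination is rejected.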
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 56e27dc6..9b064003 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -1798,7 +1798,7 @@ bgp_update_receive (struct peer *peer, bgp_size_t size)
/* Network Layer Reachability Information. */
update_len = end - stream_pnt (s);
- if (update_len)
+ if (update_len && attribute_len)
{
/* Set NLRI portion to structure. */
nlris[NLRI_UPDATE].afi = AFI_IP;
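Review bot: the new condition `if (update_len && attribute_len)` silently drops the NLRI portion when a peer sends NLRI bytes with a zero Total Path Attribute Length, yet that combination is a malformed UPDATE rather than a valid empty one (the commit message itself quotes RFC 4271: a zero attribute length means the NLRI field is absent too), and the hunk neither logs it nor signals an error, so an operator gets no indication that a peer is sending malformed UPDATEs. Consider at least logging the peer and the two lengths on this path, and extend the comment above the condition to record why attribute_len is checked, since that reasoning currently lives only in the commit message.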
--
2.35.3