Headline
CVE-2023-47235: bgpd: A couple more bgpd crash fixes for malformed packets by ton31337 · Pull Request #14716 · FRRouting/frr
An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when a malformed BGP UPDATE message with an EOR is processed, because the presence of EOR does not lead to a treat-as-withdraw outcome.
Expand Up @@ -3391,10 +3391,13 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr, uint8_t type = 0;
/* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an * empty UPDATE. */ * empty UPDATE. Treat-as-withdraw, otherwise if we just ignore it, * we will pass it to be processed as a normal UPDATE without mandatory * attributes, that could lead to harmful behavior. */ if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag && !length) return BGP_ATTR_PARSE_PROCEED; return BGP_ATTR_PARSE_WITHDRAW;
/* "An UPDATE message that contains the MP_UNREACH_NLRI is not required to carry any other path attributes.", though if MP_REACH_NLRI or NLRI Expand Down Expand Up @@ -3889,7 +3892,13 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, aspath_unintern(&as4_path);
transit = bgp_attr_get_transit(attr); if (ret != BGP_ATTR_PARSE_ERROR) { /* If we received an UPDATE with mandatory attributes, then * the unrecognized transitive optional attribute of that * path MUST be passed. Otherwise, it’s an error, and from * security perspective it might be very harmful if we continue * here with the unrecognized attributes. */ if (ret == BGP_ATTR_PARSE_PROCEED) { /* Finally intern unknown attribute. */ if (transit) bgp_attr_set_transit(attr, transit_intern(transit)); Expand Down
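Review bot: In the bgp_attr_check hunk (@@ -3391,10 +3391,13 @@), the rewritten comment says why an empty UPDATE must not be passed on as a normal UPDATE, but it does not say what returning BGP_ATTR_PARSE_WITHDRAW means for a genuine End-of-RIB marker from a well-behaved peer that matches `CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag && !length`. Please add a sentence to the comment stating the expected effect on a legitimate EOR, so the next reader does not have to trace the caller to confirm that Graceful Restart handling is unchanged. The sentence "Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be processed" is also hard to parse; splitting it into "Treat as withdraw." followed by the reason would read better. A regression test that feeds both a clean EOR and the malformed UPDATE through this path would lock the behaviour in.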
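Review bot: In the bgp_attr_parse hunk (@@ -3889,7 +3892,13 @@), narrowing the guard from `ret != BGP_ATTR_PARSE_ERROR` to `ret == BGP_ATTR_PARSE_PROCEED` means `transit`, fetched by `bgp_attr_get_transit(attr)` just above, is no longer interned for any other non-error return value such as BGP_ATTR_PARSE_WITHDRAW. The visible lines do not show what happens to that pointer on those paths, so please confirm it is released or left in a state the later cleanup handles, and note that in the comment if it is not obvious from the code that follows. The new comment also contains a typographic apostrophe in "it’s"; use a plain ASCII one to match the rest of the file.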
Related news
Red Hat Security Advisory 2024-1152-03 - An update for frr is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include an out of bounds read vulnerability.
Red Hat Security Advisory 2024-1093-03 - An update for frr is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include an out of bounds read vulnerability.
Ubuntu Security Notice 6498-1 - It was discovered that FRR incorrectly handled certain BGP messages. A remote attacker could possibly use this issue to cause FRR to crash, resulting in a denial of service.