CVE-2023-47234: bgpd: A couple more bgpd crash fixes for malformed packets by ton31337 · Pull Request #14716 · FRRouting/frr

Expand Up @@ -3399,15 +3399,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr, !length) return BGP_ATTR_PARSE_WITHDRAW;
/* "An UPDATE message that contains the MP_UNREACH_NLRI is not required to carry any other path attributes.", though if MP_REACH_NLRI or NLRI are present, it should. Check for any other attribute being present instead. */ if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) && CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))) return BGP_ATTR_PARSE_PROCEED;
if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN))) type = BGP_ATTR_ORIGIN;
Expand All @@ -3426,6 +3417,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr, && !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF))) type = BGP_ATTR_LOCAL_PREF;
/* An UPDATE message that contains the MP_UNREACH_NLRI is not required * to carry any other path attributes. Though if MP_REACH_NLRI or NLRI * are present, it should. Check for any other attribute being present * instead. */ if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) && CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))) return type ? BGP_ATTR_PARSE_MISSING_MANDATORY : BGP_ATTR_PARSE_PROCEED;
/* If any of the well-known mandatory attributes are not present * in an UPDATE message, then “treat-as-withdraw” MUST be used. */ Expand Down