net-misc/frr: learn to read bugs

2023-11-10 09:40:17 +01:00 · 2023-11-10 09:40:17 +01:00 · f6e95a24c5
parent 3098c7a99e
commit f6e95a24c5
1 changed files with 159 additions and 99 deletions
--- a/net-misc/frr/files/frr-9.0-bug-913242.patch
+++ b/net-misc/frr/files/frr-9.0-bug-913242.patch
@ -1,113 +1,173 @@
 diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
-index dcf0f4d47cfb..8c53191d680f 100644
+index 60e41ac1cc83..7badc6a17cbf 100644
 --- a/bgpd/bgp_attr.c
 +++ b/bgpd/bgp_attr.c
-@@ -1405,6 +1405,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
+@@ -2388,7 +2388,7 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args,
- 	case BGP_ATTR_LARGE_COMMUNITIES:
+ 
- 	case BGP_ATTR_ORIGINATOR_ID:
+ 		mp_update->afi = afi;
- 	case BGP_ATTR_CLUSTER_LIST:
+ 		mp_update->safi = safi;
-+	case BGP_ATTR_ENCAP:
+-		return BGP_ATTR_PARSE_EOR;
- 	case BGP_ATTR_OTC:
+		return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0);
- 		return BGP_ATTR_PARSE_WITHDRAW;
+ 	}
- 	case BGP_ATTR_MP_REACH_NLRI:
+ 
-@@ -2635,26 +2636,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args)
+ 	mp_update->afi = afi;
@@ -3349,13 +3349,15 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args)
 }
- /* Parse Tunnel Encap attribute in an UPDATE */
+ /* Well-known attribute check. */
-static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+-static int bgp_attr_check(struct peer *peer, struct attr *attr)
-			  bgp_size_t length, /* IN: attr's length field */
+static int bgp_attr_check(struct peer *peer, struct attr *attr,
-			  struct attr *attr, /* IN: caller already allocated */
+			  bgp_size_t length)
 -			  uint8_t flag,      /* IN: attr's flags field */
 -			  uint8_t *startp)
 +static int bgp_attr_encap(struct bgp_attr_parser_args *args)
 {
-	bgp_size_t total;
+ 	uint8_t type = 0;
- 	uint16_t tunneltype = 0;
+ 
 	/* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an
 	 * empty UPDATE.  */
 -	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
 +	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag &&
 +	    !length)
 		return BGP_ATTR_PARSE_PROCEED;
 	/* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
@@ -3407,7 +3409,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
 	enum bgp_attr_parse_ret ret;
 	uint8_t flag = 0;
 	uint8_t type = 0;
 -	bgp_size_t length;
 +	bgp_size_t length = 0;
 	uint8_t *startp, *endp;
 	uint8_t *attr_endp;
 	uint8_t seen[BGP_ATTR_BITMAP_SIZE];
@@ -3658,10 +3660,6 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
 			goto done;
 		}
 -		if (ret == BGP_ATTR_PARSE_EOR) {
 -			goto done;
 -		}
 -
-	total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);
+ 		if (ret == BGP_ATTR_PARSE_ERROR) {
-+	struct peer *const peer = args->peer;
+ 			flog_warn(EC_BGP_ATTRIBUTE_PARSE_ERROR,
-+	struct attr *const attr = args->attr;
+ 				  "%s: Attribute %s, parse error", peer->host,
-+	bgp_size_t length = args->length;
+@@ -3734,7 +3732,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
 +	uint8_t type = args->type;
 +	uint8_t flag = args->flags;
 	if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS)
 	    || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) {
 -		zlog_info(
 -			"Tunnel Encap attribute flag isn't optional and transitive %d",
 -			flag);
 -		bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
 -					  BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR,
 -					  startp, total);
 -		return -1;
 +		zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d",
 +			 flag);
 +		return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
 +					  args->total);
 	}
- 	if (BGP_ATTR_ENCAP == type) {
+ 	/* Check all mandatory well-known attributes are present */
-@@ -2662,12 +2658,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+-	ret = bgp_attr_check(peer, attr);
- 		uint16_t tlv_length;
+	ret = bgp_attr_check(peer, attr, length);
 	if (ret < 0)
 		goto done;
- 		if (length < 4) {
+diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
-			zlog_info(
+index 1c7e88a4f9e2..3db0863d3b5a 100644
-+			zlog_err(
+--- a/bgpd/bgp_attr.h
- 				"Tunnel Encap attribute not long enough to contain outer T,L");
+++ b/bgpd/bgp_attr.h
-			bgp_notify_send_with_data(
+@@ -364,7 +364,6 @@ enum bgp_attr_parse_ret {
-				peer, BGP_NOTIFY_UPDATE_ERR,
+ 	/* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
-				BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
+ 	 */
-			return -1;
+ 	BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
-+			return bgp_attr_malformed(args,
+-	BGP_ATTR_PARSE_EOR = -4,
-+						  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+ };
-+						  args->total);
+ 
- 		}
+ struct bpacket_attr_vec_arr;
- 		tunneltype = stream_getw(BGP_INPUT(peer));
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
- 		tlv_length = stream_getw(BGP_INPUT(peer));
+index ec692277b26b..f88e1e5afcbb 100644
-@@ -2699,13 +2694,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
+--- a/bgpd/bgp_packet.c
 +++ b/bgpd/bgp_packet.c
@@ -2053,8 +2053,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
 	 * Non-MP IPv4/Unicast EoR is a completely empty UPDATE
 	 * and MP EoR should have only an empty MP_UNREACH
 	 */
 -	if ((!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0)
 -	    || (attr_parse_ret == BGP_ATTR_PARSE_EOR)) {
 +	if (!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) {
 		afi_t afi = 0;
 		safi_t safi;
 		struct graceful_restart_info *gr_info;
@@ -2075,9 +2074,6 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
 			   && nlris[NLRI_MP_WITHDRAW].length == 0) {
 			afi = nlris[NLRI_MP_WITHDRAW].afi;
 			safi = nlris[NLRI_MP_WITHDRAW].safi;
 -		} else if (attr_parse_ret == BGP_ATTR_PARSE_EOR) {
 -			afi = nlris[NLRI_MP_UPDATE].afi;
 -			safi = nlris[NLRI_MP_UPDATE].safi;
 		}
- 		if (sublength > length) {
+ 		if (afi && peer->afc[afi][safi]) {
-			zlog_info(
+diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
-				"Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
+index 0dd5463979ad..e7e3c2191a7a 100644
-				sublength, length);
+--- a/bgpd/bgp_open.c
-			bgp_notify_send_with_data(
+++ b/bgpd/bgp_open.c
-				peer, BGP_NOTIFY_UPDATE_ERR,
+@@ -940,8 +940,18 @@ static int bgp_capability_software_version(struct peer *peer,
-				BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
+ 		return -1;
 -			return -1;
 +			zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
 +				 sublength, length);
 +			return bgp_attr_malformed(args,
 +						  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
 +						  args->total);
 		}
 		/* alloc and copy sub-tlv */
@@ -2753,13 +2746,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
 	if (length) {
 		/* spurious leftover data */
 -		zlog_info(
 -			"Tunnel Encap attribute length is bad: %d leftover octets",
 -			length);
 -		bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
 -					  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
 -					  startp, total);
 -		return -1;
 +		zlog_err("Tunnel Encap attribute length is bad: %d leftover octets",
 +			 length);
 +		return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
 +					  args->total);
 	}
- 	return 0;
+-	if (len) {
-@@ -3732,8 +3722,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
+	if (len > BGP_MAX_SOFT_VERSION) {
- 		case BGP_ATTR_VNC:
+		flog_warn(EC_BGP_CAPABILITY_INVALID_LENGTH,
- #endif
+			  "%s: Received Software Version, but the length is too big, truncating, from peer %s",
- 		case BGP_ATTR_ENCAP:
+			  __func__, peer->host);
-			ret = bgp_attr_encap(type, peer, length, attr, flag,
+		stream_get(str, s, BGP_MAX_SOFT_VERSION);
-					     startp);
+		stream_forward_getp(s, len - BGP_MAX_SOFT_VERSION);
-+			ret = bgp_attr_encap(&attr_args);
+		len = BGP_MAX_SOFT_VERSION;
- 			break;
+	} else if (len) {
- 		case BGP_ATTR_PREFIX_SID:
+ 		stream_get(str, s, len);
- 			ret = bgp_attr_prefix_sid(&attr_args);
+	}
 +
 +	if (len) {
 		str[len] = '\0';
 		XFREE(MTYPE_BGP_SOFT_VERSION, peer->soft_version);
 diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
 index 3ecffb99d171..d3a02a3df641 100644
 --- a/bgpd/bgp_attr.c
 +++ b/bgpd/bgp_attr.c
@@ -492,6 +492,7 @@ static bool bgp_attr_aigp_valid(uint8_t *pnt, int length)
 	uint8_t *data = pnt;
 	uint8_t tlv_type;
 	uint16_t tlv_length;
 +	uint8_t *end = data + length;
 	if (length < 3) {
 		zlog_err("Bad AIGP attribute length (MUST be minimum 3): %u",
@@ -500,7 +501,13 @@ static bool bgp_attr_aigp_valid(uint8_t *pnt, int length)
 	}
 	while (length) {
 +		size_t data_len = end - data;
 +
 		tlv_type = *data;
 +
 +		if (data_len - 1 < 2)
 +			return false;
 +
 		ptr_get_be16(data + 1, &tlv_length);
 		(void)data;
 diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
 index c852203e5b66..ec692277b26b 100644
 --- a/bgpd/bgp_packet.c
 +++ b/bgpd/bgp_packet.c
@@ -1976,7 +1976,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
 	/* Network Layer Reachability Information. */
 	update_len = end - stream_pnt(s);
 -	if (update_len) {
 +	if (update_len && attribute_len) {
 		/* Set NLRI portion to structure. */
 		nlris[NLRI_UPDATE].afi = AFI_IP;
 		nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
 diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
 index bd17a2eec84e..c852203e5b66 100644
 --- a/bgpd/bgp_packet.c
 +++ b/bgpd/bgp_packet.c
@@ -2401,7 +2401,8 @@ static int bgp_route_refresh_receive(struct peer *peer, bgp_size_t size)
 				 * and 7 bytes of ORF Address-filter entry from
 				 * the stream
 				 */
 -				if (*p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
 +				if (p_pnt < p_end &&
 +				    *p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
 					if (bgp_debug_neighbor_events(peer))
 						zlog_debug(
 							"%pBP rcvd Remove-All pfxlist ORF request",