frr: Security fix CVE-2023-3748

CVE-2023-3748: A flaw was found in FRRouting when parsing certain babeld unicast hello messages that are intended to be ignored. This issue may allow an attacker to send specially crafted hello messages with the unicast flag set, the interval field set to 0, or any TLV that contains a sub-TLV with the Mandatory flag set to enter an infinite loop and cause a denial of service. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-3748 Patch from: ae1e0e1fed Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-04 16:10:10 +00:00 · 2023-08-28 18:49:18 +08:00 · 2023-08-28 18:49:18 +08:00 · ee1026ab77
commit ee1026ab77
parent f74d5dfd69
2 changed files with 55 additions and 0 deletions
--- a/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2023-3748.patch
@ -0,0 +1,54 @@
+From e61593f2ded104c4c7f01eb93e2b404e93e0c560 Mon Sep 17 00:00:00 2001
+From: harryreps <harryreps@gmail.com>
+Date: Fri, 3 Mar 2023 23:17:14 +0000
+Subject: [PATCH] babeld: fix #11808 to avoid infinite loops
+
+Replacing continue in loops to goto done so that index of packet buffer
+increases.
+
+Signed-off-by: harryreps <harryreps@gmail.com>
+
+CVE: CVE-2023-3748
+
+Upstream-Status: Backport
+[https://github.com/FRRouting/frr/commit/ae1e0e1fed77716bc06f181ad68c4433fb5523d0]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ babeld/message.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/babeld/message.c b/babeld/message.c
+index 7d45d91bf..2bf233796 100644
+--- a/babeld/message.c
+++ b/babeld/message.c
+@@ -439,7 +439,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
+ 			debugf(BABEL_DEBUG_COMMON,
+ 			       "Received Hello from %s on %s that does not have all 0's in the unused section of flags, ignoring",
+ 			       format_address(from), ifp->name);
+-			continue;
+			goto done;
+ 		}
+ 
+ 		/*
+@@ -451,7 +451,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
+ 			debugf(BABEL_DEBUG_COMMON,
+ 			       "Received Unicast Hello from %s on %s that FRR is not prepared to understand yet",
+ 			       format_address(from), ifp->name);
+-			continue;
+			goto done;
+ 		}
+ 
+ 		DO_NTOHS(seqno, message + 4);
+@@ -469,7 +469,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
+ 			debugf(BABEL_DEBUG_COMMON,
+ 			       "Received hello from %s on %s should be ignored as that this version of FRR does not know how to properly handle interval == 0",
+ 			       format_address(from), ifp->name);
+-			continue;
+			goto done;
+ 		}
+ 
+ 		changed = update_neighbour(neigh, seqno, interval);
+-- 
+2.25.1
+
--- a/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
+++ b/meta-networking/recipes-protocols/frr/frr_8.4.4.bb
@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.4 \
           file://frr.pam \
           file://0001-m4-ax_python.m4-check-for-python-x.y-emded.pc-not-py.patch \
+           file://CVE-2023-3748.patch \
           "

 SRCREV = "45e36c0c00a517ad1606135b18c5753e210cfc0d"