quagga: patch CVE-2017-3224

Details: https://nvd.nist.gov/vuln/detail/CVE-2017-3224

Quagga is an abandoned project, but it is not without a successor.
Frr (or Frrouting) is a fork of Quagga, and they have fixed this
vulnerability. That patch from Frr was ported to Quagga.

The Frr patch mentions this CVE ID explicitly, and also Debian
has identified it as the correct patch[1].

[1]: https://security-tracker.debian.org/tracker/CVE-2017-3224

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>

meta-networking/recipes-protocols/quagga/files/CVE-2017-3224.patch

@@ -0,0 +1,90 @@
+From 5e54975af4c6429f5e7bf9a29ff8425e131e92ca Mon Sep 17 00:00:00 2001
+From: Chirag Shah <chirag@cumulusnetworks.com>
+Date: Fri, 25 Jan 2019 17:21:24 -0800
+Subject: [PATCH] ospfd: address CVE-2017-3224
+
+Based on the vulnerability mentioned in 793496 an attacker can craft an
+LSA with MaxSequence number wtih invalid links and not set age to MAX_AGE
+so the lsa would not be flush from the database.
+
+To address the issue, check incoming LSA is MaxSeq but Age is not set
+to MAX_AGE 3600, discard the LSA from processing it.
+Based on  RFC-2328 , When a LSA update sequence reaches MaxSequence
+number, it should be prematurely aged out from the database with age set
+to MAX_AGE (3600).
+
+Ticket:CM-18989
+Reviewed By:
+Testing Done:
+
+Signed-off-by: Chirag Shah <chirag@cumulusnetworks.com>
+
+CVE: CVE-2017-3224
+Upstream-Status: Inactive-Upstream [ported from frr, a fork: https://github.com/FRRouting/frr/commit/7791d3deab8f4bbee2ccdd98ea596617536bc681]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ ospfd/ospf_packet.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
+index facba89..504df02 100644
+--- a/ospfd/ospf_packet.c
++++ b/ospfd/ospf_packet.c
+@@ -1936,9 +1936,20 @@ ospf_ls_upd (struct ospf *ospf, struct ip *iph, struct ospf_header *ospfh,
+       if (current == NULL ||
+ 	  (ret = ospf_lsa_more_recent (current, lsa)) < 0)
+ 	{
++          /* CVE-2017-3224 */
++          if (current && (lsa->data->ls_seqnum ==
++            htonl(OSPF_MAX_SEQUENCE_NUMBER)
++            && !IS_LSA_MAXAGE(lsa))) {
++              zlog_debug(
++                "Link State Update[%s]: has Max Seq but not MaxAge. Dropping it",
++                dump_lsa_key(lsa));
++
++              DISCARD_LSA(lsa, 4);
++              continue;
++          }
+ 	  /* Actual flooding procedure. */
+ 	  if (ospf_flood (oi->ospf, nbr, current, lsa) < 0)  /* Trap NSSA later. */
+-	    DISCARD_LSA (lsa, 4);
++	    DISCARD_LSA (lsa, 5);
+ 	  continue;
+ 	}
+ 
+@@ -1987,7 +1998,7 @@ ospf_ls_upd (struct ospf *ospf, struct ip *iph, struct ospf_header *ospfh,
+ 		if (NBR_IS_DR (nbr))
+ 		  listnode_add (oi->ls_ack, ospf_lsa_lock (lsa));
+ 
+-              DISCARD_LSA (lsa, 5);
++              DISCARD_LSA (lsa, 6);
+ 	    }
+ 	  else
+ 	    /* Acknowledge the receipt of the LSA by sending a
+@@ -1995,7 +2006,7 @@ ospf_ls_upd (struct ospf *ospf, struct ip *iph, struct ospf_header *ospfh,
+ 	       interface. */
+ 	    {
+ 	      ospf_ls_ack_send (nbr, lsa);
+-	      DISCARD_LSA (lsa, 6);
++	      DISCARD_LSA (lsa, 7);
+ 	    }
+ 	}
+ 
+@@ -2011,7 +2022,7 @@ ospf_ls_upd (struct ospf *ospf, struct ip *iph, struct ospf_header *ospfh,
+ 	  if (IS_LSA_MAXAGE (current) &&
+ 	      current->data->ls_seqnum == htonl (OSPF_MAX_SEQUENCE_NUMBER))
+ 	    {
+-	      DISCARD_LSA (lsa, 7);
++	      DISCARD_LSA (lsa, 8);
+ 	    }
+ 	  /* Otherwise, as long as the database copy has not been sent in a
+ 	     Link State Update within the last MinLSArrival seconds, send the
+@@ -2031,7 +2042,7 @@ ospf_ls_upd (struct ospf *ospf, struct ip *iph, struct ospf_header *ospfh,
+ 			  msec2tv (ospf->min_ls_arrival)) >= 0)
+ 		/* Trap NSSA type later.*/
+ 		ospf_ls_upd_send_lsa (nbr, current, OSPF_SEND_PACKET_DIRECT);
+-	      DISCARD_LSA (lsa, 8);
++	      DISCARD_LSA (lsa, 9);
+ 	    }
+ 	}
+     }

meta-networking/recipes-protocols/quagga/quagga.inc

@@ -34,7 +34,8 @@ SRC_URI = "https://github.com/Quagga/quagga/releases/download/quagga-${PV}/quagg
            file://ripd.service \
            file://ripngd.service \
            file://zebra.service \
-          "
+           file://CVE-2017-3224.patch \
+           "
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
 PACKAGECONFIG[cap] = "--enable-capabilities,--disable-capabilities,libcap"