diff --git a/meta-networking/recipes-protocols/quagga/files/CVE-2017-3224.patch b/meta-networking/recipes-protocols/quagga/files/CVE-2017-3224.patch
new file mode 100644
index 0000000000..9d6765005a
--- /dev/null
+++ b/meta-networking/recipes-protocols/quagga/files/CVE-2017-3224.patch
@@ -0,0 +1,90 @@
+From 5e54975af4c6429f5e7bf9a29ff8425e131e92ca Mon Sep 17 00:00:00 2001
+From: Chirag Shah
+Date: Fri, 25 Jan 2019 17:21:24 -0800
+Subject: [PATCH] ospfd: address CVE-2017-3224
+
+Based on the vulnerability mentioned in 793496 an attacker can craft an
+LSA with MaxSequence number wtih invalid links and not set age to MAX_AGE
+so the lsa would not be flush from the database.
+
+To address the issue, check incoming LSA is MaxSeq but Age is not set
+to MAX_AGE 3600, discard the LSA from processing it.
+Based on RFC-2328 , When a LSA update sequence reaches MaxSequence
+number, it should be prematurely aged out from the database with age set
+to MAX_AGE (3600).
+
+Ticket:CM-18989
+Reviewed By:
+Testing Done:
+
+Signed-off-by: Chirag Shah
+
+CVE: CVE-2017-3224
+Upstream-Status: Inactive-Upstream [ported from frr, a fork: https://github.com/FRRouting/frr/commit/7791d3deab8f4bbee2ccdd98ea596617536bc681]
+Signed-off-by: Gyorgy Sarvari
+---
+ ospfd/ospf_packet.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
+index facba89..504df02 100644
+--- a/ospfd/ospf_packet.c
++++ b/ospfd/ospf_packet.c
+@@ -1936,9 +1936,20 @@ ospf_ls_upd (struct ospf *ospf, struct ip *iph, struct ospf_header *ospfh,
+ if (current == NULL ||
+ (ret = ospf_lsa_more_recent (current, lsa)) < 0)
+ {
++ /* CVE-2017-3224 */
++ if (current && (lsa->data->ls_seqnum ==
++ htonl(OSPF_MAX_SEQUENCE_NUMBER)
++ && !IS_LSA_MAXAGE(lsa))) {
++ zlog_debug(
++ "Link State Update[%s]: has Max Seq but not MaxAge. Dropping it",
++ dump_lsa_key(lsa));
++
++ DISCARD_LSA(lsa, 4);
++ continue;
++ }
+ /* Actual flooding procedure. */
+ if (ospf_flood (oi->ospf, nbr, current, lsa) < 0) /* Trap NSSA later.
*/
+- DISCARD_LSA (lsa, 4);
++ DISCARD_LSA (lsa, 5);
+ continue;
+ }
+ 
+@@ -1987,7 +1998,7 @@ ospf_ls_upd (struct ospf *ospf, struct ip *iph, struct ospf_header *ospfh,
+ if (NBR_IS_DR (nbr))
+ listnode_add (oi->ls_ack, ospf_lsa_lock (lsa));
+ 
+- DISCARD_LSA (lsa, 5);
++ DISCARD_LSA (lsa, 6);
+ }
+ else
+ /* Acknowledge the receipt of the LSA by sending a
+@@ -1995,7 +2006,7 @@ ospf_ls_upd (struct ospf *ospf, struct ip *iph, struct ospf_header *ospfh,
+ interface. */
+ {
+ ospf_ls_ack_send (nbr, lsa);
+- DISCARD_LSA (lsa, 6);
++ DISCARD_LSA (lsa, 7);
+ }
+ }
+ 
+@@ -2011,7 +2022,7 @@ ospf_ls_upd (struct ospf *ospf, struct ip *iph, struct ospf_header *ospfh,
+ if (IS_LSA_MAXAGE (current) &&
+ current->data->ls_seqnum == htonl (OSPF_MAX_SEQUENCE_NUMBER))
+ {
+- DISCARD_LSA (lsa, 7);
++ DISCARD_LSA (lsa, 8);
+ }
+ /* Otherwise, as long as the database copy has not been sent in a
+ Link State Update within the last MinLSArrival seconds, send the
+@@ -2031,7 +2042,7 @@ ospf_ls_upd (struct ospf *ospf, struct ip *iph, struct ospf_header *ospfh,
+ msec2tv (ospf->min_ls_arrival)) >= 0)
+ /* Trap NSSA type later.*/
+ ospf_ls_upd_send_lsa (nbr, current, OSPF_SEND_PACKET_DIRECT);
+- DISCARD_LSA (lsa, 8);
++ DISCARD_LSA (lsa, 9);
+ }
+ }
+ }
diff --git a/meta-networking/recipes-protocols/quagga/quagga.inc b/meta-networking/recipes-protocols/quagga/quagga.inc
index d368311d13..3534114a22 100644
--- a/meta-networking/recipes-protocols/quagga/quagga.inc
+++ b/meta-networking/recipes-protocols/quagga/quagga.inc
@@ -34,7 +34,8 @@ SRC_URI = "https://github.com/Quagga/quagga/releases/download/quagga-${PV}/quagg
 file://ripd.service \
 file://ripngd.service \
 file://zebra.service \
- "
+ file://CVE-2017-3224.patch \
+ "
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
 PACKAGECONFIG[cap] = "--enable-capabilities,--disable-capabilities,libcap"
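Review bot: The `current &&` term at the head of the new CVE-2017-3224 check exempts an LSA that has no database copy yet, so an LSA at MaxSequenceNumber that is not MaxAge is still installed on first sight, while the commit message describes the check as unconditional; the bare `/* CVE-2017-3224 */` comment should say why the first-seen case is left to the normal flood path, e.g. `/* CVE-2017-3224: an LSA at MaxSequenceNumber that is not MaxAge could never be superseded; refuse it when it would replace a database copy (a first-seen copy goes through the flood path below) */`, or drop the `current &&` if the exemption is unintended. The `continue;` after `DISCARD_LSA(lsa, 4)` appears unreachable, since quagga's DISCARD_LSA macro in ospf_packet.c ends with its own `continue` (not visible in this hunk). The `zlog_debug` call is not gated on an OSPF debug flag, unlike what debug output elsewhere in ospf_ls_upd appears to do (outside this hunk), so every LSA dropped here emits a debug-priority log record; `if (IS_DEBUG_OSPF_EVENT)` in front of it would match the file, and the block's `{` on the `if` line and `DISCARD_LSA(lsa, 4)` spacing also differ from the surrounding GNU-style code, harmless in a backport but worth matching if the patch is ever rebased. ospf_ls_upd starts and ends outside this hunk.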