frr: Security fix CVE-2022-37032

CVE-2022-37032: An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may lead to a segmentation fault and denial of service. This occurs in bgp_capability_msg_parse in bgpd/bgp_packet.c. Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-37032 Patch from: 066770ac1c Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-04-02 02:49:12 +00:00 · 2022-10-13 10:12:18 +08:00 · 2022-10-13 10:12:18 +08:00 · 9628ca83c2
commit 9628ca83c2
parent 6e2cfa4113
2 changed files with 44 additions and 0 deletions
--- a/meta-networking/recipes-protocols/frr/frr/0001-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch
+++ b/meta-networking/recipes-protocols/frr/frr/0001-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch
@ -0,0 +1,43 @@
+From 066770ac1c69ee5b484bb82581b22ad0423b004d Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Thu, 21 Jul 2022 08:11:58 -0400
+Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is
+ expected
+
+Ensure that if the capability length specified is enough data.
+
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+(cherry picked from commit ff6db1027f8f36df657ff2e5ea167773752537ed)
+
+CVE: CVE-2022-37032
+
+Upstream-Status: Backport
+[https://github.com/FRRouting/frr/commit/066770ac1c69ee5b484bb82581b22ad0423b004d]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ bgpd/bgp_packet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index 7613ccc7d..a5f065a15 100644
+--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
+@@ -2621,6 +2621,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+ 				"%s CAPABILITY has action: %d, code: %u, length %u",
+ 				peer->host, action, hdr->code, hdr->length);
+ 
+		if (hdr->length < sizeof(struct capability_mp_data)) {
+			zlog_info(
+				"%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d",
+				peer, sizeof(struct capability_mp_data),
+				hdr->length);
+			return BGP_Stop;
+		}
+
+ 		/* Capability length check. */
+ 		if ((pnt + hdr->length + 3) > end) {
+ 			zlog_info("%s Capability length error", peer->host);
+-- 
+2.25.1
+
--- a/meta-networking/recipes-protocols/frr/frr_8.3.1.bb
+++ b/meta-networking/recipes-protocols/frr/frr_8.3.1.bb
@ -13,6 +13,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.3 \
           file://0001-configure-Check-for-readline-function-instead-of-mai.patch \
           file://0001-ospfd-Adding-SUPPORT_OSPF_API-define-in-ospf_spf.c.patch \
           file://0001-bgpd-avoid-notify-race-between-io-and-main-pthreads.patch \
+           file://0001-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch \
           file://frr.pam \
 	      "