Bugzilla – Bug 1202023
VUL-0: CVE-2022-37032: frr: out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service
Last modified: 2022-10-13 14:50:56 UTC
When FRR receives a BGP capability message, the following call trace occurs when an attempt is made to parse it:

```
#0 bgp_capability_msg_parse() in bgpd/bgp_packet.c
#1 bgp_capability_receive() in bgpd/bgp_packet.c
#2 bgp_process_packet() in bgpd/bgp_packet.c
```

In `bgp_capability_msg_parse()`, an improper calculation on the bounds of the available data is made.

```c
static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, bgp_size_t length)
{
	...
	end = pnt + length;

	while (pnt < end) {
		/* We need at least action, capability code and capability
		 * length. */
		if (pnt + 3 > end) {
			/* error ... */
		}
		...
		hdr = (struct capability_header *)(pnt + 1);
		...
		/* Capability length check. */
		if ((pnt + hdr->length + 3) > end) {
			/* error ... */
		}

		/* Fetch structure to the byte stream. */
		memcpy(&mpc, pnt + 3, sizeof(struct capability_mp_data));

		pnt += hdr->length + 3;
	}
	return BGP_PACKET_NOOP;
}
```

While the first length check is properly done, the second one relies on a value directly read from the packet without verification. `hdr->length` is used to check the remaining amount of data, but the actual amount read is `sizeof(struct capability_mp_data)`. This means that the size check can be bypassed, causing `memcpy()` to read out of bounds.

This issue could be exploited to trigger a segmentation fault, leading to denial of service, or cause undefined behavior via corrupt fields in `mpc`.

This issue was fixed with the following commit: https://github.com/FRRouting/frr/commit/ff6db1027f8f36df657ff2e5ea167773752537ed
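Added example, not part of the report or of FRR's code: a self-contained walk over a constructed capability stream that shows how the two checks quoted above can both pass while a fixed-size `memcpy` still runs past the buffer, next to a hardened walk that adds the missing comparison of the declared length against the structure size. The struct layouts, the byte streams `CAP_SHORT`/`CAP_GOOD` and the functions `overread_bytes`/`parse_count` are all constructed for this illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed layouts standing in for FRR's own definitions. */
struct capability_header { uint8_t code; uint8_t length; };
struct capability_mp_data { uint16_t afi; uint8_t reserved; uint8_t safi; };

/* Constructed streams: action byte, capability code, length, body.
 * CAP_SHORT declares a 1-byte body: "declared length fits" passes, yet a
 * 4-byte memcpy from pnt + 3 would run 3 bytes past the end of the buffer. */
static const uint8_t CAP_SHORT[] = {0x00, 0x01, 0x01, 0x01};
static const uint8_t CAP_GOOD[] = {0x00, 0x01, 0x04, 0x00, 0x01, 0x00, 0x01,
                                   0x00, 0x01, 0x04, 0x00, 0x02, 0x00, 0x01};

/* Bytes a fixed-size memcpy from pnt + 3 would read past `end` for the first
 * capability when only the two checks from the report are applied. Computed
 * arithmetically, nothing out of bounds is touched; 0 means in bounds. */
static size_t overread_bytes(const uint8_t *pnt, size_t length)
{
    if (length < 3) return 0;     /* rejected by the first check */
    const struct capability_header *hdr = (const void *)(pnt + 1);
    size_t body = length - 3;     /* bytes actually present after the header */
    if (hdr->length > body)
        return 0;                 /* rejected by the second check */
    return body < sizeof(struct capability_mp_data)
               ? sizeof(struct capability_mp_data) - body : 0;
}

/* Hardened walk: returns the number of capabilities parsed, or -1 on a
 * malformed one. The added comparison against sizeof(mpc) is the missing
 * check: the declared body must cover the structure copied out of it. */
static int parse_count(const uint8_t *pnt, size_t length)
{
    const uint8_t *end = pnt + length;
    int count = 0;
    while (pnt < end) {
        if ((size_t)(end - pnt) < 3)
            return -1;
        const struct capability_header *hdr = (const void *)(pnt + 1);
        size_t body = (size_t)(end - pnt) - 3;
        if (hdr->length > body || hdr->length < sizeof(struct capability_mp_data))
            return -1;
        struct capability_mp_data mpc;
        memcpy(&mpc, pnt + 3, sizeof mpc);   /* now provably inside [pnt, end) */
        count++;
        pnt += 3 + hdr->length;
    }
    return count;
}
```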
Affected:
- SUSE:SLE-15-SP3:Update
- openSUSE:Factory
Submission request to SLE in https://build.suse.de/request/show/279073
Submission request to network is in https://build.opensuse.org/request/show/1001418
(In reply to Marius Tomaschewski from comment #5)
> Submission request to network is in
> https://build.opensuse.org/request/show/1001418

On the way to factory in https://build.opensuse.org/request/show/1001456

Assigning back to security-team.
SUSE-SU-2022:3246-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1202022,1202023
CVE References: CVE-2019-25074,CVE-2022-37032
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): frr-7.4-150300.4.7.1
openSUSE Leap 15.3 (src): frr-7.4-150300.4.7.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src): frr-7.4-150300.4.7.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): frr-7.4-150300.4.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done, closing.