1From 3c4821679f2362bcd38fcc7803f28a5210441ddb Mon Sep 17 00:00:00 2001 2From: Donald Sharp <sharpd@nvidia.com> 3Date: Thu, 21 Jul 2022 08:11:58 -0400 4Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is 5 expected 6 7Ensure that if the capability length specified is enough data. 8 9Signed-off-by: Donald Sharp <sharpd@nvidia.com> 10 11CVE: CVE-2022-37032 12 13Upstream-Status: Backport 14[https://github.com/FRRouting/frr/commit/3c4821679f2362bcd38fcc7803f28a5210441ddb] 15 16Signed-off-by: Yi Zhao <yi.zhao@windriver.com> 17--- 18 bgpd/bgp_packet.c | 8 ++++++++ 19 1 file changed, 8 insertions(+) 20 21diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c 22index 7c92a8d9e..bcd47e32d 100644 23--- a/bgpd/bgp_packet.c 24+++ b/bgpd/bgp_packet.c 25@@ -2440,6 +2440,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, 26 "%s CAPABILITY has action: %d, code: %u, length %u", 27 peer->host, action, hdr->code, hdr->length); 28 29+ if (hdr->length < sizeof(struct capability_mp_data)) { 30+ zlog_info( 31+ "%s Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d", 32+ peer->host, sizeof(struct capability_mp_data), 33+ hdr->length); 34+ return BGP_Stop; 35+ } 36+ 37 /* Capability length check. */ 38 if ((pnt + hdr->length + 3) > end) { 39 zlog_info("%s Capability length error", peer->host); 40-- 412.25.1 42 43