From f5613956d29cba3a35544a8fe1432b6a1d04ee4c Mon Sep 17 00:00:00 2001
From: niuyachen
Date: Mon, 29 Jan 2024 10:09:15 +0800
Subject: [PATCH] bgpd: Fix use beyond end of stream of labeled unicast parsing

---
CVE-2023-38407.patch | 54 ++++++++++++++++++++++++++++++++++++++++++++
frr.spec | 7 +++++-
2 files changed, 60 insertions(+), 1 deletion(-)
create mode 100644 CVE-2023-38407.patch

diff --git a/CVE-2023-38407.patch b/CVE-2023-38407.patch
new file mode 100644
index 0000000..dbd4e9e
--- /dev/null
+++ b/CVE-2023-38407.patch
@@ -0,0 +1,54 @@
+From 7404a914b0cafe046703c8381903a80d3def8f8b Mon Sep 17 00:00:00 2001
+From: Donald Sharp
+Date: Fri, 3 Mar 2023 21:58:33 -0500
+Subject: [PATCH] bgpd: Fix use beyond end of stream of labeled unicast parsing
+
+Fixes a couple crashes associated with attempting to read
+beyond the end of the stream.
+
+Reported-by: Iggy Frankovic
+Signed-off-by: Donald Sharp
+---
+ bgpd/bgp_label.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/bgpd/bgp_label.c b/bgpd/bgp_label.c
+index 0cad119af101..c4a5277553ba 100644
+--- a/bgpd/bgp_label.c
++++ b/bgpd/bgp_label.c
+@@ -297,6 +297,9 @@ static int bgp_nlri_get_labels(struct peer *peer, uint8_t *pnt, uint8_t plen,
+ uint8_t llen = 0;
+ uint8_t label_depth = 0;
+
++ if (plen < BGP_LABEL_BYTES)
++ return 0;
++
+ for (; data < lim; data += BGP_LABEL_BYTES) {
+ memcpy(label, data, BGP_LABEL_BYTES);
+ llen += BGP_LABEL_BYTES;
+@@ -359,6 +362,9 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
+ memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN);
+ addpath_id = ntohl(addpath_id);
+ pnt += BGP_ADDPATH_ID_LEN;
++
++ if (pnt >= lim)
++ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
+ }
+
+ /* Fetch prefix length. */
+@@ -377,6 +383,15 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
+
+ /* Fill in the labels */
+ llen = bgp_nlri_get_labels(peer, pnt, psize, &label);
++ if (llen == 0) {
++ flog_err(
++ EC_BGP_UPDATE_RCV,
++ "%s [Error] Update packet error (wrong label length 0)",
++ peer->host);
++ bgp_notify_send(peer, BGP_NOTIFY_UPDATE_ERR,
++ BGP_NOTIFY_UPDATE_INVAL_NETWORK);
++ return BGP_NLRI_PARSE_ERROR_LABEL_LENGTH;
++ }
+ p.prefixlen = prefixlen - BSIZE(llen);
+
+ /* There needs to be at least one label */
diff --git a/frr.spec b/frr.spec
index c79b26a..e5f4967 100644
--- a/frr.spec
+++ b/frr.spec
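Review bot: The new `if (plen < BGP_LABEL_BYTES) return 0;` guard in bgp_nlri_get_labels (first nested hunk) only rejects lengths shorter than one label; a `plen` that is not a multiple of BGP_LABEL_BYTES still lets `for (; data < lim; data += BGP_LABEL_BYTES)` enter a final iteration whose `memcpy(label, data, BGP_LABEL_BYTES)` reads up to two bytes past `lim` when no earlier label carried the bottom-of-stack bit. `plen` is the caller's `psize` (third nested hunk), which appears to come from the received prefix length, so a peer can still steer a read beyond the NLRI after this patch; whether those bytes remain inside the stream buffer depends on the surrounding packet, which is not visible here. Bounding the loop on a whole label, `for (; data + BGP_LABEL_BYTES <= lim; data += BGP_LABEL_BYTES) {`, closes that read and lets the existing `llen == 0` path report a truncated label instead. Both bgp_nlri_get_labels and bgp_nlri_parse_label start and end outside these hunks, so the remaining checks on `psize` and `label_depth` could not be reviewed.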
@@ -8,7 +8,7 @@ Name: frr
 Version: 7.5.1
-Release: 14%{?checkout}%{anolis_release}%{?dist}
+Release: 15%{?checkout}%{anolis_release}%{?dist}
 Summary: Routing daemon
 License: GPLv2+
 URL: http://www.frrouting.org
@@ -64,6 +64,8 @@ Patch0015: 0015-max-ttl-reload.patch
 Patch1000: CVE-2023-20593.patch
 #https://github.com/FRRouting/frr/commit/0b999c886e241c52bd1f7ef0066700e4b618ebb3
 Patch1001: CVE-2023-38406.patch
+# https://github.com/FRRouting/frr/commit/7404a914b0cafe046703c8381903a80d3def8f8b
+Patch1002: CVE-2023-38407.patch
 %description
 FRRouting is free software that manages TCP/IP based routing protocols. It takes
@@ -294,6 +296,9 @@ make check PYTHON=%{__python3}
 %doc doc/mpls
 %changelog
+* Fri Jan 26 2024 niuyachen - 7.5.1-15.0.2
+- fix CVE-2023-38407
+
 * Mon Jan 22 2024 Kaiqiang Wang - 7.5.1-14.0.2
 - fix CVE-2023-38406
--
Gitee