| author | Gyorgy Sarvari <skandigraun@gmail.com> | 2026-01-19 17:27:18 +0100 |
|---|---|---|
| committer | Khem Raj <raj.khem@gmail.com> | 2026-01-20 08:27:12 -0800 |
| commit | 3cd47f72ad8d3889e2ef44c63ce6414cb1a9964d (patch) | |
| tree | 73fdc3361746058ededb0d04b029bceaa1afded6 | |
| parent | b8b3ab6048b5c4ae07a4288c8e4c71377898c2c4 (diff) | |
| download | meta-openembedded-3cd47f72ad8d3889e2ef44c63ce6414cb1a9964d.tar.gz | |
frr: patch CVE-2025-61099..61107
Details:
https://nvd.nist.gov/vuln/detail/CVE-2025-61099
https://nvd.nist.gov/vuln/detail/CVE-2025-61100
https://nvd.nist.gov/vuln/detail/CVE-2025-61101
https://nvd.nist.gov/vuln/detail/CVE-2025-61102
https://nvd.nist.gov/vuln/detail/CVE-2025-61103
https://nvd.nist.gov/vuln/detail/CVE-2025-61104
https://nvd.nist.gov/vuln/detail/CVE-2025-61105
https://nvd.nist.gov/vuln/detail/CVE-2025-61106
https://nvd.nist.gov/vuln/detail/CVE-2025-61107
The NVD advisory references a PR[1] that contains only an unfinished, and
ultimately unmerged attempt at the fixes. The actual solution comes from
a different PR[2]. These patches are 3 commits from that PR. The last
commit wasn't backported, because it is just code formatting.
[1]: https://github.com/FRRouting/frr/pull/19480
[2]: https://github.com/FRRouting/frr/pull/19983
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
4 files changed, 416 insertions, 0 deletions
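--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61107-1.patch
@@ -0,0 +1,40 @@
+From e21276d430663fd8312940bb3b0ce081957e3d85 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Sun, 24 Aug 2025 21:17:55 +0800
+Subject: [PATCH] ospfd: Add null check for vty_out in check_tlv_size
+
+From: s1awwhy <seawwhy@163.com>
+
+Add security check for vty_out. Specifically, Check NULL for vty. If vty is not available, dump info via zlog.
+
+Signed-off-by: s1awwhy <seawwhy@163.com>
+
+CVE: CVE-2025-61099 CVE-2025-61100 CVE-2025-61101 CVE-2025-61102 CVE-2025-61103 CVE-2025-61104 CVE-2025-61105 CVE-2025-61106 CVE-2025-61107
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/b7d9b7aa47627b31e4b50795284408ab6de98660]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ospfd/ospf_ext.c | 8 ++++++--
+1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/ospfd/ospf_ext.c b/ospfd/ospf_ext.c
+index df0b3b9081..8ca0df3200 100644
+--- a/ospfd/ospf_ext.c
++++ b/ospfd/ospf_ext.c
+@@ -1705,11 +1705,15 @@ static void ospf_ext_lsa_schedule(struct ext_itf *exti, enum lsa_opcode op)
+* ------------------------------------
+*/
+
++/* Check NULL for vty. If vty is not available, dump info via zlog */
+#define check_tlv_size(size, msg) \
+do { \
+if (ntohs(tlvh->length) != size) { \
+- vty_out(vty, " Wrong %s TLV size: %d(%d). Abort!\n", \
+- msg, ntohs(tlvh->length), size); \
++ if (vty != NULL) \
++ vty_out(vty, " Wrong %s TLV size: %d(%d). Abort!\n", \
++ msg, ntohs(tlvh->length), size); \
++ else \
++ zlog_debug(" Wrong %s TLV size: %d(%d). Abort!", msg, ntohs(tlvh->length), size); \
+return size + TLV_HDR_SIZE; \
+} \
+} while (0)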
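Review bot: The comment added above `check_tlv_size` documents only the NULL test, while the macro also depends on `tlvh` and `vty` existing in the expanding function and contains a `return` that leaves that function. A fuller comment would help anyone adding a new caller, e.g. `/* Uses the caller's tlvh and vty; on a length mismatch it reports via vty or zlog and returns from the enclosing function. */`. The new `zlog_debug(...)` line is also much longer than the wrapped `vty_out` call beside it and could be wrapped the same way.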
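--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61107-2.patch
@@ -0,0 +1,80 @@
+From d9ed123b814dad7cf4b069de5601c9f279596191 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Tue, 6 Jan 2026 15:32:32 +0100
+Subject: [PATCH] ospfd: skip subsequent tlvs after invalid length
+
+From: Louis Scalbert <louis.scalbert@6wind.com>
+
+Do not attempt to read subsequent TLVs after an TLV invalid length is
+detected.
+
+Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
+
+CVE: CVE-2025-61099 CVE-2025-61100 CVE-2025-61101 CVE-2025-61102 CVE-2025-61103 CVE-2025-61104 CVE-2025-61105 CVE-2025-61106 CVE-2025-61107
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/33dfc7e7be1ac8b66abbf47c30a709215fbc1926]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ospfd/ospf_ext.c | 6 +++---
+ospfd/ospf_ri.c | 6 +++---
+ospfd/ospf_te.c | 6 +++---
+3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/ospfd/ospf_ext.c b/ospfd/ospf_ext.c
+index 8ca0df3200..62b0020148 100644
+--- a/ospfd/ospf_ext.c
++++ b/ospfd/ospf_ext.c
+@@ -1710,11 +1710,11 @@ static void ospf_ext_lsa_schedule(struct ext_itf *exti, enum lsa_opcode op)
+do { \
+if (ntohs(tlvh->length) != size) { \
+if (vty != NULL) \
+- vty_out(vty, " Wrong %s TLV size: %d(%d). Abort!\n", \
++ vty_out(vty, " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
+msg, ntohs(tlvh->length), size); \
+else \
+- zlog_debug(" Wrong %s TLV size: %d(%d). Abort!", msg, ntohs(tlvh->length), size); \
+- return size + TLV_HDR_SIZE; \
++ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", msg, ntohs(tlvh->length), size); \
++ return OSPF_MAX_LSA_SIZE + 1; \
+} \
+} while (0)
+
+diff --git a/ospfd/ospf_ri.c b/ospfd/ospf_ri.c
+index 76e6efeb83..7934b25451 100644
+--- a/ospfd/ospf_ri.c
++++ b/ospfd/ospf_ri.c
+@@ -1208,12 +1208,12 @@ static int ospf_router_info_lsa_update(struct ospf_lsa *lsa)
+do { \
+if (ntohs(tlvh->length) > size) { \
+if (vty != NULL) \
+- vty_out(vty, " Wrong %s TLV size: %d(%d)\n", \
++ vty_out(vty, " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
+msg, ntohs(tlvh->length), size); \
+else \
+- zlog_debug(" Wrong %s TLV size: %d(%d)", \
++ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \
+msg, ntohs(tlvh->length), size); \
+- return size + TLV_HDR_SIZE; \
++ return OSPF_MAX_LSA_SIZE + 1; \
+} \
+} while (0)
+
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index d187485b9f..850a7039f1 100644
+--- a/ospfd/ospf_te.c
++++ b/ospfd/ospf_te.c
+@@ -3161,12 +3161,12 @@ static void ospf_te_init_ted(struct ls_ted *ted, struct ospf *ospf)
+do { \
+if (ntohs(tlvh->length) > size) { \
+if (vty != NULL) \
+- vty_out(vty, " Wrong %s TLV size: %d(%d)\n", \
++ vty_out(vty, " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
+msg, ntohs(tlvh->length), size); \
+else \
+- zlog_debug(" Wrong %s TLV size: %d(%d)", \
++ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \
+msg, ntohs(tlvh->length), size); \
+- return size + TLV_HDR_SIZE; \
++ return OSPF_MAX_LSA_SIZE + 1; \
+} \
+} while (0)
+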
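Review bot: The new `return OSPF_MAX_LSA_SIZE + 1;` in all three `check_tlv_size` macros changes the returned value from a byte count into a stop sentinel, and nothing at the macro records that contract. It presumably relies on every caller adding the result to a running total that is compared against the LSA length, and on that total not wrapping in the `uint16_t` the ospf_ext.c show functions return; neither is visible in these hunks, so it should be confirmed against the callers. A comment above each macro such as `/* On a bad length, return a value larger than any LSA so the caller's TLV loop stops. */` would make this explicit. Separately, the ospf_ri.c and ospf_te.c macros still test `>` where ospf_ext.c tests `!=`, so a TLV shorter than `size` is accepted there; it is worth checking that the show functions using them cannot read past a short TLV.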
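--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61107-3.patch
@@ -0,0 +1,293 @@
+From 2d02bca97251ee53fb10b4c34c8cda0e20ae8b8e Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Sun, 24 Aug 2025 21:21:23 +0800
+Subject: [PATCH] ospfd: Fix NULL Pointer Deference when dumping link info
+
+From: s1awwhy <seawwhy@163.com>
+
+When the command debug ospf packet all send/recv detail is enabled in the OSPF
+configuration, ospfd will dump detailed information of any received or sent
+OSPF packets, either via VTY or through the zlog. However, the original Opaque
+LSA handling code failed to check whether the VTY context and show_opaque_info
+were available, resulting in NULL pointer dereference and crashes in ospfd.
+The patch fixes the Null Pointer Deference Vulnerability in
+show_vty_ext_link_rmt_itf_addr, show_vty_ext_link_adj_sid,
+show_vty_ext_link_lan_adj_sid, show_vty_unknown_tlv,
+show_vty_link_info, show_vty_ext_pref_pref_sid, show_vtY_pref_info.
+Specifically, add NULL check for vty. If vty is not available, dump details
+via zlog.
+
+Signed-off-by: s1awwhy <seawwhy@163.com>
+Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
+
+CVE: CVE-2025-61099 CVE-2025-61100 CVE-2025-61101 CVE-2025-61102 CVE-2025-61103 CVE-2025-61104 CVE-2025-61105 CVE-2025-61106 CVE-2025-61107
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/034e6fe67078810b952630055614ee5710d1196e]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ospfd/ospf_ext.c | 200 ++++++++++++++++++++++++++++++++---------------
+1 file changed, 138 insertions(+), 62 deletions(-)
+
+diff --git a/ospfd/ospf_ext.c b/ospfd/ospf_ext.c
+index 62b0020148..c1fcd632e0 100644
+--- a/ospfd/ospf_ext.c
++++ b/ospfd/ospf_ext.c
+@@ -1729,9 +1729,15 @@ static uint16_t show_vty_ext_link_rmt_itf_addr(struct vty *vty,
+check_tlv_size(EXT_SUBTLV_RMT_ITF_ADDR_SIZE, "Remote Itf. Address");
+
+if (!json)
+- vty_out(vty,
+- " Remote Interface Address Sub-TLV: Length %u\n Address: %pI4\n",
+- ntohs(top->header.length), &top->value);
++ if (vty != NULL) {
++ vty_out(vty,
++ " Remote Interface Address Sub-TLV: Length %u\n Address: %pI4\n",
++ ntohs(top->header.length), &top->value);
++ } else {
++ zlog_debug(" Remote Interface Address Sub-TLV: Length %u",
++ ntohs(top->header.length));
++ zlog_debug(" Address: %pI4", &top->value);
++ }
+else
+json_object_string_addf(json, "remoteInterfaceAddress", "%pI4",
+&top->value);
+@@ -1752,18 +1758,30 @@ static uint16_t show_vty_ext_link_adj_sid(struct vty *vty,
+: SID_INDEX_SIZE(EXT_SUBTLV_ADJ_SID_SIZE);
+check_tlv_size(tlv_size, "Adjacency SID");
+
+- if (!json)
+- vty_out(vty,
+- " Adj-SID Sub-TLV: Length %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\tWeight: 0x%x\n\t%s: %u\n",
+- ntohs(top->header.length), top->flags, top->mtid,
+- top->weight,
+- CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG)
+- ? "Label"
+- : "Index",
+- CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG)
+- ? GET_LABEL(ntohl(top->value))
+- : ntohl(top->value));
+- else {
++ if (!json) {
++ /* Add security check for vty_out. If vty is not available, dump info via zlog.*/
++ if (vty != NULL)
++ vty_out(vty,
++ " Adj-SID Sub-TLV: Length %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\tWeight: 0x%x\n\t%s: %u\n",
++ ntohs(top->header.length), top->flags, top->mtid, top->weight,
++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label"
++ : "Index",
++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG)
++ ? GET_LABEL(ntohl(top->value))
++ : ntohl(top->value));
++ else {
++ zlog_debug(" Adj-SID Sub-TLV: Length %u", ntohs(top->header.length));
++ zlog_debug(" Flags: 0x%x", top->flags);
++ zlog_debug(" MT-ID:0x%x", top->mtid);
++ zlog_debug(" Weight: 0x%x", top->weight);
++ zlog_debug(" %s: %u",
++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label"
++ : "Index",
++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG)
++ ? GET_LABEL(ntohl(top->value))
++ : ntohl(top->value));
++ }
++ } else {
+json_object_string_addf(json, "flags", "0x%x", top->flags);
+json_object_string_addf(json, "mtID", "0x%x", top->mtid);
+json_object_string_addf(json, "weight", "0x%x", top->weight);
+@@ -1791,18 +1809,32 @@ static uint16_t show_vty_ext_link_lan_adj_sid(struct vty *vty,
+: SID_INDEX_SIZE(EXT_SUBTLV_LAN_ADJ_SID_SIZE);
+check_tlv_size(tlv_size, "LAN-Adjacency SID");
+
+- if (!json)
+- vty_out(vty,
+- " LAN-Adj-SID Sub-TLV: Length %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\tWeight: 0x%x\n\tNeighbor ID: %pI4\n\t%s: %u\n",
+- ntohs(top->header.length), top->flags, top->mtid,
+- top->weight, &top->neighbor_id,
+- CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG)
+- ? "Label"
+- : "Index",
+- CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG)
+- ? GET_LABEL(ntohl(top->value))
+- : ntohl(top->value));
+- else {
++ if (!json) {
++ /* Add security check for vty_out. If vty is not available, dump info via zlog. */
++ if (vty != NULL) {
++ vty_out(vty,
++ " LAN-Adj-SID Sub-TLV: Length %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\tWeight: 0x%x\n\tNeighbor ID: %pI4\n\t%s: %u\n",
++ ntohs(top->header.length), top->flags, top->mtid, top->weight,
++ &top->neighbor_id,
++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label"
++ : "Index",
++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG)
++ ? GET_LABEL(ntohl(top->value))
++ : ntohl(top->value));
++ } else {
++ zlog_debug(" LAN-Adj-SID Sub-TLV: Length %u", ntohs(top->header.length));
++ zlog_debug(" Flags: 0x%x", top->flags);
++ zlog_debug(" MT-ID:0x%x", top->mtid);
++ zlog_debug(" Weight: 0x%x", top->weight);
++ zlog_debug(" Neighbor ID: %pI4", &top->neighbor_id);
++ zlog_debug(" %s: %u",
++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label"
++ : "Index",
++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG)
++ ? GET_LABEL(ntohl(top->value))
++ : ntohl(top->value));
++ }
++ } else {
+json_object_string_addf(json, "flags", "0x%x", top->flags);
+json_object_string_addf(json, "mtID", "0x%x", top->mtid);
+json_object_string_addf(json, "weight", "0x%x", top->weight);
+@@ -1823,14 +1855,23 @@ static uint16_t show_vty_unknown_tlv(struct vty *vty, struct tlv_header *tlvh,
+{
+json_object *obj;
+
++ /* Add security check for vty_out. If vty is not available, dump info via zlog. */
+if (TLV_SIZE(tlvh) > buf_size) {
+- vty_out(vty, " TLV size %d exceeds buffer size. Abort!",
+- TLV_SIZE(tlvh));
++ if (vty != NULL)
++ vty_out(vty, " TLV size %d exceeds buffer size. Abort!", TLV_SIZE(tlvh));
++ else
++ zlog_debug(" TLV size %d exceeds buffer size. Abort!", TLV_SIZE(tlvh));
++
+return buf_size;
+}
+if (!json)
+- vty_out(vty, " Unknown TLV: [type(0x%x), length(0x%x)]\n",
+- ntohs(tlvh->type), ntohs(tlvh->length));
++ if (vty != NULL) {
++ vty_out(vty, " Unknown TLV: [type(0x%x), length(0x%x)]\n",
++ ntohs(tlvh->type), ntohs(tlvh->length));
++ } else {
++ zlog_debug(" Unknown TLV: [type(0x%x), length(0x%x)]",
++ ntohs(tlvh->type), ntohs(tlvh->length));
++ }
+else {
+obj = json_object_new_object();
+json_object_string_addf(obj, "type", "0x%x",
+@@ -1855,19 +1896,31 @@ static uint16_t show_vty_link_info(struct vty *vty, struct tlv_header *ext,
+
+/* Verify that TLV length is valid against remaining buffer size */
+if (length > buf_size) {
+- vty_out(vty,
+- " Extended Link TLV size %d exceeds buffer size. Abort!\n",
+- length);
++ /* Add security check for vty_out. If vty is not available, dump info via zlog. */
++ if (vty != NULL) {
++ vty_out(vty, " Extended Link TLV size %d exceeds buffer size. Abort!\n",
++ length);
++ } else {
++ zlog_debug(" Extended Link TLV size %d exceeds buffer size. Abort!",
++ length);
++ }
+return buf_size;
+}
+
+if (!json) {
+- vty_out(vty,
+- " Extended Link TLV: Length %u\n Link Type: 0x%x\n"
+- " Link ID: %pI4\n",
+- ntohs(top->header.length), top->link_type,
+- &top->link_id);
+- vty_out(vty, " Link data: %pI4\n", &top->link_data);
++ /* Add security check for vty_out. If vty is not available, dump info via zlog. */
++ if (vty != NULL) {
++ vty_out(vty,
++ " Extended Link TLV: Length %u\n Link Type: 0x%x\n"
++ " Link ID: %pI4\n",
++ ntohs(top->header.length), top->link_type, &top->link_id);
++ vty_out(vty, " Link data: %pI4\n", &top->link_data);
++ } else {
++ zlog_debug(" Extended Link TLV: Length %u", ntohs(top->header.length));
++ zlog_debug(" Link Type: 0x%x", top->link_type);
++ zlog_debug(" Link ID: %pI4", &top->link_id);
++ zlog_debug(" Link data: %pI4", &top->link_data);
++ }
+} else {
+json_object_string_addf(json, "linkType", "0x%x",
+top->link_type);
+@@ -1959,18 +2012,29 @@ static uint16_t show_vty_ext_pref_pref_sid(struct vty *vty,
+: SID_INDEX_SIZE(EXT_SUBTLV_PREFIX_SID_SIZE);
+check_tlv_size(tlv_size, "Prefix SID");
+
+- if (!json)
+- vty_out(vty,
+- " Prefix SID Sub-TLV: Length %u\n\tAlgorithm: %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\t%s: %u\n",
+- ntohs(top->header.length), top->algorithm, top->flags,
+- top->mtid,
+- CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG)
+- ? "Label"
+- : "Index",
+- CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG)
+- ? GET_LABEL(ntohl(top->value))
+- : ntohl(top->value));
+- else {
++ if (!json) {
++ if (vty != NULL) {
++ vty_out(vty,
++ " Prefix SID Sub-TLV: Length %u\n\tAlgorithm: %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\t%s: %u\n",
++ ntohs(top->header.length), top->algorithm, top->flags, top->mtid,
++ CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG) ? "Label"
++ : "Index",
++ CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG)
++ ? GET_LABEL(ntohl(top->value))
++ : ntohl(top->value));
++ } else {
++ zlog_debug(" Prefix SID Sub-TLV: Length %u", ntohs(top->header.length));
++ zlog_debug(" Algorithm: %u", top->algorithm);
++ zlog_debug(" Flags: 0x%x", top->flags);
++ zlog_debug(" MT-ID:0x%x", top->mtid);
++ zlog_debug(" %s: %u",
++ CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG) ? "Label"
++ : "Index",
++ CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG)
++ ? GET_LABEL(ntohl(top->value))
++ : ntohl(top->value));
++ }
++ } else {
+json_object_int_add(json, "algorithm", top->algorithm);
+json_object_string_addf(json, "flags", "0x%x", top->flags);
+json_object_string_addf(json, "mtID", "0x%x", top->mtid);
+@@ -1995,19 +2059,31 @@ static uint16_t show_vty_pref_info(struct vty *vty, struct tlv_header *ext,
+
+/* Verify that TLV length is valid against remaining buffer size */
+if (length > buf_size) {
+- vty_out(vty,
+- " Extended Link TLV size %d exceeds buffer size. Abort!\n",
+- length);
++ if (vty != NULL) {
++ vty_out(vty, " Extended Link TLV size %d exceeds buffer size. Abort!\n",
++ length);
++ } else {
++ zlog_debug(" Extended Link TLV size %d exceeds buffer size. Abort!",
++ length);
++ }
+return buf_size;
+}
+
+- if (!json)
+- vty_out(vty,
+- " Extended Prefix TLV: Length %u\n\tRoute Type: %u\n"
+- "\tAddress Family: 0x%x\n\tFlags: 0x%x\n\tAddress: %pI4/%u\n",
+- ntohs(top->header.length), top->route_type, top->af,
+- top->flags, &top->address, top->pref_length);
+- else {
++ if (!json) {
++ if (vty != NULL) {
++ vty_out(vty,
++ " Extended Prefix TLV: Length %u\n\tRoute Type: %u\n"
++ "\tAddress Family: 0x%x\n\tFlags: 0x%x\n\tAddress: %pI4/%u\n",
++ ntohs(top->header.length), top->route_type, top->af, top->flags,
++ &top->address, top->pref_length);
++ } else {
++ zlog_debug(" Extended Prefix TLV: Length %u", ntohs(top->header.length));
++ zlog_debug(" Route Type: %u", top->route_type);
++ zlog_debug(" Address Family: 0x%x", top->af);
++ zlog_debug(" Flags: 0x%x", top->flags);
++ zlog_debug(" Address: %pI4/%u", &top->address, top->pref_length);
++ }
++ } else {
+json_object_int_add(json, "routeType", top->route_type);
+json_object_string_addf(json, "addressFamily", "0x%x", top->af);
+json_object_string_addf(json, "flags", "0x%x", top->flags);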
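Review bot: In `show_vty_ext_link_rmt_itf_addr` and `show_vty_unknown_tlv` the outer `if (!json)` is left without braces while the new `if (vty != NULL) { … } else { … }` is nested directly under it and followed by the outer `else`. It parses as intended, but only as long as the inner statement stays a complete if/else; dropping or reshaping the inner `else` later would silently re-pair the JSON branch with the `vty` test. The other functions touched by this patch were converted to `if (!json) {` … `} else {`, and these two should use the same form. Both functions begin and end outside the hunks shown.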
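--- a/meta-networking/recipes-protocols/frr/frr_10.5.1.bb
+++ b/meta-networking/recipes-protocols/frr/frr_10.5.1.bb
@@ -12,6 +12,9 @@ LIC_FILES_CHKSUM = "file://doc/licenses/GPL-2.0;md5=b234ee4d69f5fce4486a80fdaf4a
 
 SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/10.5;tag=frr-${PV} \
 file://frr.pam \
+file://CVE-2025-61099-61107-1.patch \
+file://CVE-2025-61099-61107-2.patch \
+file://CVE-2025-61099-61107-3.patch \
 "
 SRCREV = "d17791ee7ee76a0407d3fdbebf81bd242840741b"
 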
