frr: fix CVE-2024-31949

CVE-2024-31949: In FRRouting (FRR) through 9.1, an infinite loop can occur when receiving a MP/GR capability as a dynamic capability because malformed data results in a pointer not advancing. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-31949] [https://salsa.debian.org/lts-team/packages/frr/-/blob/debian/7.5.1-1.1+deb10u4/debian/patches/CVE-2024-31949.patch?ref_type=tags] Upstream patches: [https://github.com/FRRouting/frr/pull/15640/commits/30a332dad86fafd2b0b6c61d23de59ed969a219b] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Zhang Peng <peng.zhang1.cn@windriver.com> 2025-10-28 14:13:22 +0800
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-10-29 16:59:21 +0100
commit: 50c69deb2c01cdf49bf4a1e8b68949f00cb31f82 (patch)
tree: ddc26ba672c53e097020f966f1653785fc7a612a /meta-networking/recipes-protocols
parent: d2da8450c03adf1066a81313dcc47fda53e8afed (diff)
download: meta-openembedded-50c69deb2c01cdf49bf4a1e8b68949f00cb31f82.tar.gz
2 files changed, 154 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31949.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31949.patch
new file mode 100644
index 0000000000..7d6c62e95f
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31949.patch
@@ -0,0 +1,153 @@
+From 54816c5b32e5318fbd1ff8335adf7e8dd93e2415 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Sat, 30 Mar 2024 15:35:18 +0200
+Subject: [PATCH] bgpd: Fix errors handling for MP/GR capabilities as dynamic
+ capability
+When receiving a MP/GR capability as dynamic capability, but malformed, do not
+forget to advance the pointer to avoid hitting infinity loop.
+After:
+```
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [GS0AQ-HKY0X] 127.0.0.1 rcv CAPABILITY
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 5, length 0
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 0, length 0
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 0
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 0
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 1
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+```
+Before:
+```
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+```
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+CVE: CVE-2024-31949
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/30a332dad86fafd2b0b6c61d23de59ed969a219b]
+Ref debian fix: [https://salsa.debian.org/lts-team/packages/frr/-/blob/debian/7.5.1-1.1+deb10u4/debian/patches/CVE-2024-31949.patch?ref_type=tags]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ bgpd/bgp_packet.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index bcd47e32d4..361cd7b6e1 100644
+--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
+@@ -2420,6 +2420,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+                        zlog_info("%s Capability length error", peer->host);
+                        bgp_notify_send(peer, BGP_NOTIFY_CEASE,
+                                        BGP_NOTIFY_SUBCODE_UNSPECIFIC);
+                       pnt += length;
+                        return BGP_Stop;
+                }
+                action = *pnt;
+@@ -2432,7 +2433,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+                                  peer->host, action);
+                        bgp_notify_send(peer, BGP_NOTIFY_CEASE,
+                                        BGP_NOTIFY_SUBCODE_UNSPECIFIC);
+-                       return BGP_Stop;
+                       goto done;
+                }
+ 
+                if (bgp_debug_neighbor_events(peer))
+@@ -2445,6 +2446,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+                                "%s Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d",
+                                peer->host, sizeof(struct capability_mp_data),
+                                hdr->length);
+                       pnt += length;
+                        return BGP_Stop;
+                }
+ 
+@@ -2453,12 +2455,12 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+                        zlog_info("%s Capability length error", peer->host);
+                        bgp_notify_send(peer, BGP_NOTIFY_CEASE,
+                                        BGP_NOTIFY_SUBCODE_UNSPECIFIC);
+                       pnt += length;
+                        return BGP_Stop;
+                }
+ 
+                /* Fetch structure to the byte stream. */
+                memcpy(&mpc, pnt + 3, sizeof(struct capability_mp_data));
+-               pnt += hdr->length + 3;
+ 
+                /* We know MP Capability Code. */
+                if (hdr->code == CAPABILITY_CODE_MP) {
+@@ -2468,7 +2470,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+                        /* Ignore capability when override-capability is set. */
+                        if (CHECK_FLAG(peer->flags,
+                                       PEER_FLAG_OVERRIDE_CAPABILITY))
+-                               continue;
+                               goto done;
+ 
+                        /* Convert AFI, SAFI to internal values. */
+                        if (bgp_map_afi_safi_iana2int(pkt_afi, pkt_safi, &afi,
+@@ -2479,7 +2481,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+                                                peer->host,
+                                                iana_afi2str(pkt_afi),
+                                                iana_safi2str(pkt_safi));
+-                               continue;
+                               goto done;
+                        }
+ 
+                        /* Address family check.  */
+@@ -2507,7 +2509,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+                                if (peer_active_nego(peer))
+                                        bgp_clear_route(peer, afi, safi);
+                                else
+-                                       return BGP_Stop;
+                                       goto done;
+                        }
+                } else {
+                        flog_warn(
+@@ -2515,6 +2517,8 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+                                "%s unrecognized capability code: %d - ignored",
+                                peer->host, hdr->code);
+                }
+done:
+               pnt += hdr->length + 3;
+        }
+ 
+        /* No FSM action necessary */
+-- 
+2.34.1
diff --git a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
index 975607f5af..857973df16 100644
--- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
+++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
@@ -35,6 +35,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \
           file://CVE-2024-31951.patch \
           file://CVE-2024-31948.patch \
           file://CVE-2024-55553.patch \
+           file://CVE-2024-31949.patch \
              "
 SRCREV = "79188bf710e92acf42fb5b9b0a2e9593a5ee9b05"
author	Zhang Peng <peng.zhang1.cn@windriver.com>	2025-10-28 14:13:22 +0800
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-10-29 16:59:21 +0100
commit	50c69deb2c01cdf49bf4a1e8b68949f00cb31f82 (patch)
tree	ddc26ba672c53e097020f966f1653785fc7a612a /meta-networking/recipes-protocols
parent	d2da8450c03adf1066a81313dcc47fda53e8afed (diff)
download	meta-openembedded-50c69deb2c01cdf49bf4a1e8b68949f00cb31f82.tar.gz

diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31949.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31949.patch new file mode 100644 index 0000000000..7d6c62e95f --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31949.patch
@@ -0,0 +1,153 @@
		1	From 54816c5b32e5318fbd1ff8335adf7e8dd93e2415 Mon Sep 17 00:00:00 2001
		2	From: Donatas Abraitis <donatas@opensourcerouting.org>
		3	Date: Sat, 30 Mar 2024 15:35:18 +0200
		4	Subject: [PATCH] bgpd: Fix errors handling for MP/GR capabilities as dynamic
		5	capability
		6
		7	When receiving a MP/GR capability as dynamic capability, but malformed, do not
		8	forget to advance the pointer to avoid hitting infinity loop.
		9
		10	After:
		11	```
		12	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [GS0AQ-HKY0X] 127.0.0.1 rcv CAPABILITY
		13	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 5, length 0
		14	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 0, length 0
		15	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored
		16	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 0
		17	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored
		18	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 0
		19	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored
		20	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 1
		21	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored
		22	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		23	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		24	```
		25
		26	Before:
		27	```
		28	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		29	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		30	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		31	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		32	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		33	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		34	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		35	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		36	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		37	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		38	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		39	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		40	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		41	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		42	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		43	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		44	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		45	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		46	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		47	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		48	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		49	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		50	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		51	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		52	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		53	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		54	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		55	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		56	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		57	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		58	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		59	```
		60
		61	Reported-by: Iggy Frankovic <iggyfran@amazon.com>
		62	Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
		63
		64	CVE: CVE-2024-31949
		65	Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/30a332dad86fafd2b0b6c61d23de59ed969a219b]
		66	Ref debian fix: [https://salsa.debian.org/lts-team/packages/frr/-/blob/debian/7.5.1-1.1+deb10u4/debian/patches/CVE-2024-31949.patch?ref_type=tags]
		67	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		68	---
		69	bgpd/bgp_packet.c \| 14 +++++++++-----
		70	1 file changed, 9 insertions(+), 5 deletions(-)
		71
		72	diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
		73	index bcd47e32d4..361cd7b6e1 100644
		74	--- a/bgpd/bgp_packet.c
		75	+++ b/bgpd/bgp_packet.c
		76	@@ -2420,6 +2420,7 @@ static int bgp_capability_msg_parse(struct peer peer, uint8_t pnt,
		77	zlog_info("%s Capability length error", peer->host);
		78	bgp_notify_send(peer, BGP_NOTIFY_CEASE,
		79	BGP_NOTIFY_SUBCODE_UNSPECIFIC);
		80	+ pnt += length;
		81	return BGP_Stop;
		82	}
		83	action = *pnt;
		84	@@ -2432,7 +2433,7 @@ static int bgp_capability_msg_parse(struct peer peer, uint8_t pnt,
		85	peer->host, action);
		86	bgp_notify_send(peer, BGP_NOTIFY_CEASE,
		87	BGP_NOTIFY_SUBCODE_UNSPECIFIC);
		88	- return BGP_Stop;
		89	+ goto done;
		90	}
		91
		92	if (bgp_debug_neighbor_events(peer))
		93	@@ -2445,6 +2446,7 @@ static int bgp_capability_msg_parse(struct peer peer, uint8_t pnt,
		94	"%s Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d",
		95	peer->host, sizeof(struct capability_mp_data),
		96	hdr->length);
		97	+ pnt += length;
		98	return BGP_Stop;
		99	}
		100
		101	@@ -2453,12 +2455,12 @@ static int bgp_capability_msg_parse(struct peer peer, uint8_t pnt,
		102	zlog_info("%s Capability length error", peer->host);
		103	bgp_notify_send(peer, BGP_NOTIFY_CEASE,
		104	BGP_NOTIFY_SUBCODE_UNSPECIFIC);
		105	+ pnt += length;
		106	return BGP_Stop;
		107	}
		108
		109	/* Fetch structure to the byte stream. */
		110	memcpy(&mpc, pnt + 3, sizeof(struct capability_mp_data));
		111	- pnt += hdr->length + 3;
		112
		113	/* We know MP Capability Code. */
		114	if (hdr->code == CAPABILITY_CODE_MP) {
		115	@@ -2468,7 +2470,7 @@ static int bgp_capability_msg_parse(struct peer peer, uint8_t pnt,
		116	/* Ignore capability when override-capability is set. */
		117	if (CHECK_FLAG(peer->flags,
		118	PEER_FLAG_OVERRIDE_CAPABILITY))
		119	- continue;
		120	+ goto done;
		121
		122	/* Convert AFI, SAFI to internal values. */
		123	if (bgp_map_afi_safi_iana2int(pkt_afi, pkt_safi, &afi,
		124	@@ -2479,7 +2481,7 @@ static int bgp_capability_msg_parse(struct peer peer, uint8_t pnt,
		125	peer->host,
		126	iana_afi2str(pkt_afi),
		127	iana_safi2str(pkt_safi));
		128	- continue;
		129	+ goto done;
		130	}
		131
		132	/* Address family check. */
		133	@@ -2507,7 +2509,7 @@ static int bgp_capability_msg_parse(struct peer peer, uint8_t pnt,
		134	if (peer_active_nego(peer))
		135	bgp_clear_route(peer, afi, safi);
		136	else
		137	- return BGP_Stop;
		138	+ goto done;
		139	}
		140	} else {
		141	flog_warn(
		142	@@ -2515,6 +2517,8 @@ static int bgp_capability_msg_parse(struct peer peer, uint8_t pnt,
		143	"%s unrecognized capability code: %d - ignored",
		144	peer->host, hdr->code);
		145	}
		146	+done:
		147	+ pnt += hdr->length + 3;
		148	}
		149
		150	/* No FSM action necessary */
		151	--
		152	2.34.1
		153


diff --git a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb index 975607f5af..857973df16 100644 --- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb +++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
@@ -35,6 +35,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \
35	file://CVE-2024-31951.patch \	35	file://CVE-2024-31951.patch \
36	file://CVE-2024-31948.patch \	36	file://CVE-2024-31948.patch \
37	file://CVE-2024-55553.patch \	37	file://CVE-2024-55553.patch \
		38	file://CVE-2024-31949.patch \
38	"	39	"
39		40
40	SRCREV = "79188bf710e92acf42fb5b9b0a2e9593a5ee9b05"	41	SRCREV = "79188bf710e92acf42fb5b9b0a2e9593a5ee9b05"