-rw-r--r--meta-networking/recipes-protocols/frr/frr/CVE-2024-31948.patch130
-rw-r--r--meta-networking/recipes-protocols/frr/frr/CVE-2024-31949.patch163
-rw-r--r--meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch68
-rw-r--r--meta-networking/recipes-protocols/frr/frr/CVE-2024-31951.patch110
-rw-r--r--meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch83
-rw-r--r--meta-networking/recipes-protocols/frr/frr/CVE-2024-44070.patch54
-rw-r--r--meta-networking/recipes-protocols/frr/frr_9.1.3.bb (renamed from meta-networking/recipes-protocols/frr/frr_9.1.bb)8
7 files changed, 1 insertions, 615 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31948.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31948.patch
deleted file mode 100644
index bc1f2edc7d..0000000000
--- a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31948.patch
+++ /dev/null
@@ -1,130 +0,0 @@
1From a11446687169c679b5e51b57f151a6f6c119656c Mon Sep 17 00:00:00 2001
2From: Donatas Abraitis <donatas@opensourcerouting.org>
3Date: Wed, 27 Mar 2024 18:42:56 +0200
4Subject: [PATCH 1/2] bgpd: Fix error handling when receiving BGP Prefix SID
5 attribute
6
7Without this patch, we always set the BGP Prefix SID attribute flag without
8checking if it's malformed or not. RFC8669 says that this attribute MUST be discarded.
9
10Also, this fixes the bgpd crash when a malformed Prefix SID attribute is received,
11with malformed transitive flags and/or TLVs.
12
13Reported-by: Iggy Frankovic <iggyfran@amazon.com>
14Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
15
16CVE: CVE-2024-31948
17Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/ba6a8f1a31e1a88df2de69ea46068e8bd9b97138]
18
19Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
20---
21 bgpd/bgp_attr.c | 5 +++--
22 1 file changed, 3 insertions(+), 2 deletions(-)
23
24diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
25index 56e77eb3a..2639ff864 100644
26--- a/bgpd/bgp_attr.c
27+++ b/bgpd/bgp_attr.c
28@@ -1390,6 +1390,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
29 case BGP_ATTR_AS4_AGGREGATOR:
30 case BGP_ATTR_AGGREGATOR:
31 case BGP_ATTR_ATOMIC_AGGREGATE:
32+ case BGP_ATTR_PREFIX_SID:
33 return BGP_ATTR_PARSE_PROCEED;
34
35 /* Core attributes, particularly ones which may influence route
36@@ -3144,8 +3145,6 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args)
37 struct attr *const attr = args->attr;
38 enum bgp_attr_parse_ret ret;
39
40- attr->flag |= ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID);
41-
42 uint8_t type;
43 uint16_t length;
44 size_t headersz = sizeof(type) + sizeof(length);
45@@ -3195,6 +3194,8 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args)
46 }
47 }
48
49+ SET_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID));
50+
51 return BGP_ATTR_PARSE_PROCEED;
52 }
53
54--
552.34.1
56
57From 70555e1c0927b84f3aae9406379b00c976b2fa0c Mon Sep 17 00:00:00 2001
58From: Donatas Abraitis <donatas@opensourcerouting.org>
59Date: Wed, 27 Mar 2024 19:08:38 +0200
60Subject: [PATCH 2/2] bgpd: Prevent from one more CVE triggering this place
61
62If we receive an attribute that is handled by bgp_attr_malformed(), use
63treat-as-withdraw behavior for unknown (or missing to add - if new) attributes.
64
65Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
66
67CVE: CVE-2024-31948
68Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/babb23b74855e23c987a63f8256d24e28c044d07]
69
70Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
71---
72 bgpd/bgp_attr.c | 33 ++++++++++++++++++++++-----------
73 1 file changed, 22 insertions(+), 11 deletions(-)
74
75diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
76index 2639ff864..797f05d60 100644
77--- a/bgpd/bgp_attr.c
78+++ b/bgpd/bgp_attr.c
79@@ -1381,6 +1381,15 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
80 (args->startp - STREAM_DATA(BGP_INPUT(peer)))
81 + args->total);
82
83+ /* Partial optional attributes that are malformed should not cause
84+ * the whole session to be reset. Instead treat it as a withdrawal
85+ * of the routes, if possible.
86+ */
87+ if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS) &&
88+ CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL) &&
89+ CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL))
90+ return BGP_ATTR_PARSE_WITHDRAW;
91+
92 switch (args->type) {
93 /* where an attribute is relatively inconsequential, e.g. it does not
94 * affect route selection, and can be safely ignored, then any such
95@@ -1418,19 +1427,21 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
96 BGP_NOTIFY_UPDATE_ERR, subcode,
97 notify_datap, length);
98 return BGP_ATTR_PARSE_ERROR;
99+ default:
100+ /* Unknown attributes, that are handled by this function
101+ * should be treated as withdraw, to prevent one more CVE
102+ * from being introduced.
103+ * RFC 7606 says:
104+ * The "treat-as-withdraw" approach is generally preferred
105+ * and the "session reset" approach is discouraged.
106+ */
107+ flog_err(EC_BGP_ATTR_FLAG,
108+ "%s(%u) attribute received, while it is not known how to handle it, treating as withdraw",
109+ lookup_msg(attr_str, args->type, NULL), args->type);
110+ break;
111 }
112
113- /* Partial optional attributes that are malformed should not cause
114- * the whole session to be reset. Instead treat it as a withdrawal
115- * of the routes, if possible.
116- */
117- if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS)
118- && CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL)
119- && CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL))
120- return BGP_ATTR_PARSE_WITHDRAW;
121-
122- /* default to reset */
123- return BGP_ATTR_PARSE_ERROR_NOTIFYPLS;
124+ return BGP_ATTR_PARSE_WITHDRAW;
125 }
126
127 /* Find out what is wrong with the path attribute flag bits and log the error.
128--
1292.34.1
130
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31949.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31949.patch
deleted file mode 100644
index dad0255ead..0000000000
--- a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31949.patch
+++ /dev/null
@@ -1,163 +0,0 @@
1From 2779d7d7c4f465f8e117aa4c47982dd60d620bc9 Mon Sep 17 00:00:00 2001
2From: Donatas Abraitis <donatas@opensourcerouting.org>
3Date: Sat, 30 Mar 2024 15:35:18 +0200
4Subject: [PATCH] bgpd: Fix errors handling for MP/GR capabilities as dynamic
5 capability
6
7When receiving a MP/GR capability as dynamic capability, but malformed, do not
8forget to advance the pointer to avoid hitting infinity loop.
9
10After:
11```
12Mar 29 11:15:28 donatas-laptop bgpd[353550]: [GS0AQ-HKY0X] 127.0.0.1 rcv CAPABILITY
13Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 5, length 0
14Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 0, length 0
15Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored
16Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 0
17Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored
18Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 0
19Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored
20Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 1
21Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored
22Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
23Mar 29 11:15:28 donatas-laptop bgpd[353550]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
24```
25
26Before:
27```
28Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
29Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
30Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
31Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
32Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
33Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
34Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
35Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
36Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
37Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
38Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
39Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
40Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
41Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
42Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
43Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
44Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
45Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
46Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
47Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
48Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
49Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
50Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
51Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
52Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
53Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
54Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
55Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
56Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
57Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
58Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
59```
60
61Reported-by: Iggy Frankovic <iggyfran@amazon.com>
62Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
63
64CVE: CVE-2024-31949
65Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/30a332dad86fafd2b0b6c61d23de59ed969a219b]
66
67Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
68---
69 bgpd/bgp_packet.c | 17 ++++++++++-------
70 1 file changed, 10 insertions(+), 7 deletions(-)
71
72diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
73index cae82cbbb..50e5b54ab 100644
74--- a/bgpd/bgp_packet.c
75+++ b/bgpd/bgp_packet.c
76@@ -3121,6 +3121,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
77 zlog_err("%pBP: Capability length error", peer);
78 bgp_notify_send(peer->connection, BGP_NOTIFY_CEASE,
79 BGP_NOTIFY_SUBCODE_UNSPECIFIC);
80+ pnt += length;
81 return BGP_Stop;
82 }
83 action = *pnt;
84@@ -3133,7 +3134,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
85 action);
86 bgp_notify_send(peer->connection, BGP_NOTIFY_CEASE,
87 BGP_NOTIFY_SUBCODE_UNSPECIFIC);
88- return BGP_Stop;
89+ goto done;
90 }
91
92 if (bgp_debug_neighbor_events(peer))
93@@ -3145,12 +3146,13 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
94 zlog_err("%pBP: Capability length error", peer);
95 bgp_notify_send(peer->connection, BGP_NOTIFY_CEASE,
96 BGP_NOTIFY_SUBCODE_UNSPECIFIC);
97+ pnt += length;
98 return BGP_Stop;
99 }
100
101 /* Ignore capability when override-capability is set. */
102 if (CHECK_FLAG(peer->flags, PEER_FLAG_OVERRIDE_CAPABILITY))
103- continue;
104+ goto done;
105
106 capability = lookup_msg(capcode_str, hdr->code, "Unknown");
107
108@@ -3165,7 +3167,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
109 peer, capability,
110 sizeof(struct capability_mp_data),
111 hdr->length);
112- return BGP_Stop;
113+ goto done;
114 }
115
116 memcpy(&mpc, pnt + 3, sizeof(struct capability_mp_data));
117@@ -3180,7 +3182,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
118 peer, capability,
119 iana_afi2str(pkt_afi),
120 iana_safi2str(pkt_safi));
121- continue;
122+ goto done;
123 }
124
125 /* Address family check. */
126@@ -3207,7 +3209,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
127 if (peer_active_nego(peer))
128 bgp_clear_route(peer, afi, safi);
129 else
130- return BGP_Stop;
131+ goto done;
132 }
133 break;
134 case CAPABILITY_CODE_RESTART:
135@@ -3217,7 +3219,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
136 bgp_notify_send(peer->connection,
137 BGP_NOTIFY_CEASE,
138 BGP_NOTIFY_SUBCODE_UNSPECIFIC);
139- return BGP_Stop;
140+ goto done;
141 }
142
143 bgp_dynamic_capability_graceful_restart(pnt, action,
144@@ -3243,7 +3245,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
145 bgp_notify_send(peer->connection,
146 BGP_NOTIFY_CEASE,
147 BGP_NOTIFY_SUBCODE_UNSPECIFIC);
148- return BGP_Stop;
149+ goto done;
150 }
151
152 uint8_t role;
153@@ -3265,6 +3267,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
154 break;
155 }
156
157+done:
158 pnt += hdr->length + 3;
159 }
160
161--
1622.34.1
163
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch
deleted file mode 100644
index c579ec283e..0000000000
--- a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch
+++ /dev/null
@@ -1,68 +0,0 @@
1From f69d1313b19047d3d83fc2b36a518355b861dfc4 Mon Sep 17 00:00:00 2001
2From: Olivier Dugeon <olivier.dugeon@orange.com>
3Date: Wed, 3 Apr 2024 16:28:23 +0200
4Subject: [PATCH] ospfd: Solved crash in RI parsing with OSPF TE
5
6Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
7LSA packets. The crash occurs in ospf_te_parse_ri() function when attemping to
8read Segment Routing subTLVs. The original code doesn't check if the size of
9the SR subTLVs have the correct length. In presence of erronous LSA, this will
10cause a buffer overflow and ospfd crash.
11
12This patch introduces new verification of the subTLVs size for Router
13Information TLV.
14
15Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
16Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
17
18CVE: CVE-2024-31950
19Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4]
20
21Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
22---
23 ospfd/ospf_te.c | 9 +++++++++
24 1 file changed, 9 insertions(+)
25
26diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
27index 359dc1f5d4b8..091669d8ed36 100644
28--- a/ospfd/ospf_te.c
29+++ b/ospfd/ospf_te.c
30@@ -2456,6 +2456,9 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
31
32 switch (ntohs(tlvh->type)) {
33 case RI_SR_TLV_SR_ALGORITHM:
34+ if (TLV_BODY_SIZE(tlvh) < 1 ||
35+ TLV_BODY_SIZE(tlvh) > ALGORITHM_COUNT)
36+ break;
37 algo = (struct ri_sr_tlv_sr_algorithm *)tlvh;
38
39 for (int i = 0; i < ntohs(algo->header.length); i++) {
40@@ -2480,6 +2483,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
41 break;
42
43 case RI_SR_TLV_SRGB_LABEL_RANGE:
44+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
45+ break;
46 range = (struct ri_sr_tlv_sid_label_range *)tlvh;
47 size = GET_RANGE_SIZE(ntohl(range->size));
48 lower = GET_LABEL(ntohl(range->lower.value));
49@@ -2497,6 +2502,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
50 break;
51
52 case RI_SR_TLV_SRLB_LABEL_RANGE:
53+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
54+ break;
55 range = (struct ri_sr_tlv_sid_label_range *)tlvh;
56 size = GET_RANGE_SIZE(ntohl(range->size));
57 lower = GET_LABEL(ntohl(range->lower.value));
58@@ -2514,6 +2521,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
59 break;
60
61 case RI_SR_TLV_NODE_MSD:
62+ if (TLV_BODY_SIZE(tlvh) < RI_SR_TLV_NODE_MSD_SIZE)
63+ break;
64 msd = (struct ri_sr_tlv_node_msd *)tlvh;
65 if ((CHECK_FLAG(node->flags, LS_NODE_MSD))
66 && (node->msd == msd->value))
67--
682.34.1 \ No newline at end of file
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31951.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31951.patch
deleted file mode 100644
index 7f19b0312a..0000000000
--- a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31951.patch
+++ /dev/null
@@ -1,110 +0,0 @@
1From 5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a Mon Sep 17 00:00:00 2001
2From: Olivier Dugeon <olivier.dugeon@orange.com>
3Date: Fri, 5 Apr 2024 12:57:11 +0200
4Subject: [PATCH] ospfd: Correct Opaque LSA Extended parser
5
6Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
7LSA packets. The crash occurs in ospf_te_parse_ext_link() function when
8attemping to read Segment Routing Adjacency SID subTLVs. The original code
9doesn't check if the size of the Extended Link TLVs and subTLVs have the correct
10length. In presence of erronous LSA, this will cause a buffer overflow and ospfd
11crashes.
12
13This patch introduces new verification of the subTLVs size for Extended Link
14TLVs and subTLVs. Similar check has been also introduced for the Extended
15Prefix TLV.
16
17Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
18Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
19
20CVE: CVE-2024-31951
21Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a]
22
23Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
24---
25 ospfd/ospf_te.c | 35 +++++++++++++++++++++++++++++++++--
26 1 file changed, 33 insertions(+), 2 deletions(-)
27
28diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
29index 091669d8ed36..e68f9444f512 100644
30--- a/ospfd/ospf_te.c
31+++ b/ospfd/ospf_te.c
32@@ -2620,6 +2620,7 @@ static int ospf_te_parse_ext_pref(struct ls_ted *ted, struct ospf_lsa *lsa)
33 struct ext_tlv_prefix *ext;
34 struct ext_subtlv_prefix_sid *pref_sid;
35 uint32_t label;
36+ uint16_t len, size;
37
38 /* Get corresponding Subnet from Link State Data Base */
39 ext = (struct ext_tlv_prefix *)TLV_HDR_TOP(lsa->data);
40@@ -2641,6 +2642,18 @@ static int ospf_te_parse_ext_pref(struct ls_ted *ted, struct ospf_lsa *lsa)
41 ote_debug(" |- Process Extended Prefix LSA %pI4 for subnet %pFX",
42 &lsa->data->id, &pref);
43
44+ /*
45+ * Check Extended Prefix TLV size against LSA size
46+ * as only one TLV is allowed per LSA
47+ */
48+ len = TLV_BODY_SIZE(&ext->header);
49+ size = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE);
50+ if (len != size || len <= 0) {
51+ ote_debug(" |- Wrong TLV size: %u instead of %u",
52+ (uint32_t)len, (uint32_t)size);
53+ return -1;
54+ }
55+
56 /* Initialize TLV browsing */
57 ls_pref = subnet->ls_pref;
58 pref_sid = (struct ext_subtlv_prefix_sid *)((char *)(ext) + TLV_HDR_SIZE
59@@ -2751,8 +2764,20 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
60 ote_debug(" |- Process Extended Link LSA %pI4 for edge %pI4",
61 &lsa->data->id, &edge->attributes->standard.local);
62
63- /* Initialize TLV browsing */
64- len = TLV_BODY_SIZE(&ext->header) - EXT_TLV_LINK_SIZE;
65+ /*
66+ * Check Extended Link TLV size against LSA size
67+ * as only one TLV is allowed per LSA
68+ */
69+ len = TLV_BODY_SIZE(&ext->header);
70+ i = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE);
71+ if (len != i || len <= 0) {
72+ ote_debug(" |- Wrong TLV size: %u instead of %u",
73+ (uint32_t)len, (uint32_t)i);
74+ return -1;
75+ }
76+
77+ /* Initialize subTLVs browsing */
78+ len -= EXT_TLV_LINK_SIZE;
79 tlvh = (struct tlv_header *)((char *)(ext) + TLV_HDR_SIZE
80 + EXT_TLV_LINK_SIZE);
81 for (; sum < len; tlvh = TLV_HDR_NEXT(tlvh)) {
82@@ -2762,6 +2787,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
83
84 switch (ntohs(tlvh->type)) {
85 case EXT_SUBTLV_ADJ_SID:
86+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_ADJ_SID_SIZE)
87+ break;
88 adj = (struct ext_subtlv_adj_sid *)tlvh;
89 label = CHECK_FLAG(adj->flags,
90 EXT_SUBTLV_LINK_ADJ_SID_VFLG)
91@@ -2788,6 +2815,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
92
93 break;
94 case EXT_SUBTLV_LAN_ADJ_SID:
95+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_LAN_ADJ_SID_SIZE)
96+ break;
97 ladj = (struct ext_subtlv_lan_adj_sid *)tlvh;
98 label = CHECK_FLAG(ladj->flags,
99 EXT_SUBTLV_LINK_ADJ_SID_VFLG)
100@@ -2817,6 +2846,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
101
102 break;
103 case EXT_SUBTLV_RMT_ITF_ADDR:
104+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_RMT_ITF_ADDR_SIZE)
105+ break;
106 rmt = (struct ext_subtlv_rmt_itf_addr *)tlvh;
107 if (CHECK_FLAG(atr->flags, LS_ATTR_NEIGH_ADDR)
108 && IPV4_ADDR_SAME(&atr->standard.remote,
109--
1102.34.1 \ No newline at end of file
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch
deleted file mode 100644
index 72dffb1328..0000000000
--- a/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch
+++ /dev/null
@@ -1,83 +0,0 @@
1From 8c177d69e32b91b45bda5fc5da6511fa03dc11ca Mon Sep 17 00:00:00 2001
2From: Olivier Dugeon <olivier.dugeon@orange.com>
3Date: Tue, 16 Apr 2024 16:42:06 +0200
4Subject: [PATCH] ospfd: protect call to get_edge() in ospf_te.c
5
6During fuzzing, Iggy Frankovic discovered that get_edge() function in ospf_te.c
7could return null pointer, in particular when the link_id or advertised router
8IP addresses are fuzzed. As the null pointer returned by get_edge() function is
9not handlei by calling functions, this could cause ospfd crash.
10
11This patch introduces new verification of returned pointer by get_edge()
12function and stop the processing in case of null pointer. In addition, link ID
13and advertiser router ID are validated before calling ls_find_edge_by_key() to
14avoid the creation of a new edge with an invalid key.
15
16CVE-2024-34088
17
18Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
19Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
20
21CVE: CVE-2024-34088
22Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/8c177d69e32b91b45bda5fc5da6511fa03dc11ca]
23
24Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
25---
26 ospfd/ospf_te.c | 19 ++++++++++++++++---
27 1 file changed, 16 insertions(+), 3 deletions(-)
28
29diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
30index e68f9444f512..d57990e1a174 100644
31--- a/ospfd/ospf_te.c
32+++ b/ospfd/ospf_te.c
33@@ -1670,6 +1670,11 @@ static struct ls_edge *get_edge(struct ls_ted *ted, struct ls_node_id adv,
34 struct ls_edge *edge;
35 struct ls_attributes *attr;
36
37+ /* Check that Link ID and Node ID are valid */
38+ if (IPV4_NET0(link_id.s_addr) || IPV4_NET0(adv.id.ip.addr.s_addr) ||
39+ adv.origin != OSPFv2)
40+ return NULL;
41+
42 /* Search Edge that corresponds to the Link ID */
43 key.family = AF_INET;
44 IPV4_ADDR_COPY(&key.k.addr, &link_id);
45@@ -1743,6 +1748,10 @@ static void ospf_te_update_link(struct ls_ted *ted, struct ls_vertex *vertex,
46
47 /* Get Corresponding Edge from Link State Data Base */
48 edge = get_edge(ted, vertex->node->adv, link_data);
49+ if (!edge) {
50+ ote_debug(" |- Found no edge from Link Data. Abort!");
51+ return;
52+ }
53 attr = edge->attributes;
54
55 /* re-attached edge to vertex if needed */
56@@ -2246,11 +2255,11 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
57 }
58
59 /* Get corresponding Edge from Link State Data Base */
60- if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
61- ote_debug(" |- Found no TE Link local address/ID. Abort!");
62+ edge = get_edge(ted, attr.adv, attr.standard.local);
63+ if (!edge) {
64+ ote_debug(" |- Found no edge from Link local add./ID. Abort!");
65 return -1;
66 }
67- edge = get_edge(ted, attr.adv, attr.standard.local);
68 old = edge->attributes;
69
70 ote_debug(" |- Process Traffic Engineering LSA %pI4 for Edge %pI4",
71@@ -2759,6 +2768,10 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
72 lnid.id.ip.area_id = lsa->area->area_id;
73 ext = (struct ext_tlv_link *)TLV_HDR_TOP(lsa->data);
74 edge = get_edge(ted, lnid, ext->link_data);
75+ if (!edge) {
76+ ote_debug(" |- Found no edge from Extended Link Data. Abort!");
77+ return -1;
78+ }
79 atr = edge->attributes;
80
81 ote_debug(" |- Process Extended Link LSA %pI4 for edge %pI4",
82--
832.34.1 \ No newline at end of file
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-44070.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-44070.patch
deleted file mode 100644
index 87bd16efa6..0000000000
--- a/meta-networking/recipes-protocols/frr/frr/CVE-2024-44070.patch
+++ /dev/null
@@ -1,54 +0,0 @@
1From 335dc7f0421dc5b59a50795f21f28bd92ed4ef12 Mon Sep 17 00:00:00 2001
2From: Donatas Abraitis <donatas@opensourcerouting.org>
3Date: Wed, 31 Jul 2024 08:35:14 +0300
4Subject: [PATCH] bgpd: Check the actual remaining stream length before taking
5 TLV value
6
7```
8 0 0xb50b9f898028 in __sanitizer_print_stack_trace (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x368028) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
9 1 0xb50b9f7ed8e4 in fuzzer::PrintStackTrace() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2bd8e4) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
10 2 0xb50b9f7d4d9c in fuzzer::Fuzzer::CrashCallback() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2a4d9c) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
11 3 0xe0d12d7469cc (linux-vdso.so.1+0x9cc) (BuildId: 1a77697e9d723fe22246cfd7641b140c427b7e11)
12 4 0xe0d12c88f1fc in __pthread_kill_implementation nptl/pthread_kill.c:43:17
13 5 0xe0d12c84a678 in gsignal signal/../sysdeps/posix/raise.c:26:13
14 6 0xe0d12c83712c in abort stdlib/abort.c:79:7
15 7 0xe0d12d214724 in _zlog_assert_failed /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/zlog.c:789:2
16 8 0xe0d12d1285e4 in stream_get /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/stream.c:324:3
17 9 0xb50b9f8e47c4 in bgp_attr_encap /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:2758:3
18 10 0xb50b9f8dcd38 in bgp_attr_parse /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:3783:10
19 11 0xb50b9faf74b4 in bgp_update_receive /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:2383:20
20 12 0xb50b9faf1dcc in bgp_process_packet /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:4075:11
21 13 0xb50b9f8c90d0 in LLVMFuzzerTestOneInput /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_main.c:582:3
22```
23
24CVE: CVE-2024-44070
25Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/21cd931a5f9303e12104c72ce31ca383c0c57514]
26
27Reported-by: Iggy Frankovic <iggyfran@amazon.com>
28Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
29(cherry picked from commit 0998b38e4d61179441f90dd7e7fd6a3a8b7bd8c5)
30(cherry picked from commit 21cd931a5f9303e12104c72ce31ca383c0c57514)
31Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
32---
33 bgpd/bgp_attr.c | 8 ++++++++
34 1 file changed, 8 insertions(+)
35
36diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
37index 797f05d606..cc63251cc8 100644
38--- a/bgpd/bgp_attr.c
39+++ b/bgpd/bgp_attr.c
40@@ -2718,6 +2718,14 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args)
41 args->total);
42 }
43
44+ if (STREAM_READABLE(BGP_INPUT(peer)) < sublength) {
45+ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu",
46+ sublength, STREAM_READABLE(BGP_INPUT(peer)));
47+ return bgp_attr_malformed(args,
48+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
49+ args->total);
50+ }
51+
52 /* alloc and copy sub-tlv */
53 /* TBD make sure these are freed when attributes are released */
54 tlv = XCALLOC(MTYPE_ENCAP_TLV,
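diff --git a/meta-networking/recipes-protocols/frr/frr_9.1.bb b/meta-networking/recipes-protocols/frr/frr_9.1.3.bb
index ce9876c79f..f3b4816941 100644
--- a/meta-networking/recipes-protocols/frr/frr_9.1.bb
+++ b/meta-networking/recipes-protocols/frr/frr_9.1.3.bb
@@ -13,15 +13,9 @@ LIC_FILES_CHKSUM = "file://doc/licenses/GPL-2.0;md5=b234ee4d69f5fce4486a80fdaf4a
 SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \
  file://frr.pam \
  file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \
- file://CVE-2024-34088.patch \
- file://CVE-2024-31950.patch \
- file://CVE-2024-31951.patch \
- file://CVE-2024-31948.patch \
- file://CVE-2024-31949.patch \
- file://CVE-2024-44070.patch \
  "
 
-SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"
+SRCREV = "ad1766d17be022587fe05ebe1a7bf10e1b7dce19"
 
 UPSTREAM_CHECK_GITTAGREGEX = "frr-(?P<pver>\d+(\.\d+)+)$"
 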
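Review bot: Dropping the six CVE-2024-31948/31949/31950/31951/34088/44070 backports at the removed `file://` lines and moving SRCREV to `ad1766d1…` is only safe if that stable/9.1 commit is at or after every upstream backport the deleted patches cite in their Upstream-Status lines; the newest of them, the CVE-2024-44070 cherry-pick `21cd931a…` dated 31 Jul 2024, is the one to check, and nothing on this page confirms it. I would record that verification in the commit message by listing each CVE with the stable/9.1 commit that fixes it, so the next reviewer and any cve-check or SBOM consumer can see why the patches went away instead of having to diff the tags. If the new SRCREV is the frr-9.1.3 tag, saying so next to `SRCREV = "ad1766d17be022587fe05ebe1a7bf10e1b7dce19"` (e.g. a `# frr-9.1.3` comment above it) keeps the pinned revision, the recipe version and UPSTREAM_CHECK_GITTAGREGEX visibly in step.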