-rw-r--r--meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61100-61101-61102-61103-61104-61105-61106-61107_1.patch37
-rw-r--r--meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61100-61101-61102-61103-61104-61105-61106-61107_2.patch273
-rw-r--r--meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61100-61101-61102-61103-61104-61105-61106-61107_3.patch78
-rw-r--r--meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61100-61101-61102-61103-61104-61105-61106-61107_4.patch119
-rw-r--r--meta-networking/recipes-protocols/frr/frr_9.1.3.bb4
5 files changed, 511 insertions, 0 deletions
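--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61100-61101-61102-61103-61104-61105-61106-61107_1.patch
@@ -0,0 +1,37 @@
+From c686fcae29ea1ae9ba4ebfa792db79100948eb79 Mon Sep 17 00:00:00 2001
+From: s1awwhy <seawwhy@163.com>
+Date: Sun, 24 Aug 2025 21:17:55 +0800
+Subject: [PATCH] ospfd: Add null check for vty_out in check_tlv_size
+
+Add security check for vty_out. Specifically, Check NULL for vty. If vty is not available, dump info via zlog.
+
+Signed-off-by: s1awwhy <seawwhy@163.com>
+CVE: CVE-2025-61099 CVE-2025-61100 CVE-2025-61101 CVE-2025-61102 CVE-2025-61103 CVE-2025-61104 CVE-2025-61105 CVE-2025-61106 CVE-2025-61107
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/b7d9b7aa47627b31e4b50795284408ab6de98660]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ ospfd/ospf_ext.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/ospfd/ospf_ext.c b/ospfd/ospf_ext.c
+index d82c2146c7..456f163ffa 100644
+--- a/ospfd/ospf_ext.c
++++ b/ospfd/ospf_ext.c
+@@ -1704,11 +1704,15 @@ static void ospf_ext_lsa_schedule(struct ext_itf *exti, enum lsa_opcode op)
+ * ------------------------------------
+ */
+
++/* Check NULL for vty. If vty is not available, dump info via zlog */
+ #define check_tlv_size(size, msg) \
+ do { \
+ if (ntohs(tlvh->length) != size) { \
+- vty_out(vty, " Wrong %s TLV size: %d(%d). Abort!\n", \
+- msg, ntohs(tlvh->length), size); \
++ if (vty != NULL) \
++ vty_out(vty, " Wrong %s TLV size: %d(%d). Abort!\n", \
++ msg, ntohs(tlvh->length), size); \
++ else \
++ zlog_debug(" Wrong %s TLV size: %d(%d). Abort!", msg, ntohs(tlvh->length), size); \
+ return size + TLV_HDR_SIZE; \
+ } \
+ } while (0)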
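Review bot: The comment added above `check_tlv_size` documents only the NULL test, not the parts of the macro a caller cannot see: it reads `tlvh` and `vty` from the enclosing scope and executes `return` in the calling function when the length does not match. I would extend it to something like `/* Uses the caller's tlvh and vty; on a length mismatch, reports via vty or zlog and returns from the calling function */`. The parameter `size` is also expanded without parentheses in `!= size` and `size + TLV_HDR_SIZE`, so writing `(size)` would be safer should a call site ever pass an expression. The functions that invoke the macro are outside this hunk.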
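--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61100-61101-61102-61103-61104-61105-61106-61107_2.patch
@@ -0,0 +1,273 @@
+From e99ada4aca49f34040747c7253e4b2fcd441da8a Mon Sep 17 00:00:00 2001
+From: s1awwhy <seawwhy@163.com>
+Date: Sun, 24 Aug 2025 21:21:23 +0800
+Subject: [PATCH] ospfd: Fix NULL Pointer Deference when dumping link info
+
+When the command debug ospf packet all send/recv detail is enabled in the OSPF
+configuration, ospfd will dump detailed information of any received or sent
+OSPF packets, either via VTY or through the zlog. However, the original Opaque
+LSA handling code failed to check whether the VTY context and show_opaque_info
+were available, resulting in NULL pointer dereference and crashes in ospfd.
+The patch fixes the Null Pointer Deference Vulnerability in
+show_vty_ext_link_rmt_itf_addr, show_vty_ext_link_adj_sid,
+show_vty_ext_link_lan_adj_sid, show_vty_unknown_tlv,
+show_vty_link_info, show_vty_ext_pref_pref_sid, show_vtY_pref_info.
+Specifically, add NULL check for vty. If vty is not available, dump details
+via zlog.
+
+Signed-off-by: s1awwhy <seawwhy@163.com>
+Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
+
+CVE: CVE-2025-61099 CVE-2025-61100 CVE-2025-61101 CVE-2025-61102 CVE-2025-61103 CVE-2025-61104 CVE-2025-61105 CVE-2025-61106 CVE-2025-61107
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/034e6fe67078810b952630055614ee5710d1196e]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ ospfd/ospf_ext.c | 184 +++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 130 insertions(+), 54 deletions(-)
+
+diff --git a/ospfd/ospf_ext.c b/ospfd/ospf_ext.c
+index 456f163ffa..4fa9c82c34 100644
+--- a/ospfd/ospf_ext.c
++++ b/ospfd/ospf_ext.c
+@@ -1726,10 +1726,15 @@ static uint16_t show_vty_ext_link_rmt_itf_addr(struct vty *vty,
+
+ check_tlv_size(EXT_SUBTLV_RMT_ITF_ADDR_SIZE, "Remote Itf. Address");
+
+- vty_out(vty,
+- " Remote Interface Address Sub-TLV: Length %u\n Address: %pI4\n",
+- ntohs(top->header.length), &top->value);
+-
++ if (vty != NULL) {
++ vty_out(vty,
++ " Remote Interface Address Sub-TLV: Length %u\n Address: %pI4\n",
++ ntohs(top->header.length), &top->value);
++ } else {
++ zlog_debug(" Remote Interface Address Sub-TLV: Length %u",
++ ntohs(top->header.length));
++ zlog_debug(" Address: %pI4", &top->value);
++ }
+ return TLV_SIZE(tlvh);
+ }
+
+@@ -1745,15 +1750,28 @@ static uint16_t show_vty_ext_link_adj_sid(struct vty *vty,
+ : SID_INDEX_SIZE(EXT_SUBTLV_ADJ_SID_SIZE);
+ check_tlv_size(tlv_size, "Adjacency SID");
+
+- vty_out(vty,
+- " Adj-SID Sub-TLV: Length %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\tWeight: 0x%x\n\t%s: %u\n",
+- ntohs(top->header.length), top->flags, top->mtid, top->weight,
+- CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label"
+- : "Index",
+- CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG)
+- ? GET_LABEL(ntohl(top->value))
+- : ntohl(top->value));
+-
++ /* Add security check for vty_out. If vty is not available, dump info via zlog.*/
++ if (vty != NULL) {
++ vty_out(vty,
++ " Adj-SID Sub-TLV: Length %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\tWeight: 0x%x\n\t%s: %u\n",
++ ntohs(top->header.length), top->flags, top->mtid, top->weight,
++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label"
++ : "Index",
++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG)
++ ? GET_LABEL(ntohl(top->value))
++ : ntohl(top->value));
++ } else {
++ zlog_debug(" Adj-SID Sub-TLV: Length %u", ntohs(top->header.length));
++ zlog_debug(" Flags: 0x%x", top->flags);
++ zlog_debug(" MT-ID:0x%x", top->mtid);
++ zlog_debug(" Weight: 0x%x", top->weight);
++ zlog_debug(" %s: %u",
++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label"
++ : "Index",
++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG)
++ ? GET_LABEL(ntohl(top->value))
++ : ntohl(top->value));
++ }
+ return TLV_SIZE(tlvh);
+ }
+
+@@ -1770,31 +1788,53 @@ static uint16_t show_vty_ext_link_lan_adj_sid(struct vty *vty,
+ : SID_INDEX_SIZE(EXT_SUBTLV_LAN_ADJ_SID_SIZE);
+ check_tlv_size(tlv_size, "LAN-Adjacency SID");
+
+- vty_out(vty,
+- " LAN-Adj-SID Sub-TLV: Length %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\tWeight: 0x%x\n\tNeighbor ID: %pI4\n\t%s: %u\n",
+- ntohs(top->header.length), top->flags, top->mtid, top->weight,
+- &top->neighbor_id,
+- CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label"
+- : "Index",
+- CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG)
+- ? GET_LABEL(ntohl(top->value))
+- : ntohl(top->value));
+-
++ /* Add security check for vty_out. If vty is not available, dump info via zlog. */
++ if (vty != NULL) {
++ vty_out(vty,
++ " LAN-Adj-SID Sub-TLV: Length %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\tWeight: 0x%x\n\tNeighbor ID: %pI4\n\t%s: %u\n",
++ ntohs(top->header.length), top->flags, top->mtid, top->weight,
++ &top->neighbor_id,
++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label"
++ : "Index",
++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG)
++ ? GET_LABEL(ntohl(top->value))
++ : ntohl(top->value));
++ } else {
++ zlog_debug(" LAN-Adj-SID Sub-TLV: Length %u", ntohs(top->header.length));
++ zlog_debug(" Flags: 0x%x", top->flags);
++ zlog_debug(" MT-ID:0x%x", top->mtid);
++ zlog_debug(" Weight: 0x%x", top->weight);
++ zlog_debug(" Neighbor ID: %pI4", &top->neighbor_id);
++ zlog_debug(" %s: %u",
++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label"
++ : "Index",
++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG)
++ ? GET_LABEL(ntohl(top->value))
++ : ntohl(top->value));
++ }
+ return TLV_SIZE(tlvh);
+ }
+
+ static uint16_t show_vty_unknown_tlv(struct vty *vty, struct tlv_header *tlvh,
+ size_t buf_size)
+ {
++ /* Add security check for vty_out. If vty is not available, dump info via zlog. */
+ if (TLV_SIZE(tlvh) > buf_size) {
+- vty_out(vty, " TLV size %d exceeds buffer size. Abort!",
+- TLV_SIZE(tlvh));
++ if (vty != NULL)
++ vty_out(vty, " TLV size %d exceeds buffer size. Abort!", TLV_SIZE(tlvh));
++ else
++ zlog_debug(" TLV size %d exceeds buffer size. Abort!", TLV_SIZE(tlvh));
++
+ return buf_size;
+ }
+
+- vty_out(vty, " Unknown TLV: [type(0x%x), length(0x%x)]\n",
+- ntohs(tlvh->type), ntohs(tlvh->length));
+-
++ if (vty != NULL) {
++ vty_out(vty, " Unknown TLV: [type(0x%x), length(0x%x)]\n",
++ ntohs(tlvh->type), ntohs(tlvh->length));
++ } else {
++ zlog_debug(" Unknown TLV: [type(0x%x), length(0x%x)]",
++ ntohs(tlvh->type), ntohs(tlvh->length));
++ }
+ return TLV_SIZE(tlvh);
+ }
+
+@@ -1809,18 +1849,30 @@ static uint16_t show_vty_link_info(struct vty *vty, struct tlv_header *ext,
+
+ /* Verify that TLV length is valid against remaining buffer size */
+ if (length > buf_size) {
+- vty_out(vty,
+- " Extended Link TLV size %d exceeds buffer size. Abort!\n",
+- length);
++ /* Add security check for vty_out. If vty is not available, dump info via zlog. */
++ if (vty != NULL) {
++ vty_out(vty, " Extended Link TLV size %d exceeds buffer size. Abort!\n",
++ length);
++ } else {
++ zlog_debug(" Extended Link TLV size %d exceeds buffer size. Abort!",
++ length);
++ }
+ return buf_size;
+ }
+
+- vty_out(vty,
+- " Extended Link TLV: Length %u\n Link Type: 0x%x\n"
+- " Link ID: %pI4\n",
+- ntohs(top->header.length), top->link_type,
+- &top->link_id);
+- vty_out(vty, " Link data: %pI4\n", &top->link_data);
++ /* Add security check for vty_out. If vty is not available, dump info via zlog. */
++ if (vty != NULL) {
++ vty_out(vty,
++ " Extended Link TLV: Length %u\n Link Type: 0x%x\n"
++ " Link ID: %pI4\n",
++ ntohs(top->header.length), top->link_type, &top->link_id);
++ vty_out(vty, " Link data: %pI4\n", &top->link_data);
++ } else {
++ zlog_debug(" Extended Link TLV: Length %u", ntohs(top->header.length));
++ zlog_debug(" Link Type: 0x%x", top->link_type);
++ zlog_debug(" Link ID: %pI4", &top->link_id);
++ zlog_debug(" Link data: %pI4", &top->link_data);
++ }
+
+ /* Skip Extended TLV and parse sub-TLVs */
+ length -= EXT_TLV_LINK_SIZE;
+@@ -1886,15 +1938,27 @@ static uint16_t show_vty_ext_pref_pref_sid(struct vty *vty,
+ : SID_INDEX_SIZE(EXT_SUBTLV_PREFIX_SID_SIZE);
+ check_tlv_size(tlv_size, "Prefix SID");
+
+- vty_out(vty,
+- " Prefix SID Sub-TLV: Length %u\n\tAlgorithm: %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\t%s: %u\n",
+- ntohs(top->header.length), top->algorithm, top->flags,
+- top->mtid,
+- CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG) ? "Label"
+- : "Index",
+- CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG)
+- ? GET_LABEL(ntohl(top->value))
+- : ntohl(top->value));
++ if (vty != NULL) {
++ vty_out(vty,
++ " Prefix SID Sub-TLV: Length %u\n\tAlgorithm: %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\t%s: %u\n",
++ ntohs(top->header.length), top->algorithm, top->flags, top->mtid,
++ CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG) ? "Label"
++ : "Index",
++ CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG)
++ ? GET_LABEL(ntohl(top->value))
++ : ntohl(top->value));
++ } else {
++ zlog_debug(" Prefix SID Sub-TLV: Length %u", ntohs(top->header.length));
++ zlog_debug(" Algorithm: %u", top->algorithm);
++ zlog_debug(" Flags: 0x%x", top->flags);
++ zlog_debug(" MT-ID:0x%x", top->mtid);
++ zlog_debug(" %s: %u",
++ CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG) ? "Label"
++ : "Index",
++ CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG)
++ ? GET_LABEL(ntohl(top->value))
++ : ntohl(top->value));
++ }
+
+ return TLV_SIZE(tlvh);
+ }
+@@ -1910,17 +1974,29 @@ static uint16_t show_vty_pref_info(struct vty *vty, struct tlv_header *ext,
+
+ /* Verify that TLV length is valid against remaining buffer size */
+ if (length > buf_size) {
+- vty_out(vty,
+- " Extended Link TLV size %d exceeds buffer size. Abort!\n",
+- length);
++ if (vty != NULL) {
++ vty_out(vty, " Extended Link TLV size %d exceeds buffer size. Abort!\n",
++ length);
++ } else {
++ zlog_debug(" Extended Link TLV size %d exceeds buffer size. Abort!",
++ length);
++ }
+ return buf_size;
+ }
+
+- vty_out(vty,
+- " Extended Prefix TLV: Length %u\n\tRoute Type: %u\n"
+- "\tAddress Family: 0x%x\n\tFlags: 0x%x\n\tAddress: %pI4/%u\n",
+- ntohs(top->header.length), top->route_type, top->af, top->flags,
+- &top->address, top->pref_length);
++ if (vty != NULL) {
++ vty_out(vty,
++ " Extended Prefix TLV: Length %u\n\tRoute Type: %u\n"
++ "\tAddress Family: 0x%x\n\tFlags: 0x%x\n\tAddress: %pI4/%u\n",
++ ntohs(top->header.length), top->route_type, top->af, top->flags,
++ &top->address, top->pref_length);
++ } else {
++ zlog_debug(" Extended Prefix TLV: Length %u", ntohs(top->header.length));
++ zlog_debug(" Route Type: %u", top->route_type);
++ zlog_debug(" Address Family: 0x%x", top->af);
++ zlog_debug(" Flags: 0x%x", top->flags);
++ zlog_debug(" Address: %pI4/%u", &top->address, top->pref_length);
++ }
+
+ /* Skip Extended Prefix TLV and parse sub-TLVs */
+ length -= EXT_TLV_PREFIX_SIZE;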
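Review bot: In `show_vty_link_info` and `show_vty_pref_info` the only length test visible before the `top->...` fields are printed, and before `length -= EXT_TLV_LINK_SIZE;` / `length -= EXT_TLV_PREFIX_SIZE;`, is `length > buf_size`; nothing in these hunks rejects a TLV shorter than the fixed header. If `length` is an unsigned type (its declaration is outside the hunk), a short TLV in a received LSA would make the subtraction wrap, and the sub-TLV parsing announced by the following comment would then work from a bogus remaining length. A lower-bound guard beside the existing one, e.g. `if (length < EXT_TLV_LINK_SIZE) return buf_size;` and the `EXT_TLV_PREFIX_SIZE` equivalent, would cover that case. Separately, the new `zlog_debug` branch in `show_vty_pref_info` repeats the "Extended Link TLV size" wording for what is a prefix TLV, which will mislead anyone triaging malformed LSAs from the debug log.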
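--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61100-61101-61102-61103-61104-61105-61106-61107_3.patch
@@ -0,0 +1,78 @@
+From 3b643cde27e33b98037e97a76c0f80447d2a9110 Mon Sep 17 00:00:00 2001
+From: Louis Scalbert <louis.scalbert@6wind.com>
+Date: Tue, 6 Jan 2026 15:32:32 +0100
+Subject: [PATCH] ospfd: skip subsequent tlvs after invalid length
+
+Do not attempt to read subsequent TLVs after an TLV invalid length is
+detected.
+
+Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
+
+CVE: CVE-2025-61099 CVE-2025-61100 CVE-2025-61101 CVE-2025-61102 CVE-2025-61103 CVE-2025-61104 CVE-2025-61105 CVE-2025-61106 CVE-2025-61107
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/33dfc7e7be1ac8b66abbf47c30a709215fbc1926]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ ospfd/ospf_ext.c | 6 +++---
+ ospfd/ospf_ri.c | 6 +++---
+ ospfd/ospf_te.c | 6 +++---
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/ospfd/ospf_ext.c b/ospfd/ospf_ext.c
+index 4fa9c82c34..1aa4f579e4 100644
+--- a/ospfd/ospf_ext.c
++++ b/ospfd/ospf_ext.c
+@@ -1709,11 +1709,11 @@ static void ospf_ext_lsa_schedule(struct ext_itf *exti, enum lsa_opcode op)
+ do { \
+ if (ntohs(tlvh->length) != size) { \
+ if (vty != NULL) \
+- vty_out(vty, " Wrong %s TLV size: %d(%d). Abort!\n", \
++ vty_out(vty, " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
+ msg, ntohs(tlvh->length), size); \
+ else \
+- zlog_debug(" Wrong %s TLV size: %d(%d). Abort!", msg, ntohs(tlvh->length), size); \
+- return size + TLV_HDR_SIZE; \
++ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", msg, ntohs(tlvh->length), size); \
++ return OSPF_MAX_LSA_SIZE + 1; \
+ } \
+ } while (0)
+
+diff --git a/ospfd/ospf_ri.c b/ospfd/ospf_ri.c
+index 80e7f59312..ec9c55645e 100644
+--- a/ospfd/ospf_ri.c
++++ b/ospfd/ospf_ri.c
+@@ -1206,12 +1206,12 @@ static int ospf_router_info_lsa_update(struct ospf_lsa *lsa)
+ do { \
+ if (ntohs(tlvh->length) > size) { \
+ if (vty != NULL) \
+- vty_out(vty, " Wrong %s TLV size: %d(%d)\n", \
++ vty_out(vty, " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
+ msg, ntohs(tlvh->length), size); \
+ else \
+- zlog_debug(" Wrong %s TLV size: %d(%d)", \
++ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \
+ msg, ntohs(tlvh->length), size); \
+- return size + TLV_HDR_SIZE; \
++ return OSPF_MAX_LSA_SIZE + 1; \
+ } \
+ } while (0)
+
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index 844b28d264..d354015914 100644
+--- a/ospfd/ospf_te.c
++++ b/ospfd/ospf_te.c
+@@ -3189,12 +3189,12 @@ static void ospf_te_init_ted(struct ls_ted *ted, struct ospf *ospf)
+ do { \
+ if (ntohs(tlvh->length) > size) { \
+ if (vty != NULL) \
+- vty_out(vty, " Wrong %s TLV size: %d(%d)\n", \
++ vty_out(vty, " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
+ msg, ntohs(tlvh->length), size); \
+ else \
+- zlog_debug(" Wrong %s TLV size: %d(%d)", \
++ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \
+ msg, ntohs(tlvh->length), size); \
+- return size + TLV_HDR_SIZE; \
++ return OSPF_MAX_LSA_SIZE + 1; \
+ } \
+ } while (0)
+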
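Review bot: The sentinel `return OSPF_MAX_LSA_SIZE + 1;` now used by all three `check_tlv_size` macros is undocumented, and it only stops parsing if every caller adds the returned value to a running total that it compares with the remaining LSA length; those loops are outside these hunks. A comment on each macro would make the contract explicit, e.g. `/* On a bad length, return more than any LSA can hold so the caller's sum/length loop terminates */`. The three macros also differ in their test: ospf_ext.c uses `!= size` while ospf_ri.c and ospf_te.c use `> size`, so a TLV shorter than expected still passes in the latter two; it is worth confirming that this is intended for the functions that go on to read fixed-size fields.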
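--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61100-61101-61102-61103-61104-61105-61106-61107_4.patch
@@ -0,0 +1,119 @@
+From 50de73f57e84007fd01517b414d0987c84d132bb Mon Sep 17 00:00:00 2001
+From: Louis Scalbert <louis.scalbert@6wind.com>
+Date: Tue, 6 Jan 2026 15:39:37 +0100
+Subject: [PATCH] ospfd: reformat check_tlv_size macro
+
+to make frr-bot happy
+
+Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
+
+CVE: CVE-2025-61099 CVE-2025-61100 CVE-2025-61101 CVE-2025-61102 CVE-2025-61103 CVE-2025-61104 CVE-2025-61105 CVE-2025-61106 CVE-2025-61107
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/4e59658233746215a16358603ab0d98b589ba16b]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ ospfd/ospf_ext.c | 22 ++++++++++++----------
+ ospfd/ospf_ri.c | 23 ++++++++++++-----------
+ ospfd/ospf_te.c | 23 ++++++++++++-----------
+ 3 files changed, 36 insertions(+), 32 deletions(-)
+
+diff --git a/ospfd/ospf_ext.c b/ospfd/ospf_ext.c
+index 1aa4f579e4..0ab5cc527d 100644
+--- a/ospfd/ospf_ext.c
++++ b/ospfd/ospf_ext.c
+@@ -1705,16 +1705,18 @@ static void ospf_ext_lsa_schedule(struct ext_itf *exti, enum lsa_opcode op)
+ */
+
+ /* Check NULL for vty. If vty is not available, dump info via zlog */
+-#define check_tlv_size(size, msg) \
+- do { \
+- if (ntohs(tlvh->length) != size) { \
+- if (vty != NULL) \
+- vty_out(vty, " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
+- msg, ntohs(tlvh->length), size); \
+- else \
+- zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", msg, ntohs(tlvh->length), size); \
+- return OSPF_MAX_LSA_SIZE + 1; \
+- } \
++#define check_tlv_size(size, msg) \
++ do { \
++ if (ntohs(tlvh->length) != size) { \
++ if (vty != NULL) \
++ vty_out(vty, \
++ " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
++ msg, ntohs(tlvh->length), size); \
++ else \
++ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \
++ msg, ntohs(tlvh->length), size); \
++ return OSPF_MAX_LSA_SIZE + 1; \
++ } \
+ } while (0)
+
+ /* Cisco experimental SubTLV */
+diff --git a/ospfd/ospf_ri.c b/ospfd/ospf_ri.c
+index ec9c55645e..c9c3c251f5 100644
+--- a/ospfd/ospf_ri.c
++++ b/ospfd/ospf_ri.c
+@@ -1202,17 +1202,18 @@ static int ospf_router_info_lsa_update(struct ospf_lsa *lsa)
+ * Following are vty session control functions.
+ *------------------------------------------------------------------------*/
+
+-#define check_tlv_size(size, msg) \
+- do { \
+- if (ntohs(tlvh->length) > size) { \
+- if (vty != NULL) \
+- vty_out(vty, " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
+- msg, ntohs(tlvh->length), size); \
+- else \
+- zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \
+- msg, ntohs(tlvh->length), size); \
+- return OSPF_MAX_LSA_SIZE + 1; \
+- } \
++#define check_tlv_size(size, msg) \
++ do { \
++ if (ntohs(tlvh->length) > size) { \
++ if (vty != NULL) \
++ vty_out(vty, \
++ " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
++ msg, ntohs(tlvh->length), size); \
++ else \
++ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \
++ msg, ntohs(tlvh->length), size); \
++ return OSPF_MAX_LSA_SIZE + 1; \
++ } \
+ } while (0)
+
+ static uint16_t show_vty_router_cap(struct vty *vty, struct tlv_header *tlvh)
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index d354015914..1bddf97bde 100644
+--- a/ospfd/ospf_te.c
++++ b/ospfd/ospf_te.c
+@@ -3185,17 +3185,18 @@ static void ospf_te_init_ted(struct ls_ted *ted, struct ospf *ospf)
+ /*------------------------------------------------------------------------*
+ * Following are vty session control functions.
+ *------------------------------------------------------------------------*/
+-#define check_tlv_size(size, msg) \
+- do { \
+- if (ntohs(tlvh->length) > size) { \
+- if (vty != NULL) \
+- vty_out(vty, " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
+- msg, ntohs(tlvh->length), size); \
+- else \
+- zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \
+- msg, ntohs(tlvh->length), size); \
+- return OSPF_MAX_LSA_SIZE + 1; \
+- } \
++#define check_tlv_size(size, msg) \
++ do { \
++ if (ntohs(tlvh->length) > size) { \
++ if (vty != NULL) \
++ vty_out(vty, \
++ " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
++ msg, ntohs(tlvh->length), size); \
++ else \
++ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \
++ msg, ntohs(tlvh->length), size); \
++ return OSPF_MAX_LSA_SIZE + 1; \
++ } \
+ } while (0)
+
+ static uint16_t show_vty_router_addr(struct vty *vty, struct tlv_header *tlvh)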
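--- a/meta-networking/recipes-protocols/frr/frr_9.1.3.bb
+++ b/meta-networking/recipes-protocols/frr/frr_9.1.3.bb
@@ -14,6 +14,10 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \
  file://frr.pam \
  file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \
  file://CVE-2024-55553.patch \
+ file://CVE-2025-61099-61100-61101-61102-61103-61104-61105-61106-61107_1.patch \
+ file://CVE-2025-61099-61100-61101-61102-61103-61104-61105-61106-61107_2.patch \
+ file://CVE-2025-61099-61100-61101-61102-61103-61104-61105-61106-61107_3.patch \
+ file://CVE-2025-61099-61100-61101-61102-61103-61104-61105-61106-61107_4.patch \
  "
 
 SRCREV = "ad1766d17be022587fe05ebe1a7bf10e1b7dce19"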