6 files changed, 443 insertions, 1 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-27913.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-27913.patch
new file mode 100644
index 0000000000..401fcf585e
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-27913.patch
@@ -0,0 +1,43 @@
+From d2dda70be42402e0d456e1ead4035e196253f77f Mon Sep 17 00:00:00 2001
+From: Olivier Dugeon <olivier.dugeon@orange.com>
+Date: Mon, 26 Feb 2024 10:40:34 +0100
+Subject: [PATCH] ospfd: Solved crash in OSPF TE parsing
+Iggy Frankovic discovered an ospfd crash when perfomring fuzzing of OSPF LSA
+packets. The crash occurs in ospf_te_parse_te() function when attemping to
+create corresponding egde from TE Link parameters. If there is no local
+address, an edge is created but without any attributes. During parsing, the
+function try to access to this attribute fields which has not been created
+causing an ospfd crash.
+The patch simply check if the te parser has found a valid local address. If not
+found, we stop the parser which avoid the crash.
+Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
+CVE: CVE-2024-27913
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/a73e66d07329d721f26f3f336f7735de420b0183]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ ospfd/ospf_te.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index 999bc49d9..5af006e54 100644
+--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
+@@ -2276,6 +2276,10 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
+        }
+ 
+        /* Get corresponding Edge from Link State Data Base */
+       if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
+               ote_debug("  |- Found no TE Link local address/ID. Abort!");
+               return -1;
+       }
+        edge = get_edge(ted, attr.adv, attr.standard.local);
+        old = edge->attributes;
+ 
+-- 
+2.35.5
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31948.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31948.patch
new file mode 100644
index 0000000000..ef1d4829cf
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31948.patch
@@ -0,0 +1,130 @@
+From 2bbcfeb311533ddcebb0d25a9acb4675324ab03f Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Wed, 27 Mar 2024 18:42:56 +0200
+Subject: [PATCH 1/2] bgpd: Fix error handling when receiving BGP Prefix SID
+ attribute
+Without this patch, we always set the BGP Prefix SID attribute flag without
+checking if it's malformed or not. RFC8669 says that this attribute MUST be discarded.
+Also, this fixes the bgpd crash when a malformed Prefix SID attribute is received,
+with malformed transitive flags and/or TLVs.
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+CVE: CVE-2024-31948
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/ba6a8f1a31e1a88df2de69ea46068e8bd9b97138]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> 
+---
+ bgpd/bgp_attr.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index ef45d5c46..236def2da 100644
+--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
+@@ -1294,6 +1294,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
+        case BGP_ATTR_AS4_AGGREGATOR:
+        case BGP_ATTR_AGGREGATOR:
+        case BGP_ATTR_ATOMIC_AGGREGATE:
+       case BGP_ATTR_PREFIX_SID:
+                return BGP_ATTR_PARSE_PROCEED;
+ 
+        /* Core attributes, particularly ones which may influence route
+@@ -2892,8 +2893,6 @@ bgp_attr_parse_ret_t bgp_attr_prefix_sid(struct bgp_attr_parser_args *args)
+        struct attr *const attr = args->attr;
+        bgp_attr_parse_ret_t ret;
+ 
+-       attr->flag |= ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID);
+-
+        uint8_t type;
+        uint16_t length;
+        size_t headersz = sizeof(type) + sizeof(length);
+@@ -2943,6 +2942,8 @@ bgp_attr_parse_ret_t bgp_attr_prefix_sid(struct bgp_attr_parser_args *args)
+                }
+        }
+ 
+       SET_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID));
+
+        return BGP_ATTR_PARSE_PROCEED;
+ }
+ 
+-- 
+2.35.5
+From 752612019f22277c387c5711305891d0b713e6c4 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Wed, 27 Mar 2024 19:08:38 +0200
+Subject: [PATCH 2/2] bgpd: Prevent from one more CVE triggering this place
+If we receive an attribute that is handled by bgp_attr_malformed(), use
+treat-as-withdraw behavior for unknown (or missing to add - if new) attributes.
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+CVE: CVE-2024-31948
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/babb23b74855e23c987a63f8256d24e28c044d07]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ bgpd/bgp_attr.c | 33 ++++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 236def2da..2c4fc70c4 100644
+--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
+@@ -1285,6 +1285,15 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
+                        (args->startp - STREAM_DATA(BGP_INPUT(peer)))
+                                + args->total);
+ 
+       /* Partial optional attributes that are malformed should not cause
+        * the whole session to be reset. Instead treat it as a withdrawal
+        * of the routes, if possible.
+        */
+       if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS) &&
+           CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL) &&
+           CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL))
+               return BGP_ATTR_PARSE_WITHDRAW;
+
+        switch (args->type) {
+        /* where an attribute is relatively inconsequential, e.g. it does not
+         * affect route selection, and can be safely ignored, then any such
+@@ -1318,19 +1327,21 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
+                bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, subcode,
+                                          notify_datap, length);
+                return BGP_ATTR_PARSE_ERROR;
+       default:
+               /* Unknown attributes, that are handled by this function
+                * should be treated as withdraw, to prevent one more CVE
+                * from being introduced.
+                * RFC 7606 says:
+                * The "treat-as-withdraw" approach is generally preferred
+                * and the "session reset" approach is discouraged.
+                */
+               flog_err(EC_BGP_ATTR_FLAG,
+                        "%s(%u) attribute received, while it is not known how to handle it, treating as withdraw",
+                        lookup_msg(attr_str, args->type, NULL), args->type);
+               break;
+        }
+ 
+-       /* Partial optional attributes that are malformed should not cause
+-        * the whole session to be reset. Instead treat it as a withdrawal
+-        * of the routes, if possible.
+-        */
+-       if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS)
+-           && CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL)
+-           && CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL))
+-               return BGP_ATTR_PARSE_WITHDRAW;
+-
+-       /* default to reset */
+-       return BGP_ATTR_PARSE_ERROR_NOTIFYPLS;
+       return BGP_ATTR_PARSE_WITHDRAW;
+ }
+ 
+ /* Find out what is wrong with the path attribute flag bits and log the error.
+-- 
+2.35.5
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch
new file mode 100644
index 0000000000..97e9f59472
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch
@@ -0,0 +1,69 @@
+From fc1c932ba7384d69d76b3afe05eb3940ceeb6114 Mon Sep 17 00:00:00 2001
+From: Olivier Dugeon <olivier.dugeon@orange.com>
+Date: Wed, 3 Apr 2024 16:28:23 +0200
+Subject: [PATCH] ospfd: Solved crash in RI parsing with OSPF TE
+Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
+LSA packets. The crash occurs in ospf_te_parse_ri() function when attemping to
+read Segment Routing subTLVs. The original code doesn't check if the size of
+the SR subTLVs have the correct length. In presence of erronous LSA, this will
+cause a buffer overflow and ospfd crash.
+This patch introduces new verification of the subTLVs size for Router
+Information TLV.
+Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
+CVE: CVE-2024-31950
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ ospfd/ospf_te.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index 4e420edb3..8247c44a3 100644
+--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
+@@ -2492,6 +2492,9 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 
+                switch (ntohs(tlvh->type)) {
+                case RI_SR_TLV_SR_ALGORITHM:
+                       if (TLV_BODY_SIZE(tlvh) < 1 ||
+                           TLV_BODY_SIZE(tlvh) > ALGORITHM_COUNT)
+                               break;
+                        algo = (struct ri_sr_tlv_sr_algorithm *)tlvh;
+ 
+                        for (int i = 0; i < ntohs(algo->header.length); i++) {
+@@ -2516,6 +2519,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+                        break;
+ 
+                case RI_SR_TLV_SRGB_LABEL_RANGE:
+                       if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
+                               break;
+                        range = (struct ri_sr_tlv_sid_label_range *)tlvh;
+                        size = GET_RANGE_SIZE(ntohl(range->size));
+                        lower = GET_LABEL(ntohl(range->lower.value));
+@@ -2533,6 +2538,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+                        break;
+ 
+                case RI_SR_TLV_SRLB_LABEL_RANGE:
+                       if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
+                               break;
+                        range = (struct ri_sr_tlv_sid_label_range *)tlvh;
+                        size = GET_RANGE_SIZE(ntohl(range->size));
+                        lower = GET_LABEL(ntohl(range->lower.value));
+@@ -2550,6 +2557,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+                        break;
+ 
+                case RI_SR_TLV_NODE_MSD:
+                       if (TLV_BODY_SIZE(tlvh) < RI_SR_TLV_NODE_MSD_SIZE)
+                               break;
+                        msd = (struct ri_sr_tlv_node_msd *)tlvh;
+                        if ((CHECK_FLAG(node->flags, LS_NODE_MSD))
+                            && (node->msd == msd->value))
+-- 
+2.35.5
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31951.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31951.patch
new file mode 100644
index 0000000000..966ea7a6d9
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31951.patch
@@ -0,0 +1,111 @@
+From 8dd8c6343b5aa930b7844a0e481267f3e805d906 Mon Sep 17 00:00:00 2001
+From: Olivier Dugeon <olivier.dugeon@orange.com>
+Date: Fri, 5 Apr 2024 12:57:11 +0200
+Subject: [PATCH] ospfd: Correct Opaque LSA Extended parser
+Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
+LSA packets. The crash occurs in ospf_te_parse_ext_link() function when
+attemping to read Segment Routing Adjacency SID subTLVs. The original code
+doesn't check if the size of the Extended Link TLVs and subTLVs have the correct
+length. In presence of erronous LSA, this will cause a buffer overflow and ospfd
+crashes.
+This patch introduces new verification of the subTLVs size for Extended Link
+TLVs and subTLVs. Similar check has been also introduced for the Extended
+Prefix TLV.
+Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
+CVE: CVE-2024-31951
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ ospfd/ospf_te.c | 35 +++++++++++++++++++++++++++++++++--
+ 1 file changed, 33 insertions(+), 2 deletions(-)
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index 8247c44a3..1404506e5 100644
+--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
+@@ -2656,6 +2656,7 @@ static int ospf_te_parse_ext_pref(struct ls_ted *ted, struct ospf_lsa *lsa)
+        struct ext_tlv_prefix *ext;
+        struct ext_subtlv_prefix_sid *pref_sid;
+        uint32_t label;
+       uint16_t len, size;
+ 
+        /* Get corresponding Subnet from Link State Data Base */
+        ext = (struct ext_tlv_prefix *)TLV_HDR_TOP(lsa->data);
+@@ -2677,6 +2678,18 @@ static int ospf_te_parse_ext_pref(struct ls_ted *ted, struct ospf_lsa *lsa)
+        ote_debug("  |- Process Extended Prefix LSA %pI4 for subnet %pFX",
+                  &lsa->data->id, &pref);
+ 
+       /*
+        * Check Extended Prefix TLV size against LSA size
+        * as only one TLV is allowed per LSA
+        */
+       len = TLV_BODY_SIZE(&ext->header);
+       size = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE);
+       if (len != size || len <= 0) {
+               ote_debug("  |- Wrong TLV size: %u instead of %u",
+                         (uint32_t)len, (uint32_t)size);
+               return -1;
+       }
+
+        /* Initialize TLV browsing */
+        ls_pref = subnet->ls_pref;
+        pref_sid = (struct ext_subtlv_prefix_sid *)((char *)(ext) + TLV_HDR_SIZE
+@@ -2791,8 +2804,20 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+        ote_debug("  |- Process Extended Link LSA %pI4 for edge %pI4",
+                  &lsa->data->id, &edge->attributes->standard.local);
+ 
+-       /* Initialize TLV browsing */
+-       len = TLV_BODY_SIZE(&ext->header) - EXT_TLV_LINK_SIZE;
+       /*
+        * Check Extended Link TLV size against LSA size
+        * as only one TLV is allowed per LSA
+        */
+       len = TLV_BODY_SIZE(&ext->header);
+       i = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE);
+       if (len != i || len <= 0) {
+               ote_debug("  |- Wrong TLV size: %u instead of %u",
+                         (uint32_t)len, (uint32_t)i);
+               return -1;
+       }
+
+       /* Initialize subTLVs browsing */
+       len -= EXT_TLV_LINK_SIZE;
+        tlvh = (struct tlv_header *)((char *)(ext) + TLV_HDR_SIZE
+                                     + EXT_TLV_LINK_SIZE);
+        for (; sum < len; tlvh = TLV_HDR_NEXT(tlvh)) {
+@@ -2802,6 +2827,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 
+                switch (ntohs(tlvh->type)) {
+                case EXT_SUBTLV_ADJ_SID:
+                       if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_ADJ_SID_SIZE)
+                               break;
+                        adj = (struct ext_subtlv_adj_sid *)tlvh;
+                        label = CHECK_FLAG(adj->flags,
+                                           EXT_SUBTLV_LINK_ADJ_SID_VFLG)
+@@ -2828,6 +2855,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 
+                        break;
+                case EXT_SUBTLV_LAN_ADJ_SID:
+                       if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_LAN_ADJ_SID_SIZE)
+                               break;
+                        ladj = (struct ext_subtlv_lan_adj_sid *)tlvh;
+                        label = CHECK_FLAG(ladj->flags,
+                                           EXT_SUBTLV_LINK_ADJ_SID_VFLG)
+@@ -2857,6 +2886,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 
+                        break;
+                case EXT_SUBTLV_RMT_ITF_ADDR:
+                       if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_RMT_ITF_ADDR_SIZE)
+                               break;
+                        rmt = (struct ext_subtlv_rmt_itf_addr *)tlvh;
+                        if (CHECK_FLAG(atr->flags, LS_ATTR_NEIGH_ADDR)
+                            && IPV4_ADDR_SAME(&atr->standard.remote,
+-- 
+2.35.5
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch
new file mode 100644
index 0000000000..59f30ed087
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch
@@ -0,0 +1,84 @@
+From 10ff8433557df40c6d7e4361cc468a1192185fdd Mon Sep 17 00:00:00 2001
+From: Olivier Dugeon <olivier.dugeon@orange.com>
+Date: Tue, 16 Apr 2024 16:42:06 +0200
+Subject: [PATCH] ospfd: protect call to get_edge() in ospf_te.c
+During fuzzing, Iggy Frankovic discovered that get_edge() function in ospf_te.c
+could return null pointer, in particular when the link_id or advertised router
+IP addresses are fuzzed. As the null pointer returned by get_edge() function is
+not handlei by calling functions, this could cause ospfd crash.
+This patch introduces new verification of returned pointer by get_edge()
+function and stop the processing in case of null pointer. In addition, link ID
+and advertiser router ID are validated before calling ls_find_edge_by_key() to
+avoid the creation of a new edge with an invalid key.
+CVE-2024-34088
+Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
+CVE: CVE-2024-34088
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/8c177d69e32b91b45bda5fc5da6511fa03dc11ca]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ ospfd/ospf_te.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index 5af006e54..4e420edb3 100644
+--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
+@@ -1686,6 +1686,11 @@ static struct ls_edge *get_edge(struct ls_ted *ted, struct ls_node_id adv,
+        struct ls_edge *edge;
+        struct ls_attributes *attr;
+ 
+       /* Check that Link ID and Node ID are valid */
+       if (IPV4_NET0(link_id.s_addr) || IPV4_NET0(adv.id.ip.addr.s_addr) ||
+           adv.origin != OSPFv2)
+               return NULL;
+
+        /* Search Edge that corresponds to the Link ID */
+        key = ((uint64_t)ntohl(link_id.s_addr)) & 0xffffffff;
+        edge = ls_find_edge_by_key(ted, key);
+@@ -1758,6 +1763,10 @@ static void ospf_te_update_link(struct ls_ted *ted, struct ls_vertex *vertex,
+ 
+        /* Get Corresponding Edge from Link State Data Base */
+        edge = get_edge(ted, vertex->node->adv, link_data);
+       if (!edge) {
+               ote_debug("  |- Found no edge from Link Data. Abort!");
+               return;
+       }
+        attr = edge->attributes;
+ 
+        /* re-attached edge to vertex if needed */
+@@ -2276,11 +2285,11 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
+        }
+ 
+        /* Get corresponding Edge from Link State Data Base */
+-       if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
+-               ote_debug("  |- Found no TE Link local address/ID. Abort!");
+       edge = get_edge(ted, attr.adv, attr.standard.local);
+       if (!edge) {
+               ote_debug("  |- Found no edge from Link local add./ID. Abort!");
+                return -1;
+        }
+-       edge = get_edge(ted, attr.adv, attr.standard.local);
+        old = edge->attributes;
+ 
+        ote_debug("  |- Process Traffic Engineering LSA %pI4 for Edge %pI4",
+@@ -2764,6 +2773,10 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+        lnid.id.ip.area_id = lsa->area->area_id;
+        ext = (struct ext_tlv_link *)TLV_HDR_TOP(lsa->data);
+        edge = get_edge(ted, lnid, ext->link_data);
+       if (!edge) {
+               ote_debug("  |- Found no edge from Extended Link Data. Abort!");
+               return -1;
+       }
+        atr = edge->attributes;
+ 
+        ote_debug("  |- Process Extended Link LSA %pI4 for edge %pI4",
+-- 
+2.35.5
diff --git a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
index 0823a7bf13..facc655e29 100644
--- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
+++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
@@ -28,7 +28,12 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \
           file://CVE-2023-47234.patch \
           file://CVE-2023-47235.patch \
           file://frr.pam \
-           file://CVE-2024-44070.patch\
+           file://CVE-2024-44070.patch \
+           file://CVE-2024-27913.patch \
+           file://CVE-2024-34088.patch \
+           file://CVE-2024-31950.patch \
+           file://CVE-2024-31951.patch \
+           file://CVE-2024-31948.patch \
              "
 SRCREV = "79188bf710e92acf42fb5b9b0a2e9593a5ee9b05"

diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-27913.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-27913.patch new file mode 100644 index 0000000000..401fcf585e --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-27913.patch
@@ -0,0 +1,43 @@
		1	From d2dda70be42402e0d456e1ead4035e196253f77f Mon Sep 17 00:00:00 2001
		2	From: Olivier Dugeon <olivier.dugeon@orange.com>
		3	Date: Mon, 26 Feb 2024 10:40:34 +0100
		4	Subject: [PATCH] ospfd: Solved crash in OSPF TE parsing
		5
		6	Iggy Frankovic discovered an ospfd crash when perfomring fuzzing of OSPF LSA
		7	packets. The crash occurs in ospf_te_parse_te() function when attemping to
		8	create corresponding egde from TE Link parameters. If there is no local
		9	address, an edge is created but without any attributes. During parsing, the
		10	function try to access to this attribute fields which has not been created
		11	causing an ospfd crash.
		12
		13	The patch simply check if the te parser has found a valid local address. If not
		14	found, we stop the parser which avoid the crash.
		15
		16	Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
		17
		18	CVE: CVE-2024-27913
		19	Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/a73e66d07329d721f26f3f336f7735de420b0183]
		20
		21	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		22	---
		23	ospfd/ospf_te.c \| 4 ++++
		24	1 file changed, 4 insertions(+)
		25
		26	diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
		27	index 999bc49d9..5af006e54 100644
		28	--- a/ospfd/ospf_te.c
		29	+++ b/ospfd/ospf_te.c
		30	@@ -2276,6 +2276,10 @@ static int ospf_te_parse_te(struct ls_ted ted, struct ospf_lsa lsa)
		31	}
		32
		33	/* Get corresponding Edge from Link State Data Base */
		34	+ if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
		35	+ ote_debug(" \|- Found no TE Link local address/ID. Abort!");
		36	+ return -1;
		37	+ }
		38	edge = get_edge(ted, attr.adv, attr.standard.local);
		39	old = edge->attributes;
		40
		41	--
		42	2.35.5
		43


diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31948.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31948.patch new file mode 100644 index 0000000000..ef1d4829cf --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31948.patch
@@ -0,0 +1,130 @@
		1	From 2bbcfeb311533ddcebb0d25a9acb4675324ab03f Mon Sep 17 00:00:00 2001
		2	From: Donatas Abraitis <donatas@opensourcerouting.org>
		3	Date: Wed, 27 Mar 2024 18:42:56 +0200
		4	Subject: [PATCH 1/2] bgpd: Fix error handling when receiving BGP Prefix SID
		5	attribute
		6
		7	Without this patch, we always set the BGP Prefix SID attribute flag without
		8	checking if it's malformed or not. RFC8669 says that this attribute MUST be discarded.
		9
		10	Also, this fixes the bgpd crash when a malformed Prefix SID attribute is received,
		11	with malformed transitive flags and/or TLVs.
		12
		13	Reported-by: Iggy Frankovic <iggyfran@amazon.com>
		14	Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
		15
		16	CVE: CVE-2024-31948
		17	Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/ba6a8f1a31e1a88df2de69ea46068e8bd9b97138]
		18
		19	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		20	---
		21	bgpd/bgp_attr.c \| 5 +++--
		22	1 file changed, 3 insertions(+), 2 deletions(-)
		23
		24	diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
		25	index ef45d5c46..236def2da 100644
		26	--- a/bgpd/bgp_attr.c
		27	+++ b/bgpd/bgp_attr.c
		28	@@ -1294,6 +1294,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
		29	case BGP_ATTR_AS4_AGGREGATOR:
		30	case BGP_ATTR_AGGREGATOR:
		31	case BGP_ATTR_ATOMIC_AGGREGATE:
		32	+ case BGP_ATTR_PREFIX_SID:
		33	return BGP_ATTR_PARSE_PROCEED;
		34
		35	/* Core attributes, particularly ones which may influence route
		36	@@ -2892,8 +2893,6 @@ bgp_attr_parse_ret_t bgp_attr_prefix_sid(struct bgp_attr_parser_args *args)
		37	struct attr *const attr = args->attr;
		38	bgp_attr_parse_ret_t ret;
		39
		40	- attr->flag \|= ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID);
		41	-
		42	uint8_t type;
		43	uint16_t length;
		44	size_t headersz = sizeof(type) + sizeof(length);
		45	@@ -2943,6 +2942,8 @@ bgp_attr_parse_ret_t bgp_attr_prefix_sid(struct bgp_attr_parser_args *args)
		46	}
		47	}
		48
		49	+ SET_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID));
		50	+
		51	return BGP_ATTR_PARSE_PROCEED;
		52	}
		53
		54	--
		55	2.35.5
		56
		57	From 752612019f22277c387c5711305891d0b713e6c4 Mon Sep 17 00:00:00 2001
		58	From: Donatas Abraitis <donatas@opensourcerouting.org>
		59	Date: Wed, 27 Mar 2024 19:08:38 +0200
		60	Subject: [PATCH 2/2] bgpd: Prevent from one more CVE triggering this place
		61
		62	If we receive an attribute that is handled by bgp_attr_malformed(), use
		63	treat-as-withdraw behavior for unknown (or missing to add - if new) attributes.
		64
		65	Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
		66
		67	CVE: CVE-2024-31948
		68	Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/babb23b74855e23c987a63f8256d24e28c044d07]
		69
		70	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		71	---
		72	bgpd/bgp_attr.c \| 33 ++++++++++++++++++++++-----------
		73	1 file changed, 22 insertions(+), 11 deletions(-)
		74
		75	diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
		76	index 236def2da..2c4fc70c4 100644
		77	--- a/bgpd/bgp_attr.c
		78	+++ b/bgpd/bgp_attr.c
		79	@@ -1285,6 +1285,15 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
		80	(args->startp - STREAM_DATA(BGP_INPUT(peer)))
		81	+ args->total);
		82
		83	+ /* Partial optional attributes that are malformed should not cause
		84	+ * the whole session to be reset. Instead treat it as a withdrawal
		85	+ * of the routes, if possible.
		86	+ */
		87	+ if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS) &&
		88	+ CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL) &&
		89	+ CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL))
		90	+ return BGP_ATTR_PARSE_WITHDRAW;
		91	+
		92	switch (args->type) {
		93	/* where an attribute is relatively inconsequential, e.g. it does not
		94	* affect route selection, and can be safely ignored, then any such
		95	@@ -1318,19 +1327,21 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
		96	bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, subcode,
		97	notify_datap, length);
		98	return BGP_ATTR_PARSE_ERROR;
		99	+ default:
		100	+ /* Unknown attributes, that are handled by this function
		101	+ * should be treated as withdraw, to prevent one more CVE
		102	+ * from being introduced.
		103	+ * RFC 7606 says:
		104	+ * The "treat-as-withdraw" approach is generally preferred
		105	+ * and the "session reset" approach is discouraged.
		106	+ */
		107	+ flog_err(EC_BGP_ATTR_FLAG,
		108	+ "%s(%u) attribute received, while it is not known how to handle it, treating as withdraw",
		109	+ lookup_msg(attr_str, args->type, NULL), args->type);
		110	+ break;
		111	}
		112
		113	- /* Partial optional attributes that are malformed should not cause
		114	- * the whole session to be reset. Instead treat it as a withdrawal
		115	- * of the routes, if possible.
		116	- */
		117	- if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS)
		118	- && CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL)
		119	- && CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL))
		120	- return BGP_ATTR_PARSE_WITHDRAW;
		121	-
		122	- /* default to reset */
		123	- return BGP_ATTR_PARSE_ERROR_NOTIFYPLS;
		124	+ return BGP_ATTR_PARSE_WITHDRAW;
		125	}
		126
		127	/* Find out what is wrong with the path attribute flag bits and log the error.
		128	--
		129	2.35.5
		130


diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch new file mode 100644 index 0000000000..97e9f59472 --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch
@@ -0,0 +1,69 @@
		1	From fc1c932ba7384d69d76b3afe05eb3940ceeb6114 Mon Sep 17 00:00:00 2001
		2	From: Olivier Dugeon <olivier.dugeon@orange.com>
		3	Date: Wed, 3 Apr 2024 16:28:23 +0200
		4	Subject: [PATCH] ospfd: Solved crash in RI parsing with OSPF TE
		5
		6	Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
		7	LSA packets. The crash occurs in ospf_te_parse_ri() function when attemping to
		8	read Segment Routing subTLVs. The original code doesn't check if the size of
		9	the SR subTLVs have the correct length. In presence of erronous LSA, this will
		10	cause a buffer overflow and ospfd crash.
		11
		12	This patch introduces new verification of the subTLVs size for Router
		13	Information TLV.
		14
		15	Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
		16	Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
		17
		18	CVE: CVE-2024-31950
		19	Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4]
		20
		21	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		22	---
		23	ospfd/ospf_te.c \| 9 +++++++++
		24	1 file changed, 9 insertions(+)
		25
		26	diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
		27	index 4e420edb3..8247c44a3 100644
		28	--- a/ospfd/ospf_te.c
		29	+++ b/ospfd/ospf_te.c
		30	@@ -2492,6 +2492,9 @@ static int ospf_te_parse_ri(struct ls_ted ted, struct ospf_lsa lsa)
		31
		32	switch (ntohs(tlvh->type)) {
		33	case RI_SR_TLV_SR_ALGORITHM:
		34	+ if (TLV_BODY_SIZE(tlvh) < 1 \|\|
		35	+ TLV_BODY_SIZE(tlvh) > ALGORITHM_COUNT)
		36	+ break;
		37	algo = (struct ri_sr_tlv_sr_algorithm *)tlvh;
		38
		39	for (int i = 0; i < ntohs(algo->header.length); i++) {
		40	@@ -2516,6 +2519,8 @@ static int ospf_te_parse_ri(struct ls_ted ted, struct ospf_lsa lsa)
		41	break;
		42
		43	case RI_SR_TLV_SRGB_LABEL_RANGE:
		44	+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
		45	+ break;
		46	range = (struct ri_sr_tlv_sid_label_range *)tlvh;
		47	size = GET_RANGE_SIZE(ntohl(range->size));
		48	lower = GET_LABEL(ntohl(range->lower.value));
		49	@@ -2533,6 +2538,8 @@ static int ospf_te_parse_ri(struct ls_ted ted, struct ospf_lsa lsa)
		50	break;
		51
		52	case RI_SR_TLV_SRLB_LABEL_RANGE:
		53	+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
		54	+ break;
		55	range = (struct ri_sr_tlv_sid_label_range *)tlvh;
		56	size = GET_RANGE_SIZE(ntohl(range->size));
		57	lower = GET_LABEL(ntohl(range->lower.value));
		58	@@ -2550,6 +2557,8 @@ static int ospf_te_parse_ri(struct ls_ted ted, struct ospf_lsa lsa)
		59	break;
		60
		61	case RI_SR_TLV_NODE_MSD:
		62	+ if (TLV_BODY_SIZE(tlvh) < RI_SR_TLV_NODE_MSD_SIZE)
		63	+ break;
		64	msd = (struct ri_sr_tlv_node_msd *)tlvh;
		65	if ((CHECK_FLAG(node->flags, LS_NODE_MSD))
		66	&& (node->msd == msd->value))
		67	--
		68	2.35.5
		69


diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31951.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31951.patch new file mode 100644 index 0000000000..966ea7a6d9 --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31951.patch
@@ -0,0 +1,111 @@
		1	From 8dd8c6343b5aa930b7844a0e481267f3e805d906 Mon Sep 17 00:00:00 2001
		2	From: Olivier Dugeon <olivier.dugeon@orange.com>
		3	Date: Fri, 5 Apr 2024 12:57:11 +0200
		4	Subject: [PATCH] ospfd: Correct Opaque LSA Extended parser
		5
		6	Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
		7	LSA packets. The crash occurs in ospf_te_parse_ext_link() function when
		8	attemping to read Segment Routing Adjacency SID subTLVs. The original code
		9	doesn't check if the size of the Extended Link TLVs and subTLVs have the correct
		10	length. In presence of erronous LSA, this will cause a buffer overflow and ospfd
		11	crashes.
		12
		13	This patch introduces new verification of the subTLVs size for Extended Link
		14	TLVs and subTLVs. Similar check has been also introduced for the Extended
		15	Prefix TLV.
		16
		17	Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
		18	Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
		19
		20	CVE: CVE-2024-31951
		21	Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a]
		22
		23	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		24	---
		25	ospfd/ospf_te.c \| 35 +++++++++++++++++++++++++++++++++--
		26	1 file changed, 33 insertions(+), 2 deletions(-)
		27
		28	diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
		29	index 8247c44a3..1404506e5 100644
		30	--- a/ospfd/ospf_te.c
		31	+++ b/ospfd/ospf_te.c
		32	@@ -2656,6 +2656,7 @@ static int ospf_te_parse_ext_pref(struct ls_ted ted, struct ospf_lsa lsa)
		33	struct ext_tlv_prefix *ext;
		34	struct ext_subtlv_prefix_sid *pref_sid;
		35	uint32_t label;
		36	+ uint16_t len, size;
		37
		38	/* Get corresponding Subnet from Link State Data Base */
		39	ext = (struct ext_tlv_prefix *)TLV_HDR_TOP(lsa->data);
		40	@@ -2677,6 +2678,18 @@ static int ospf_te_parse_ext_pref(struct ls_ted ted, struct ospf_lsa lsa)
		41	ote_debug(" \|- Process Extended Prefix LSA %pI4 for subnet %pFX",
		42	&lsa->data->id, &pref);
		43
		44	+ /*
		45	+ * Check Extended Prefix TLV size against LSA size
		46	+ * as only one TLV is allowed per LSA
		47	+ */
		48	+ len = TLV_BODY_SIZE(&ext->header);
		49	+ size = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE);
		50	+ if (len != size \|\| len <= 0) {
		51	+ ote_debug(" \|- Wrong TLV size: %u instead of %u",
		52	+ (uint32_t)len, (uint32_t)size);
		53	+ return -1;
		54	+ }
		55	+
		56	/* Initialize TLV browsing */
		57	ls_pref = subnet->ls_pref;
		58	pref_sid = (struct ext_subtlv_prefix_sid )((char )(ext) + TLV_HDR_SIZE
		59	@@ -2791,8 +2804,20 @@ static int ospf_te_parse_ext_link(struct ls_ted ted, struct ospf_lsa lsa)
		60	ote_debug(" \|- Process Extended Link LSA %pI4 for edge %pI4",
		61	&lsa->data->id, &edge->attributes->standard.local);
		62
		63	- /* Initialize TLV browsing */
		64	- len = TLV_BODY_SIZE(&ext->header) - EXT_TLV_LINK_SIZE;
		65	+ /*
		66	+ * Check Extended Link TLV size against LSA size
		67	+ * as only one TLV is allowed per LSA
		68	+ */
		69	+ len = TLV_BODY_SIZE(&ext->header);
		70	+ i = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE);
		71	+ if (len != i \|\| len <= 0) {
		72	+ ote_debug(" \|- Wrong TLV size: %u instead of %u",
		73	+ (uint32_t)len, (uint32_t)i);
		74	+ return -1;
		75	+ }
		76	+
		77	+ /* Initialize subTLVs browsing */
		78	+ len -= EXT_TLV_LINK_SIZE;
		79	tlvh = (struct tlv_header )((char )(ext) + TLV_HDR_SIZE
		80	+ EXT_TLV_LINK_SIZE);
		81	for (; sum < len; tlvh = TLV_HDR_NEXT(tlvh)) {
		82	@@ -2802,6 +2827,8 @@ static int ospf_te_parse_ext_link(struct ls_ted ted, struct ospf_lsa lsa)
		83
		84	switch (ntohs(tlvh->type)) {
		85	case EXT_SUBTLV_ADJ_SID:
		86	+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_ADJ_SID_SIZE)
		87	+ break;
		88	adj = (struct ext_subtlv_adj_sid *)tlvh;
		89	label = CHECK_FLAG(adj->flags,
		90	EXT_SUBTLV_LINK_ADJ_SID_VFLG)
		91	@@ -2828,6 +2855,8 @@ static int ospf_te_parse_ext_link(struct ls_ted ted, struct ospf_lsa lsa)
		92
		93	break;
		94	case EXT_SUBTLV_LAN_ADJ_SID:
		95	+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_LAN_ADJ_SID_SIZE)
		96	+ break;
		97	ladj = (struct ext_subtlv_lan_adj_sid *)tlvh;
		98	label = CHECK_FLAG(ladj->flags,
		99	EXT_SUBTLV_LINK_ADJ_SID_VFLG)
		100	@@ -2857,6 +2886,8 @@ static int ospf_te_parse_ext_link(struct ls_ted ted, struct ospf_lsa lsa)
		101
		102	break;
		103	case EXT_SUBTLV_RMT_ITF_ADDR:
		104	+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_RMT_ITF_ADDR_SIZE)
		105	+ break;
		106	rmt = (struct ext_subtlv_rmt_itf_addr *)tlvh;
		107	if (CHECK_FLAG(atr->flags, LS_ATTR_NEIGH_ADDR)
		108	&& IPV4_ADDR_SAME(&atr->standard.remote,
		109	--
		110	2.35.5
		111


diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch new file mode 100644 index 0000000000..59f30ed087 --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch
@@ -0,0 +1,84 @@
		1	From 10ff8433557df40c6d7e4361cc468a1192185fdd Mon Sep 17 00:00:00 2001
		2	From: Olivier Dugeon <olivier.dugeon@orange.com>
		3	Date: Tue, 16 Apr 2024 16:42:06 +0200
		4	Subject: [PATCH] ospfd: protect call to get_edge() in ospf_te.c
		5
		6	During fuzzing, Iggy Frankovic discovered that get_edge() function in ospf_te.c
		7	could return null pointer, in particular when the link_id or advertised router
		8	IP addresses are fuzzed. As the null pointer returned by get_edge() function is
		9	not handlei by calling functions, this could cause ospfd crash.
		10
		11	This patch introduces new verification of returned pointer by get_edge()
		12	function and stop the processing in case of null pointer. In addition, link ID
		13	and advertiser router ID are validated before calling ls_find_edge_by_key() to
		14	avoid the creation of a new edge with an invalid key.
		15
		16	CVE-2024-34088
		17
		18	Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
		19	Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
		20
		21	CVE: CVE-2024-34088
		22	Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/8c177d69e32b91b45bda5fc5da6511fa03dc11ca]
		23
		24	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		25	---
		26	ospfd/ospf_te.c \| 19 ++++++++++++++++---
		27	1 file changed, 16 insertions(+), 3 deletions(-)
		28
		29	diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
		30	index 5af006e54..4e420edb3 100644
		31	--- a/ospfd/ospf_te.c
		32	+++ b/ospfd/ospf_te.c
		33	@@ -1686,6 +1686,11 @@ static struct ls_edge get_edge(struct ls_ted ted, struct ls_node_id adv,
		34	struct ls_edge *edge;
		35	struct ls_attributes *attr;
		36
		37	+ /* Check that Link ID and Node ID are valid */
		38	+ if (IPV4_NET0(link_id.s_addr) \|\| IPV4_NET0(adv.id.ip.addr.s_addr) \|\|
		39	+ adv.origin != OSPFv2)
		40	+ return NULL;
		41	+
		42	/* Search Edge that corresponds to the Link ID */
		43	key = ((uint64_t)ntohl(link_id.s_addr)) & 0xffffffff;
		44	edge = ls_find_edge_by_key(ted, key);
		45	@@ -1758,6 +1763,10 @@ static void ospf_te_update_link(struct ls_ted ted, struct ls_vertex vertex,
		46
		47	/* Get Corresponding Edge from Link State Data Base */
		48	edge = get_edge(ted, vertex->node->adv, link_data);
		49	+ if (!edge) {
		50	+ ote_debug(" \|- Found no edge from Link Data. Abort!");
		51	+ return;
		52	+ }
		53	attr = edge->attributes;
		54
		55	/* re-attached edge to vertex if needed */
		56	@@ -2276,11 +2285,11 @@ static int ospf_te_parse_te(struct ls_ted ted, struct ospf_lsa lsa)
		57	}
		58
		59	/* Get corresponding Edge from Link State Data Base */
		60	- if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
		61	- ote_debug(" \|- Found no TE Link local address/ID. Abort!");
		62	+ edge = get_edge(ted, attr.adv, attr.standard.local);
		63	+ if (!edge) {
		64	+ ote_debug(" \|- Found no edge from Link local add./ID. Abort!");
		65	return -1;
		66	}
		67	- edge = get_edge(ted, attr.adv, attr.standard.local);
		68	old = edge->attributes;
		69
		70	ote_debug(" \|- Process Traffic Engineering LSA %pI4 for Edge %pI4",
		71	@@ -2764,6 +2773,10 @@ static int ospf_te_parse_ext_link(struct ls_ted ted, struct ospf_lsa lsa)
		72	lnid.id.ip.area_id = lsa->area->area_id;
		73	ext = (struct ext_tlv_link *)TLV_HDR_TOP(lsa->data);
		74	edge = get_edge(ted, lnid, ext->link_data);
		75	+ if (!edge) {
		76	+ ote_debug(" \|- Found no edge from Extended Link Data. Abort!");
		77	+ return -1;
		78	+ }
		79	atr = edge->attributes;
		80
		81	ote_debug(" \|- Process Extended Link LSA %pI4 for edge %pI4",
		82	--
		83	2.35.5
		84


diff --git a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb index 0823a7bf13..facc655e29 100644 --- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb +++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
@@ -28,7 +28,12 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \
28	file://CVE-2023-47234.patch \	28	file://CVE-2023-47234.patch \
29	file://CVE-2023-47235.patch \	29	file://CVE-2023-47235.patch \
30	file://frr.pam \	30	file://frr.pam \
31	file://CVE-2024-44070.patch\	31	file://CVE-2024-44070.patch \
		32	file://CVE-2024-27913.patch \
		33	file://CVE-2024-34088.patch \
		34	file://CVE-2024-31950.patch \
		35	file://CVE-2024-31951.patch \
		36	file://CVE-2024-31948.patch \
32	"	37	"
33		38
34	SRCREV = "79188bf710e92acf42fb5b9b0a2e9593a5ee9b05"	39	SRCREV = "79188bf710e92acf42fb5b9b0a2e9593a5ee9b05"