frr: fix CVE-2024-31950

CVE-2024-31950: In FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ri for OSPF LSA packets during an attempt to read Segment Routing subTLVs (their size is not validated). Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-31950] Upstream patches: [https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Zhang Peng <peng.zhang1.cn@windriver.com> 2024-11-26 16:11:13 +0800
committer: Armin Kuster <akuster808@gmail.com> 2024-12-15 13:57:29 -0500
commit: 327470f0009cf193ab2ecfa69a866bdefc21fbb1 (patch)
tree: 2da42dc28a14264f535ac1ee25c2825d976f4178
parent: 9c352814e40a548723c73104412cc143d5fff8e5 (diff)
download: meta-openembedded-327470f0009cf193ab2ecfa69a866bdefc21fbb1.tar.gz
2 files changed, 69 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch
new file mode 100644
index 0000000000..c579ec283e
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch
@@ -0,0 +1,68 @@
+From f69d1313b19047d3d83fc2b36a518355b861dfc4 Mon Sep 17 00:00:00 2001
+From: Olivier Dugeon <olivier.dugeon@orange.com>
+Date: Wed, 3 Apr 2024 16:28:23 +0200
+Subject: [PATCH] ospfd: Solved crash in RI parsing with OSPF TE
+Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
+LSA packets. The crash occurs in ospf_te_parse_ri() function when attemping to
+read Segment Routing subTLVs. The original code doesn't check if the size of
+the SR subTLVs have the correct length. In presence of erronous LSA, this will
+cause a buffer overflow and ospfd crash.
+This patch introduces new verification of the subTLVs size for Router
+Information TLV.
+Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
+CVE: CVE-2024-31950
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ ospfd/ospf_te.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index 359dc1f5d4b8..091669d8ed36 100644
+--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
+@@ -2456,6 +2456,9 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 
+                switch (ntohs(tlvh->type)) {
+                case RI_SR_TLV_SR_ALGORITHM:
+                       if (TLV_BODY_SIZE(tlvh) < 1 ||
+                           TLV_BODY_SIZE(tlvh) > ALGORITHM_COUNT)
+                               break;
+                        algo = (struct ri_sr_tlv_sr_algorithm *)tlvh;
+ 
+                        for (int i = 0; i < ntohs(algo->header.length); i++) {
+@@ -2480,6 +2483,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+                        break;
+ 
+                case RI_SR_TLV_SRGB_LABEL_RANGE:
+                       if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
+                               break;
+                        range = (struct ri_sr_tlv_sid_label_range *)tlvh;
+                        size = GET_RANGE_SIZE(ntohl(range->size));
+                        lower = GET_LABEL(ntohl(range->lower.value));
+@@ -2497,6 +2502,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+                        break;
+ 
+                case RI_SR_TLV_SRLB_LABEL_RANGE:
+                       if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
+                               break;
+                        range = (struct ri_sr_tlv_sid_label_range *)tlvh;
+                        size = GET_RANGE_SIZE(ntohl(range->size));
+                        lower = GET_LABEL(ntohl(range->lower.value));
+@@ -2514,6 +2521,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+                        break;
+ 
+                case RI_SR_TLV_NODE_MSD:
+                       if (TLV_BODY_SIZE(tlvh) < RI_SR_TLV_NODE_MSD_SIZE)
+                               break;
+                        msd = (struct ri_sr_tlv_node_msd *)tlvh;
+                        if ((CHECK_FLAG(node->flags, LS_NODE_MSD))
+                            && (node->msd == msd->value))
+--
+2.34.1
+\ No newline at end of file
diff --git a/meta-networking/recipes-protocols/frr/frr_9.1.bb b/meta-networking/recipes-protocols/frr/frr_9.1.bb
index a172a4c6d3..305ef8f1b8 100644
--- a/meta-networking/recipes-protocols/frr/frr_9.1.bb
+++ b/meta-networking/recipes-protocols/frr/frr_9.1.bb
@@ -14,6 +14,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \
           file://frr.pam \
           file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \
           file://CVE-2024-34088.patch \
+           file://CVE-2024-31950.patch \
           "
 SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"
author	Zhang Peng <peng.zhang1.cn@windriver.com>	2024-11-26 16:11:13 +0800
committer	Armin Kuster <akuster808@gmail.com>	2024-12-15 13:57:29 -0500
commit	327470f0009cf193ab2ecfa69a866bdefc21fbb1 (patch)
tree	2da42dc28a14264f535ac1ee25c2825d976f4178
parent	9c352814e40a548723c73104412cc143d5fff8e5 (diff)
download	meta-openembedded-327470f0009cf193ab2ecfa69a866bdefc21fbb1.tar.gz

diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch new file mode 100644 index 0000000000..c579ec283e --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch
@@ -0,0 +1,68 @@
		1	From f69d1313b19047d3d83fc2b36a518355b861dfc4 Mon Sep 17 00:00:00 2001
		2	From: Olivier Dugeon <olivier.dugeon@orange.com>
		3	Date: Wed, 3 Apr 2024 16:28:23 +0200
		4	Subject: [PATCH] ospfd: Solved crash in RI parsing with OSPF TE
		5
		6	Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
		7	LSA packets. The crash occurs in ospf_te_parse_ri() function when attemping to
		8	read Segment Routing subTLVs. The original code doesn't check if the size of
		9	the SR subTLVs have the correct length. In presence of erronous LSA, this will
		10	cause a buffer overflow and ospfd crash.
		11
		12	This patch introduces new verification of the subTLVs size for Router
		13	Information TLV.
		14
		15	Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
		16	Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
		17
		18	CVE: CVE-2024-31950
		19	Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4]
		20
		21	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		22	---
		23	ospfd/ospf_te.c \| 9 +++++++++
		24	1 file changed, 9 insertions(+)
		25
		26	diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
		27	index 359dc1f5d4b8..091669d8ed36 100644
		28	--- a/ospfd/ospf_te.c
		29	+++ b/ospfd/ospf_te.c
		30	@@ -2456,6 +2456,9 @@ static int ospf_te_parse_ri(struct ls_ted ted, struct ospf_lsa lsa)
		31
		32	switch (ntohs(tlvh->type)) {
		33	case RI_SR_TLV_SR_ALGORITHM:
		34	+ if (TLV_BODY_SIZE(tlvh) < 1 \|\|
		35	+ TLV_BODY_SIZE(tlvh) > ALGORITHM_COUNT)
		36	+ break;
		37	algo = (struct ri_sr_tlv_sr_algorithm *)tlvh;
		38
		39	for (int i = 0; i < ntohs(algo->header.length); i++) {
		40	@@ -2480,6 +2483,8 @@ static int ospf_te_parse_ri(struct ls_ted ted, struct ospf_lsa lsa)
		41	break;
		42
		43	case RI_SR_TLV_SRGB_LABEL_RANGE:
		44	+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
		45	+ break;
		46	range = (struct ri_sr_tlv_sid_label_range *)tlvh;
		47	size = GET_RANGE_SIZE(ntohl(range->size));
		48	lower = GET_LABEL(ntohl(range->lower.value));
		49	@@ -2497,6 +2502,8 @@ static int ospf_te_parse_ri(struct ls_ted ted, struct ospf_lsa lsa)
		50	break;
		51
		52	case RI_SR_TLV_SRLB_LABEL_RANGE:
		53	+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
		54	+ break;
		55	range = (struct ri_sr_tlv_sid_label_range *)tlvh;
		56	size = GET_RANGE_SIZE(ntohl(range->size));
		57	lower = GET_LABEL(ntohl(range->lower.value));
		58	@@ -2514,6 +2521,8 @@ static int ospf_te_parse_ri(struct ls_ted ted, struct ospf_lsa lsa)
		59	break;
		60
		61	case RI_SR_TLV_NODE_MSD:
		62	+ if (TLV_BODY_SIZE(tlvh) < RI_SR_TLV_NODE_MSD_SIZE)
		63	+ break;
		64	msd = (struct ri_sr_tlv_node_msd *)tlvh;
		65	if ((CHECK_FLAG(node->flags, LS_NODE_MSD))
		66	&& (node->msd == msd->value))
		67	--
		68	2.34.1 \ No newline at end of file


diff --git a/meta-networking/recipes-protocols/frr/frr_9.1.bb b/meta-networking/recipes-protocols/frr/frr_9.1.bb index a172a4c6d3..305ef8f1b8 100644 --- a/meta-networking/recipes-protocols/frr/frr_9.1.bb +++ b/meta-networking/recipes-protocols/frr/frr_9.1.bb
@@ -14,6 +14,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \
14	file://frr.pam \	14	file://frr.pam \
15	file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \	15	file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \
16	file://CVE-2024-34088.patch \	16	file://CVE-2024-34088.patch \
		17	file://CVE-2024-31950.patch \
17	"	18	"
18		19
19	SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"	20	SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"