frr: fix CVE-2024-31951

CVE-2024-31951: In the Opaque LSA Extended Link parser in FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ext_link for OSPF LSA packets during an attempt to read Segment Routing Adjacency SID subTLVs (lengths are not validated). Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-31951] Upstream patches: [https://github.com/FRRouting/frr/commit/5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Zhang Peng <peng.zhang1.cn@windriver.com> 2024-11-26 16:11:14 +0800
committer: Armin Kuster <akuster808@gmail.com> 2024-12-15 13:57:33 -0500
commit: 483946a97bf49752538675ed56a8acd864c6a12b (patch)
tree: 1629f059019d3ab086b27c8ac380d8146139fb71
parent: 327470f0009cf193ab2ecfa69a866bdefc21fbb1 (diff)
download: meta-openembedded-483946a97bf49752538675ed56a8acd864c6a12b.tar.gz
2 files changed, 111 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31951.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31951.patch
new file mode 100644
index 0000000000..7f19b0312a
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31951.patch
@@ -0,0 +1,110 @@
+From 5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a Mon Sep 17 00:00:00 2001
+From: Olivier Dugeon <olivier.dugeon@orange.com>
+Date: Fri, 5 Apr 2024 12:57:11 +0200
+Subject: [PATCH] ospfd: Correct Opaque LSA Extended parser
+Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
+LSA packets. The crash occurs in ospf_te_parse_ext_link() function when
+attemping to read Segment Routing Adjacency SID subTLVs. The original code
+doesn't check if the size of the Extended Link TLVs and subTLVs have the correct
+length. In presence of erronous LSA, this will cause a buffer overflow and ospfd
+crashes.
+This patch introduces new verification of the subTLVs size for Extended Link
+TLVs and subTLVs. Similar check has been also introduced for the Extended
+Prefix TLV.
+Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
+CVE: CVE-2024-31951
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ ospfd/ospf_te.c | 35 +++++++++++++++++++++++++++++++++--
+ 1 file changed, 33 insertions(+), 2 deletions(-)
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index 091669d8ed36..e68f9444f512 100644
+--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
+@@ -2620,6 +2620,7 @@ static int ospf_te_parse_ext_pref(struct ls_ted *ted, struct ospf_lsa *lsa)
+        struct ext_tlv_prefix *ext;
+        struct ext_subtlv_prefix_sid *pref_sid;
+        uint32_t label;
+       uint16_t len, size;
+ 
+        /* Get corresponding Subnet from Link State Data Base */
+        ext = (struct ext_tlv_prefix *)TLV_HDR_TOP(lsa->data);
+@@ -2641,6 +2642,18 @@ static int ospf_te_parse_ext_pref(struct ls_ted *ted, struct ospf_lsa *lsa)
+        ote_debug("  |- Process Extended Prefix LSA %pI4 for subnet %pFX",
+                  &lsa->data->id, &pref);
+ 
+       /*
+        * Check Extended Prefix TLV size against LSA size
+        * as only one TLV is allowed per LSA
+        */
+       len = TLV_BODY_SIZE(&ext->header);
+       size = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE);
+       if (len != size || len <= 0) {
+               ote_debug("  |- Wrong TLV size: %u instead of %u",
+                         (uint32_t)len, (uint32_t)size);
+               return -1;
+       }
+
+        /* Initialize TLV browsing */
+        ls_pref = subnet->ls_pref;
+        pref_sid = (struct ext_subtlv_prefix_sid *)((char *)(ext) + TLV_HDR_SIZE
+@@ -2751,8 +2764,20 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+        ote_debug("  |- Process Extended Link LSA %pI4 for edge %pI4",
+                  &lsa->data->id, &edge->attributes->standard.local);
+ 
+-       /* Initialize TLV browsing */
+-       len = TLV_BODY_SIZE(&ext->header) - EXT_TLV_LINK_SIZE;
+       /*
+        * Check Extended Link TLV size against LSA size
+        * as only one TLV is allowed per LSA
+        */
+       len = TLV_BODY_SIZE(&ext->header);
+       i = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE);
+       if (len != i || len <= 0) {
+               ote_debug("  |- Wrong TLV size: %u instead of %u",
+                         (uint32_t)len, (uint32_t)i);
+               return -1;
+       }
+
+       /* Initialize subTLVs browsing */
+       len -= EXT_TLV_LINK_SIZE;
+        tlvh = (struct tlv_header *)((char *)(ext) + TLV_HDR_SIZE
+                                     + EXT_TLV_LINK_SIZE);
+        for (; sum < len; tlvh = TLV_HDR_NEXT(tlvh)) {
+@@ -2762,6 +2787,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 
+                switch (ntohs(tlvh->type)) {
+                case EXT_SUBTLV_ADJ_SID:
+                       if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_ADJ_SID_SIZE)
+                               break;
+                        adj = (struct ext_subtlv_adj_sid *)tlvh;
+                        label = CHECK_FLAG(adj->flags,
+                                           EXT_SUBTLV_LINK_ADJ_SID_VFLG)
+@@ -2788,6 +2815,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 
+                        break;
+                case EXT_SUBTLV_LAN_ADJ_SID:
+                       if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_LAN_ADJ_SID_SIZE)
+                               break;
+                        ladj = (struct ext_subtlv_lan_adj_sid *)tlvh;
+                        label = CHECK_FLAG(ladj->flags,
+                                           EXT_SUBTLV_LINK_ADJ_SID_VFLG)
+@@ -2817,6 +2846,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 
+                        break;
+                case EXT_SUBTLV_RMT_ITF_ADDR:
+                       if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_RMT_ITF_ADDR_SIZE)
+                               break;
+                        rmt = (struct ext_subtlv_rmt_itf_addr *)tlvh;
+                        if (CHECK_FLAG(atr->flags, LS_ATTR_NEIGH_ADDR)
+                            && IPV4_ADDR_SAME(&atr->standard.remote,
+--
+2.34.1
+\ No newline at end of file
diff --git a/meta-networking/recipes-protocols/frr/frr_9.1.bb b/meta-networking/recipes-protocols/frr/frr_9.1.bb
index 305ef8f1b8..807e4ef8ef 100644
--- a/meta-networking/recipes-protocols/frr/frr_9.1.bb
+++ b/meta-networking/recipes-protocols/frr/frr_9.1.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \
           file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \
           file://CVE-2024-34088.patch \
           file://CVE-2024-31950.patch \
+           file://CVE-2024-31951.patch \
           "
 SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"
author	Zhang Peng <peng.zhang1.cn@windriver.com>	2024-11-26 16:11:14 +0800
committer	Armin Kuster <akuster808@gmail.com>	2024-12-15 13:57:33 -0500
commit	483946a97bf49752538675ed56a8acd864c6a12b (patch)
tree	1629f059019d3ab086b27c8ac380d8146139fb71
parent	327470f0009cf193ab2ecfa69a866bdefc21fbb1 (diff)
download	meta-openembedded-483946a97bf49752538675ed56a8acd864c6a12b.tar.gz

diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31951.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31951.patch new file mode 100644 index 0000000000..7f19b0312a --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31951.patch
@@ -0,0 +1,110 @@
		1	From 5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a Mon Sep 17 00:00:00 2001
		2	From: Olivier Dugeon <olivier.dugeon@orange.com>
		3	Date: Fri, 5 Apr 2024 12:57:11 +0200
		4	Subject: [PATCH] ospfd: Correct Opaque LSA Extended parser
		5
		6	Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
		7	LSA packets. The crash occurs in ospf_te_parse_ext_link() function when
		8	attemping to read Segment Routing Adjacency SID subTLVs. The original code
		9	doesn't check if the size of the Extended Link TLVs and subTLVs have the correct
		10	length. In presence of erronous LSA, this will cause a buffer overflow and ospfd
		11	crashes.
		12
		13	This patch introduces new verification of the subTLVs size for Extended Link
		14	TLVs and subTLVs. Similar check has been also introduced for the Extended
		15	Prefix TLV.
		16
		17	Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
		18	Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
		19
		20	CVE: CVE-2024-31951
		21	Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a]
		22
		23	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		24	---
		25	ospfd/ospf_te.c \| 35 +++++++++++++++++++++++++++++++++--
		26	1 file changed, 33 insertions(+), 2 deletions(-)
		27
		28	diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
		29	index 091669d8ed36..e68f9444f512 100644
		30	--- a/ospfd/ospf_te.c
		31	+++ b/ospfd/ospf_te.c
		32	@@ -2620,6 +2620,7 @@ static int ospf_te_parse_ext_pref(struct ls_ted ted, struct ospf_lsa lsa)
		33	struct ext_tlv_prefix *ext;
		34	struct ext_subtlv_prefix_sid *pref_sid;
		35	uint32_t label;
		36	+ uint16_t len, size;
		37
		38	/* Get corresponding Subnet from Link State Data Base */
		39	ext = (struct ext_tlv_prefix *)TLV_HDR_TOP(lsa->data);
		40	@@ -2641,6 +2642,18 @@ static int ospf_te_parse_ext_pref(struct ls_ted ted, struct ospf_lsa lsa)
		41	ote_debug(" \|- Process Extended Prefix LSA %pI4 for subnet %pFX",
		42	&lsa->data->id, &pref);
		43
		44	+ /*
		45	+ * Check Extended Prefix TLV size against LSA size
		46	+ * as only one TLV is allowed per LSA
		47	+ */
		48	+ len = TLV_BODY_SIZE(&ext->header);
		49	+ size = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE);
		50	+ if (len != size \|\| len <= 0) {
		51	+ ote_debug(" \|- Wrong TLV size: %u instead of %u",
		52	+ (uint32_t)len, (uint32_t)size);
		53	+ return -1;
		54	+ }
		55	+
		56	/* Initialize TLV browsing */
		57	ls_pref = subnet->ls_pref;
		58	pref_sid = (struct ext_subtlv_prefix_sid )((char )(ext) + TLV_HDR_SIZE
		59	@@ -2751,8 +2764,20 @@ static int ospf_te_parse_ext_link(struct ls_ted ted, struct ospf_lsa lsa)
		60	ote_debug(" \|- Process Extended Link LSA %pI4 for edge %pI4",
		61	&lsa->data->id, &edge->attributes->standard.local);
		62
		63	- /* Initialize TLV browsing */
		64	- len = TLV_BODY_SIZE(&ext->header) - EXT_TLV_LINK_SIZE;
		65	+ /*
		66	+ * Check Extended Link TLV size against LSA size
		67	+ * as only one TLV is allowed per LSA
		68	+ */
		69	+ len = TLV_BODY_SIZE(&ext->header);
		70	+ i = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE);
		71	+ if (len != i \|\| len <= 0) {
		72	+ ote_debug(" \|- Wrong TLV size: %u instead of %u",
		73	+ (uint32_t)len, (uint32_t)i);
		74	+ return -1;
		75	+ }
		76	+
		77	+ /* Initialize subTLVs browsing */
		78	+ len -= EXT_TLV_LINK_SIZE;
		79	tlvh = (struct tlv_header )((char )(ext) + TLV_HDR_SIZE
		80	+ EXT_TLV_LINK_SIZE);
		81	for (; sum < len; tlvh = TLV_HDR_NEXT(tlvh)) {
		82	@@ -2762,6 +2787,8 @@ static int ospf_te_parse_ext_link(struct ls_ted ted, struct ospf_lsa lsa)
		83
		84	switch (ntohs(tlvh->type)) {
		85	case EXT_SUBTLV_ADJ_SID:
		86	+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_ADJ_SID_SIZE)
		87	+ break;
		88	adj = (struct ext_subtlv_adj_sid *)tlvh;
		89	label = CHECK_FLAG(adj->flags,
		90	EXT_SUBTLV_LINK_ADJ_SID_VFLG)
		91	@@ -2788,6 +2815,8 @@ static int ospf_te_parse_ext_link(struct ls_ted ted, struct ospf_lsa lsa)
		92
		93	break;
		94	case EXT_SUBTLV_LAN_ADJ_SID:
		95	+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_LAN_ADJ_SID_SIZE)
		96	+ break;
		97	ladj = (struct ext_subtlv_lan_adj_sid *)tlvh;
		98	label = CHECK_FLAG(ladj->flags,
		99	EXT_SUBTLV_LINK_ADJ_SID_VFLG)
		100	@@ -2817,6 +2846,8 @@ static int ospf_te_parse_ext_link(struct ls_ted ted, struct ospf_lsa lsa)
		101
		102	break;
		103	case EXT_SUBTLV_RMT_ITF_ADDR:
		104	+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_RMT_ITF_ADDR_SIZE)
		105	+ break;
		106	rmt = (struct ext_subtlv_rmt_itf_addr *)tlvh;
		107	if (CHECK_FLAG(atr->flags, LS_ATTR_NEIGH_ADDR)
		108	&& IPV4_ADDR_SAME(&atr->standard.remote,
		109	--
		110	2.34.1 \ No newline at end of file


diff --git a/meta-networking/recipes-protocols/frr/frr_9.1.bb b/meta-networking/recipes-protocols/frr/frr_9.1.bb index 305ef8f1b8..807e4ef8ef 100644 --- a/meta-networking/recipes-protocols/frr/frr_9.1.bb +++ b/meta-networking/recipes-protocols/frr/frr_9.1.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \
15	file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \	15	file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \
16	file://CVE-2024-34088.patch \	16	file://CVE-2024-34088.patch \
17	file://CVE-2024-31950.patch \	17	file://CVE-2024-31950.patch \
		18	file://CVE-2024-31951.patch \
18	"	19	"
19		20
20	SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"	21	SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"