frr: fix CVE-2024-34088

CVE-2024-34088: In FRRouting (FRR) through 9.1, it is possible for the get_edge() function in ospf_te.c in the OSPF daemon to return a NULL pointer. In cases where calling functions do not handle the returned NULL value, the OSPF daemon crashes, leading to denial of service. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-34088] Upstream patches: [https://github.com/FRRouting/frr/commit/8c177d69e32b91b45bda5fc5da6511fa03dc11ca] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Zhang Peng <peng.zhang1.cn@windriver.com> 2024-11-26 16:11:12 +0800
committer: Armin Kuster <akuster808@gmail.com> 2024-12-15 13:57:26 -0500
commit: 9c352814e40a548723c73104412cc143d5fff8e5 (patch)
tree: cdb51483684a41c3682a781cd4f233bf72cca79b
parent: 96d9f031ba22958e416b31278d5cd043863c8b3b (diff)
download: meta-openembedded-9c352814e40a548723c73104412cc143d5fff8e5.tar.gz
2 files changed, 84 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch
new file mode 100644
index 0000000000..72dffb1328
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch
@@ -0,0 +1,83 @@
+From 8c177d69e32b91b45bda5fc5da6511fa03dc11ca Mon Sep 17 00:00:00 2001
+From: Olivier Dugeon <olivier.dugeon@orange.com>
+Date: Tue, 16 Apr 2024 16:42:06 +0200
+Subject: [PATCH] ospfd: protect call to get_edge() in ospf_te.c
+During fuzzing, Iggy Frankovic discovered that get_edge() function in ospf_te.c
+could return null pointer, in particular when the link_id or advertised router
+IP addresses are fuzzed. As the null pointer returned by get_edge() function is
+not handlei by calling functions, this could cause ospfd crash.
+This patch introduces new verification of returned pointer by get_edge()
+function and stop the processing in case of null pointer. In addition, link ID
+and advertiser router ID are validated before calling ls_find_edge_by_key() to
+avoid the creation of a new edge with an invalid key.
+CVE-2024-34088
+Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
+CVE: CVE-2024-34088
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/8c177d69e32b91b45bda5fc5da6511fa03dc11ca]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ ospfd/ospf_te.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index e68f9444f512..d57990e1a174 100644
+--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
+@@ -1670,6 +1670,11 @@ static struct ls_edge *get_edge(struct ls_ted *ted, struct ls_node_id adv,
+        struct ls_edge *edge;
+        struct ls_attributes *attr;
+ 
+       /* Check that Link ID and Node ID are valid */
+       if (IPV4_NET0(link_id.s_addr) || IPV4_NET0(adv.id.ip.addr.s_addr) ||
+           adv.origin != OSPFv2)
+               return NULL;
+
+        /* Search Edge that corresponds to the Link ID */
+        key.family = AF_INET;
+        IPV4_ADDR_COPY(&key.k.addr, &link_id);
+@@ -1743,6 +1748,10 @@ static void ospf_te_update_link(struct ls_ted *ted, struct ls_vertex *vertex,
+ 
+        /* Get Corresponding Edge from Link State Data Base */
+        edge = get_edge(ted, vertex->node->adv, link_data);
+       if (!edge) {
+               ote_debug("  |- Found no edge from Link Data. Abort!");
+               return;
+       }
+        attr = edge->attributes;
+ 
+        /* re-attached edge to vertex if needed */
+@@ -2246,11 +2255,11 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
+        }
+ 
+        /* Get corresponding Edge from Link State Data Base */
+-       if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
+-               ote_debug("  |- Found no TE Link local address/ID. Abort!");
+       edge = get_edge(ted, attr.adv, attr.standard.local);
+       if (!edge) {
+               ote_debug("  |- Found no edge from Link local add./ID. Abort!");
+                return -1;
+        }
+-       edge = get_edge(ted, attr.adv, attr.standard.local);
+        old = edge->attributes;
+ 
+        ote_debug("  |- Process Traffic Engineering LSA %pI4 for Edge %pI4",
+@@ -2759,6 +2768,10 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+        lnid.id.ip.area_id = lsa->area->area_id;
+        ext = (struct ext_tlv_link *)TLV_HDR_TOP(lsa->data);
+        edge = get_edge(ted, lnid, ext->link_data);
+       if (!edge) {
+               ote_debug("  |- Found no edge from Extended Link Data. Abort!");
+               return -1;
+       }
+        atr = edge->attributes;
+ 
+        ote_debug("  |- Process Extended Link LSA %pI4 for edge %pI4",
+--
+2.34.1
+\ No newline at end of file
diff --git a/meta-networking/recipes-protocols/frr/frr_9.1.bb b/meta-networking/recipes-protocols/frr/frr_9.1.bb
index eea6d62f5f..a172a4c6d3 100644
--- a/meta-networking/recipes-protocols/frr/frr_9.1.bb
+++ b/meta-networking/recipes-protocols/frr/frr_9.1.bb
@@ -13,6 +13,7 @@ LIC_FILES_CHKSUM = "file://doc/licenses/GPL-2.0;md5=b234ee4d69f5fce4486a80fdaf4a
 SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \
           file://frr.pam \
           file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \
+           file://CVE-2024-34088.patch \
           "
 SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"
author	Zhang Peng <peng.zhang1.cn@windriver.com>	2024-11-26 16:11:12 +0800
committer	Armin Kuster <akuster808@gmail.com>	2024-12-15 13:57:26 -0500
commit	9c352814e40a548723c73104412cc143d5fff8e5 (patch)
tree	cdb51483684a41c3682a781cd4f233bf72cca79b
parent	96d9f031ba22958e416b31278d5cd043863c8b3b (diff)
download	meta-openembedded-9c352814e40a548723c73104412cc143d5fff8e5.tar.gz

diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch new file mode 100644 index 0000000000..72dffb1328 --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch
@@ -0,0 +1,83 @@
		1	From 8c177d69e32b91b45bda5fc5da6511fa03dc11ca Mon Sep 17 00:00:00 2001
		2	From: Olivier Dugeon <olivier.dugeon@orange.com>
		3	Date: Tue, 16 Apr 2024 16:42:06 +0200
		4	Subject: [PATCH] ospfd: protect call to get_edge() in ospf_te.c
		5
		6	During fuzzing, Iggy Frankovic discovered that get_edge() function in ospf_te.c
		7	could return null pointer, in particular when the link_id or advertised router
		8	IP addresses are fuzzed. As the null pointer returned by get_edge() function is
		9	not handlei by calling functions, this could cause ospfd crash.
		10
		11	This patch introduces new verification of returned pointer by get_edge()
		12	function and stop the processing in case of null pointer. In addition, link ID
		13	and advertiser router ID are validated before calling ls_find_edge_by_key() to
		14	avoid the creation of a new edge with an invalid key.
		15
		16	CVE-2024-34088
		17
		18	Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
		19	Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
		20
		21	CVE: CVE-2024-34088
		22	Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/8c177d69e32b91b45bda5fc5da6511fa03dc11ca]
		23
		24	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		25	---
		26	ospfd/ospf_te.c \| 19 ++++++++++++++++---
		27	1 file changed, 16 insertions(+), 3 deletions(-)
		28
		29	diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
		30	index e68f9444f512..d57990e1a174 100644
		31	--- a/ospfd/ospf_te.c
		32	+++ b/ospfd/ospf_te.c
		33	@@ -1670,6 +1670,11 @@ static struct ls_edge get_edge(struct ls_ted ted, struct ls_node_id adv,
		34	struct ls_edge *edge;
		35	struct ls_attributes *attr;
		36
		37	+ /* Check that Link ID and Node ID are valid */
		38	+ if (IPV4_NET0(link_id.s_addr) \|\| IPV4_NET0(adv.id.ip.addr.s_addr) \|\|
		39	+ adv.origin != OSPFv2)
		40	+ return NULL;
		41	+
		42	/* Search Edge that corresponds to the Link ID */
		43	key.family = AF_INET;
		44	IPV4_ADDR_COPY(&key.k.addr, &link_id);
		45	@@ -1743,6 +1748,10 @@ static void ospf_te_update_link(struct ls_ted ted, struct ls_vertex vertex,
		46
		47	/* Get Corresponding Edge from Link State Data Base */
		48	edge = get_edge(ted, vertex->node->adv, link_data);
		49	+ if (!edge) {
		50	+ ote_debug(" \|- Found no edge from Link Data. Abort!");
		51	+ return;
		52	+ }
		53	attr = edge->attributes;
		54
		55	/* re-attached edge to vertex if needed */
		56	@@ -2246,11 +2255,11 @@ static int ospf_te_parse_te(struct ls_ted ted, struct ospf_lsa lsa)
		57	}
		58
		59	/* Get corresponding Edge from Link State Data Base */
		60	- if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
		61	- ote_debug(" \|- Found no TE Link local address/ID. Abort!");
		62	+ edge = get_edge(ted, attr.adv, attr.standard.local);
		63	+ if (!edge) {
		64	+ ote_debug(" \|- Found no edge from Link local add./ID. Abort!");
		65	return -1;
		66	}
		67	- edge = get_edge(ted, attr.adv, attr.standard.local);
		68	old = edge->attributes;
		69
		70	ote_debug(" \|- Process Traffic Engineering LSA %pI4 for Edge %pI4",
		71	@@ -2759,6 +2768,10 @@ static int ospf_te_parse_ext_link(struct ls_ted ted, struct ospf_lsa lsa)
		72	lnid.id.ip.area_id = lsa->area->area_id;
		73	ext = (struct ext_tlv_link *)TLV_HDR_TOP(lsa->data);
		74	edge = get_edge(ted, lnid, ext->link_data);
		75	+ if (!edge) {
		76	+ ote_debug(" \|- Found no edge from Extended Link Data. Abort!");
		77	+ return -1;
		78	+ }
		79	atr = edge->attributes;
		80
		81	ote_debug(" \|- Process Extended Link LSA %pI4 for edge %pI4",
		82	--
		83	2.34.1 \ No newline at end of file


diff --git a/meta-networking/recipes-protocols/frr/frr_9.1.bb b/meta-networking/recipes-protocols/frr/frr_9.1.bb index eea6d62f5f..a172a4c6d3 100644 --- a/meta-networking/recipes-protocols/frr/frr_9.1.bb +++ b/meta-networking/recipes-protocols/frr/frr_9.1.bb
@@ -13,6 +13,7 @@ LIC_FILES_CHKSUM = "file://doc/licenses/GPL-2.0;md5=b234ee4d69f5fce4486a80fdaf4a
13	SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \	13	SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \
14	file://frr.pam \	14	file://frr.pam \
15	file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \	15	file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \
		16	file://CVE-2024-34088.patch \
16	"	17	"
17		18
18	SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"	19	SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"