frr: fix CVE-2024-31949

CVE-2024-31949: In FRRouting (FRR) through 9.1, an infinite loop can occur when receiving a MP/GR capability as a dynamic capability because malformed data results in a pointer not advancing. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-31949] Upstream patches: [https://github.com/FRRouting/frr/commit/30a332dad86fafd2b0b6c61d23de59ed969a219b] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Zhang Peng <peng.zhang1.cn@windriver.com> 2024-11-26 16:11:16 +0800
committer: Armin Kuster <akuster808@gmail.com> 2024-12-15 13:57:40 -0500
commit: df0a87ca528b32d40d3de3ff7e43f73390a81c53 (patch)
tree: 268afbdc0421782ea977c1fb9ae86cab5e43716c
parent: 2d7769f90b09703f516a8c499972525726db6f95 (diff)
download: meta-openembedded-df0a87ca528b32d40d3de3ff7e43f73390a81c53.tar.gz
2 files changed, 164 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31949.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31949.patch
new file mode 100644
index 0000000000..dad0255ead
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31949.patch
@@ -0,0 +1,163 @@
+From 2779d7d7c4f465f8e117aa4c47982dd60d620bc9 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Sat, 30 Mar 2024 15:35:18 +0200
+Subject: [PATCH] bgpd: Fix errors handling for MP/GR capabilities as dynamic
+ capability
+When receiving a MP/GR capability as dynamic capability, but malformed, do not
+forget to advance the pointer to avoid hitting infinity loop.
+After:
+```
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [GS0AQ-HKY0X] 127.0.0.1 rcv CAPABILITY
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 5, length 0
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 0, length 0
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 0
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 0
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 1
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:15:28 donatas-laptop bgpd[353550]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+```
+Before:
+```
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
+Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
+```
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+CVE: CVE-2024-31949
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/30a332dad86fafd2b0b6c61d23de59ed969a219b]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ bgpd/bgp_packet.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index cae82cbbb..50e5b54ab 100644
+--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
+@@ -3121,6 +3121,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+                        zlog_err("%pBP: Capability length error", peer);
+                        bgp_notify_send(peer->connection, BGP_NOTIFY_CEASE,
+                                        BGP_NOTIFY_SUBCODE_UNSPECIFIC);
+                       pnt += length;
+                        return BGP_Stop;
+                }
+                action = *pnt;
+@@ -3133,7 +3134,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+                                 action);
+                        bgp_notify_send(peer->connection, BGP_NOTIFY_CEASE,
+                                        BGP_NOTIFY_SUBCODE_UNSPECIFIC);
+-                       return BGP_Stop;
+                       goto done;
+                }
+ 
+                if (bgp_debug_neighbor_events(peer))
+@@ -3145,12 +3146,13 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+                        zlog_err("%pBP: Capability length error", peer);
+                        bgp_notify_send(peer->connection, BGP_NOTIFY_CEASE,
+                                        BGP_NOTIFY_SUBCODE_UNSPECIFIC);
+                       pnt += length;
+                        return BGP_Stop;
+                }
+ 
+                /* Ignore capability when override-capability is set. */
+                if (CHECK_FLAG(peer->flags, PEER_FLAG_OVERRIDE_CAPABILITY))
+-                       continue;
+                       goto done;
+ 
+                capability = lookup_msg(capcode_str, hdr->code, "Unknown");
+ 
+@@ -3165,7 +3167,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+                                         peer, capability,
+                                         sizeof(struct capability_mp_data),
+                                         hdr->length);
+-                               return BGP_Stop;
+                               goto done;
+                        }
+ 
+                        memcpy(&mpc, pnt + 3, sizeof(struct capability_mp_data));
+@@ -3180,7 +3182,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+                                                   peer, capability,
+                                                   iana_afi2str(pkt_afi),
+                                                   iana_safi2str(pkt_safi));
+-                               continue;
+                               goto done;
+                        }
+ 
+                        /* Address family check.  */
+@@ -3207,7 +3209,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+                                if (peer_active_nego(peer))
+                                        bgp_clear_route(peer, afi, safi);
+                                else
+-                                       return BGP_Stop;
+                                       goto done;
+                        }
+                        break;
+                case CAPABILITY_CODE_RESTART:
+@@ -3217,7 +3219,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+                                bgp_notify_send(peer->connection,
+                                                BGP_NOTIFY_CEASE,
+                                                BGP_NOTIFY_SUBCODE_UNSPECIFIC);
+-                               return BGP_Stop;
+                               goto done;
+                        }
+ 
+                        bgp_dynamic_capability_graceful_restart(pnt, action,
+@@ -3243,7 +3245,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+                                bgp_notify_send(peer->connection,
+                                                BGP_NOTIFY_CEASE,
+                                                BGP_NOTIFY_SUBCODE_UNSPECIFIC);
+-                               return BGP_Stop;
+                               goto done;
+                        }
+ 
+                        uint8_t role;
+@@ -3265,6 +3267,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+                        break;
+                }
+ 
+done:
+                pnt += hdr->length + 3;
+        }
+ 
+-- 
+2.34.1
diff --git a/meta-networking/recipes-protocols/frr/frr_9.1.bb b/meta-networking/recipes-protocols/frr/frr_9.1.bb
index 7043cad0f6..7c1691259d 100644
--- a/meta-networking/recipes-protocols/frr/frr_9.1.bb
+++ b/meta-networking/recipes-protocols/frr/frr_9.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \
           file://CVE-2024-31950.patch \
           file://CVE-2024-31951.patch \
           file://CVE-2024-31948.patch \
+           file://CVE-2024-31949.patch \
           "
 SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"
author	Zhang Peng <peng.zhang1.cn@windriver.com>	2024-11-26 16:11:16 +0800
committer	Armin Kuster <akuster808@gmail.com>	2024-12-15 13:57:40 -0500
commit	df0a87ca528b32d40d3de3ff7e43f73390a81c53 (patch)
tree	268afbdc0421782ea977c1fb9ae86cab5e43716c
parent	2d7769f90b09703f516a8c499972525726db6f95 (diff)
download	meta-openembedded-df0a87ca528b32d40d3de3ff7e43f73390a81c53.tar.gz

diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31949.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31949.patch new file mode 100644 index 0000000000..dad0255ead --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31949.patch
@@ -0,0 +1,163 @@
		1	From 2779d7d7c4f465f8e117aa4c47982dd60d620bc9 Mon Sep 17 00:00:00 2001
		2	From: Donatas Abraitis <donatas@opensourcerouting.org>
		3	Date: Sat, 30 Mar 2024 15:35:18 +0200
		4	Subject: [PATCH] bgpd: Fix errors handling for MP/GR capabilities as dynamic
		5	capability
		6
		7	When receiving a MP/GR capability as dynamic capability, but malformed, do not
		8	forget to advance the pointer to avoid hitting infinity loop.
		9
		10	After:
		11	```
		12	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [GS0AQ-HKY0X] 127.0.0.1 rcv CAPABILITY
		13	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 5, length 0
		14	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 0, length 0
		15	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored
		16	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 0
		17	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored
		18	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 0
		19	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored
		20	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 1
		21	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored
		22	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		23	Mar 29 11:15:28 donatas-laptop bgpd[353550]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		24	```
		25
		26	Before:
		27	```
		28	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		29	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		30	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		31	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		32	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		33	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		34	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		35	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		36	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		37	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		38	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		39	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		40	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		41	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		42	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		43	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		44	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		45	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		46	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		47	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		48	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		49	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		50	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		51	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		52	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		53	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		54	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		55	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		56	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		57	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast)
		58	Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10
		59	```
		60
		61	Reported-by: Iggy Frankovic <iggyfran@amazon.com>
		62	Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
		63
		64	CVE: CVE-2024-31949
		65	Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/30a332dad86fafd2b0b6c61d23de59ed969a219b]
		66
		67	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		68	---
		69	bgpd/bgp_packet.c \| 17 ++++++++++-------
		70	1 file changed, 10 insertions(+), 7 deletions(-)
		71
		72	diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
		73	index cae82cbbb..50e5b54ab 100644
		74	--- a/bgpd/bgp_packet.c
		75	+++ b/bgpd/bgp_packet.c
		76	@@ -3121,6 +3121,7 @@ static int bgp_capability_msg_parse(struct peer peer, uint8_t pnt,
		77	zlog_err("%pBP: Capability length error", peer);
		78	bgp_notify_send(peer->connection, BGP_NOTIFY_CEASE,
		79	BGP_NOTIFY_SUBCODE_UNSPECIFIC);
		80	+ pnt += length;
		81	return BGP_Stop;
		82	}
		83	action = *pnt;
		84	@@ -3133,7 +3134,7 @@ static int bgp_capability_msg_parse(struct peer peer, uint8_t pnt,
		85	action);
		86	bgp_notify_send(peer->connection, BGP_NOTIFY_CEASE,
		87	BGP_NOTIFY_SUBCODE_UNSPECIFIC);
		88	- return BGP_Stop;
		89	+ goto done;
		90	}
		91
		92	if (bgp_debug_neighbor_events(peer))
		93	@@ -3145,12 +3146,13 @@ static int bgp_capability_msg_parse(struct peer peer, uint8_t pnt,
		94	zlog_err("%pBP: Capability length error", peer);
		95	bgp_notify_send(peer->connection, BGP_NOTIFY_CEASE,
		96	BGP_NOTIFY_SUBCODE_UNSPECIFIC);
		97	+ pnt += length;
		98	return BGP_Stop;
		99	}
		100
		101	/* Ignore capability when override-capability is set. */
		102	if (CHECK_FLAG(peer->flags, PEER_FLAG_OVERRIDE_CAPABILITY))
		103	- continue;
		104	+ goto done;
		105
		106	capability = lookup_msg(capcode_str, hdr->code, "Unknown");
		107
		108	@@ -3165,7 +3167,7 @@ static int bgp_capability_msg_parse(struct peer peer, uint8_t pnt,
		109	peer, capability,
		110	sizeof(struct capability_mp_data),
		111	hdr->length);
		112	- return BGP_Stop;
		113	+ goto done;
		114	}
		115
		116	memcpy(&mpc, pnt + 3, sizeof(struct capability_mp_data));
		117	@@ -3180,7 +3182,7 @@ static int bgp_capability_msg_parse(struct peer peer, uint8_t pnt,
		118	peer, capability,
		119	iana_afi2str(pkt_afi),
		120	iana_safi2str(pkt_safi));
		121	- continue;
		122	+ goto done;
		123	}
		124
		125	/* Address family check. */
		126	@@ -3207,7 +3209,7 @@ static int bgp_capability_msg_parse(struct peer peer, uint8_t pnt,
		127	if (peer_active_nego(peer))
		128	bgp_clear_route(peer, afi, safi);
		129	else
		130	- return BGP_Stop;
		131	+ goto done;
		132	}
		133	break;
		134	case CAPABILITY_CODE_RESTART:
		135	@@ -3217,7 +3219,7 @@ static int bgp_capability_msg_parse(struct peer peer, uint8_t pnt,
		136	bgp_notify_send(peer->connection,
		137	BGP_NOTIFY_CEASE,
		138	BGP_NOTIFY_SUBCODE_UNSPECIFIC);
		139	- return BGP_Stop;
		140	+ goto done;
		141	}
		142
		143	bgp_dynamic_capability_graceful_restart(pnt, action,
		144	@@ -3243,7 +3245,7 @@ static int bgp_capability_msg_parse(struct peer peer, uint8_t pnt,
		145	bgp_notify_send(peer->connection,
		146	BGP_NOTIFY_CEASE,
		147	BGP_NOTIFY_SUBCODE_UNSPECIFIC);
		148	- return BGP_Stop;
		149	+ goto done;
		150	}
		151
		152	uint8_t role;
		153	@@ -3265,6 +3267,7 @@ static int bgp_capability_msg_parse(struct peer peer, uint8_t pnt,
		154	break;
		155	}
		156
		157	+done:
		158	pnt += hdr->length + 3;
		159	}
		160
		161	--
		162	2.34.1
		163


diff --git a/meta-networking/recipes-protocols/frr/frr_9.1.bb b/meta-networking/recipes-protocols/frr/frr_9.1.bb index 7043cad0f6..7c1691259d 100644 --- a/meta-networking/recipes-protocols/frr/frr_9.1.bb +++ b/meta-networking/recipes-protocols/frr/frr_9.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \
17	file://CVE-2024-31950.patch \	17	file://CVE-2024-31950.patch \
18	file://CVE-2024-31951.patch \	18	file://CVE-2024-31951.patch \
19	file://CVE-2024-31948.patch \	19	file://CVE-2024-31948.patch \
		20	file://CVE-2024-31949.patch \
20	"	21	"
21		22
22	SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"	23	SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"