From 327470f0009cf193ab2ecfa69a866bdefc21fbb1 Mon Sep 17 00:00:00 2001
From: Zhang Peng
Date: Tue, 26 Nov 2024 16:11:13 +0800
Subject: frr: fix CVE-2024-31950

CVE-2024-31950: In FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ri for OSPF LSA packets during an attempt to read Segment Routing subTLVs (their size is not validated).

Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-31950]
Upstream patches: [https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4]

Signed-off-by: Zhang Peng
Signed-off-by: Armin Kuster
---
 .../recipes-protocols/frr/frr/CVE-2024-31950.patch | 68 ++++++++++++++++++++++
 meta-networking/recipes-protocols/frr/frr_9.1.bb | 1 +
 2 files changed, 69 insertions(+)
 create mode 100644 meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch

diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch
new file mode 100644
index 0000000000..c579ec283e
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch
@@ -0,0 +1,68 @@
+From f69d1313b19047d3d83fc2b36a518355b861dfc4 Mon Sep 17 00:00:00 2001
+From: Olivier Dugeon
+Date: Wed, 3 Apr 2024 16:28:23 +0200
+Subject: [PATCH] ospfd: Solved crash in RI parsing with OSPF TE
+
+Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
+LSA packets. The crash occurs in ospf_te_parse_ri() function when attemping to
+read Segment Routing subTLVs. The original code doesn't check if the size of
+the SR subTLVs have the correct length. In presence of erronous LSA, this will
+cause a buffer overflow and ospfd crash.
+
+This patch introduces new verification of the subTLVs size for Router
+Information TLV.
+
+Co-authored-by: Iggy Frankovic
+Signed-off-by: Olivier Dugeon
+
+CVE: CVE-2024-31950
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4]
+
+Signed-off-by: Zhang Peng
+---
+ ospfd/ospf_te.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index 359dc1f5d4b8..091669d8ed36 100644
+--- a/ospfd/ospf_te.c
++++ b/ospfd/ospf_te.c
+@@ -2456,6 +2456,9 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 
+ switch (ntohs(tlvh->type)) {
+ case RI_SR_TLV_SR_ALGORITHM:
++ if (TLV_BODY_SIZE(tlvh) < 1 ||
++ TLV_BODY_SIZE(tlvh) > ALGORITHM_COUNT)
++ break;
+ algo = (struct ri_sr_tlv_sr_algorithm *)tlvh;
+ 
+ for (int i = 0; i < ntohs(algo->header.length); i++) {
+@@ -2480,6 +2483,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+ break;
+ 
+ case RI_SR_TLV_SRGB_LABEL_RANGE:
++ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
++ break;
+ range = (struct ri_sr_tlv_sid_label_range *)tlvh;
+ size = GET_RANGE_SIZE(ntohl(range->size));
+ lower = GET_LABEL(ntohl(range->lower.value));
+@@ -2497,6 +2502,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+ break;
+ 
+ case RI_SR_TLV_SRLB_LABEL_RANGE:
++ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
++ break;
+ range = (struct ri_sr_tlv_sid_label_range *)tlvh;
+ size = GET_RANGE_SIZE(ntohl(range->size));
+ lower = GET_LABEL(ntohl(range->lower.value));
+@@ -2514,6 +2521,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+ break;
+ 
+ case RI_SR_TLV_NODE_MSD:
++ if (TLV_BODY_SIZE(tlvh) < RI_SR_TLV_NODE_MSD_SIZE)
++ break;
+ msd = (struct ri_sr_tlv_node_msd *)tlvh;
+ if ((CHECK_FLAG(node->flags, LS_NODE_MSD))
+ && (node->msd == msd->value))
+-- 
+2.34.1
\ No newline at end of file
diff --git a/meta-networking/recipes-protocols/frr/frr_9.1.bb b/meta-networking/recipes-protocols/frr/frr_9.1.bb
index a172a4c6d3..305ef8f1b8 100644
--- a/meta-networking/recipes-protocols/frr/frr_9.1.bb
+++ b/meta-networking/recipes-protocols/frr/frr_9.1.bb
@@ -14,6 +14,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \
 file://frr.pam \
 file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \
 file://CVE-2024-34088.patch \
+ file://CVE-2024-31950.patch \
 "
 SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"
-- 
cgit v1.2.3-54-g00ecf
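Review bot: The added checks compare each Segment Routing subTLV's declared length against the size of the struct it is then cast to, but nothing in the backported hunks verifies that the declared length also fits within the bytes remaining in the LSA, so a truncated TLV whose header still claims `RI_SR_TLV_LABEL_RANGE_SIZE` passes `TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE` and is read through `range->lower.value` and `range->size`. Whether the enclosing TLV walk already bounds `tlvh` against the LSA length cannot be seen here, because ospf_te_parse_ri begins and ends outside every hunk, so it is worth confirming in the stable/9.1 tree before treating this backport as a complete fix for the fuzz case. The `RI_SR_TLV_NODE_MSD` guard uses `<`, which only rejects bodies that are too short, consistent with reading just `msd->value`, while the SRGB/SRLB guards use strict equality and will therefore also discard a Label Range TLV carrying extra optional sub-TLVs — matching upstream and the safer choice, but worth a one-line comment such as `/* strict: only the mandatory SID/Label sub-TLV is accepted */`. All three rejection paths `break` silently; if ospf_te.c has a TE debug-log macro, logging the subTLV type and body size before the `break` would make malformed or fuzzed LSAs observable to operators rather than silently dropped.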