From 9c352814e40a548723c73104412cc143d5fff8e5 Mon Sep 17 00:00:00 2001
From: Zhang Peng <peng.zhang1.cn@windriver.com>
Date: Tue, 26 Nov 2024 16:11:12 +0800
Subject: frr: fix CVE-2024-34088

CVE-2024-34088:
In FRRouting (FRR) through 9.1, it is possible for the get_edge() function in ospf_te.c
in the OSPF daemon to return a NULL pointer. In cases where calling functions do not
handle the returned NULL value, the OSPF daemon crashes, leading to denial of service.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-34088]

Upstream patches:
[https://github.com/FRRouting/frr/commit/8c177d69e32b91b45bda5fc5da6511fa03dc11ca]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../recipes-protocols/frr/frr/CVE-2024-34088.patch | 83 ++++++++++++++++++++++
 meta-networking/recipes-protocols/frr/frr_9.1.bb   |  1 +
 2 files changed, 84 insertions(+)
 create mode 100644 meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch

diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch
new file mode 100644
index 0000000000..72dffb1328
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch
@@ -0,0 +1,83 @@
+From 8c177d69e32b91b45bda5fc5da6511fa03dc11ca Mon Sep 17 00:00:00 2001
+From: Olivier Dugeon <olivier.dugeon@orange.com>
+Date: Tue, 16 Apr 2024 16:42:06 +0200
+Subject: [PATCH] ospfd: protect call to get_edge() in ospf_te.c
+
+During fuzzing, Iggy Frankovic discovered that get_edge() function in ospf_te.c
+could return null pointer, in particular when the link_id or advertised router
+IP addresses are fuzzed. As the null pointer returned by get_edge() function is
+not handlei by calling functions, this could cause ospfd crash.
+
+This patch introduces new verification of returned pointer by get_edge()
+function and stop the processing in case of null pointer. In addition, link ID
+and advertiser router ID are validated before calling ls_find_edge_by_key() to
+avoid the creation of a new edge with an invalid key.
+
+CVE-2024-34088
+
+Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
+
+CVE: CVE-2024-34088
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/8c177d69e32b91b45bda5fc5da6511fa03dc11ca]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ ospfd/ospf_te.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index e68f9444f512..d57990e1a174 100644
+--- a/ospfd/ospf_te.c
++++ b/ospfd/ospf_te.c
+@@ -1670,6 +1670,11 @@ static struct ls_edge *get_edge(struct ls_ted *ted, struct ls_node_id adv,
+ 	struct ls_edge *edge;
+ 	struct ls_attributes *attr;
+ 
++	/* Check that Link ID and Node ID are valid */
++	if (IPV4_NET0(link_id.s_addr) || IPV4_NET0(adv.id.ip.addr.s_addr) ||
++	    adv.origin != OSPFv2)
++		return NULL;
++
+ 	/* Search Edge that corresponds to the Link ID */
+ 	key.family = AF_INET;
+ 	IPV4_ADDR_COPY(&key.k.addr, &link_id);
+@@ -1743,6 +1748,10 @@ static void ospf_te_update_link(struct ls_ted *ted, struct ls_vertex *vertex,
+ 
+ 	/* Get Corresponding Edge from Link State Data Base */
+ 	edge = get_edge(ted, vertex->node->adv, link_data);
++	if (!edge) {
++		ote_debug("  |- Found no edge from Link Data. Abort!");
++		return;
++	}
+ 	attr = edge->attributes;
+ 
+ 	/* re-attached edge to vertex if needed */
+@@ -2246,11 +2255,11 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 	}
+ 
+ 	/* Get corresponding Edge from Link State Data Base */
+-	if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
+-		ote_debug("  |- Found no TE Link local address/ID. Abort!");
++	edge = get_edge(ted, attr.adv, attr.standard.local);
++	if (!edge) {
++		ote_debug("  |- Found no edge from Link local add./ID. Abort!");
+ 		return -1;
+ 	}
+-	edge = get_edge(ted, attr.adv, attr.standard.local);
+ 	old = edge->attributes;
+ 
+ 	ote_debug("  |- Process Traffic Engineering LSA %pI4 for Edge %pI4",
+@@ -2759,6 +2768,10 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 	lnid.id.ip.area_id = lsa->area->area_id;
+ 	ext = (struct ext_tlv_link *)TLV_HDR_TOP(lsa->data);
+ 	edge = get_edge(ted, lnid, ext->link_data);
++	if (!edge) {
++		ote_debug("  |- Found no edge from Extended Link Data. Abort!");
++		return -1;
++	}
+ 	atr = edge->attributes;
+ 
+ 	ote_debug("  |- Process Extended Link LSA %pI4 for edge %pI4",
+--
+2.34.1
\ No newline at end of file
diff --git a/meta-networking/recipes-protocols/frr/frr_9.1.bb b/meta-networking/recipes-protocols/frr/frr_9.1.bb
index eea6d62f5f..a172a4c6d3 100644
--- a/meta-networking/recipes-protocols/frr/frr_9.1.bb
+++ b/meta-networking/recipes-protocols/frr/frr_9.1.bb
@@ -13,6 +13,7 @@ LIC_FILES_CHKSUM = "file://doc/licenses/GPL-2.0;md5=b234ee4d69f5fce4486a80fdaf4a
 SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \
            file://frr.pam \
            file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \
+           file://CVE-2024-34088.patch \
            "
 
 SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"
-- 
cgit v1.2.3-54-g00ecf