From patchwork Tue Nov 26 08:11:12 2024
X-Patchwork-Submitter: Peng Zhang
X-Patchwork-Id: 53210
From: peng.zhang1.cn@windriver.com
To: openembedded-devel@lists.openembedded.org
Subject: [meta-networking][scarthgap][PATCH 1/5] frr: fix CVE-2024-34088
Date: Tue, 26 Nov 2024 16:11:12 +0800
Message-Id: <20241126081116.2535308-1-peng.zhang1.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114063
From: Zhang Peng CVE-2024-34088: In FRRouting (FRR) through 9.1, it is possible for the get_edge() function in ospf_te.c in the OSPF daemon to return a NULL pointer. In cases where calling functions do not handle the returned NULL value, the OSPF daemon crashes, leading to denial of service. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-34088] Upstream patches: [https://github.com/FRRouting/frr/commit/8c177d69e32b91b45bda5fc5da6511fa03dc11ca] Signed-off-by: Zhang Peng --- .../frr/frr/CVE-2024-34088.patch | 83 +++++++++++++++++++ .../recipes-protocols/frr/frr_9.1.bb | 1 + 2 files changed, 84 insertions(+) create mode 100644 meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch new file mode 100644 index 0000000000..72dffb1328 --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-34088.patch 
@@ -0,0 +1,83 @@ +From 8c177d69e32b91b45bda5fc5da6511fa03dc11ca Mon Sep 17 00:00:00 2001 +From: Olivier Dugeon +Date: Tue, 16 Apr 2024 16:42:06 +0200 +Subject: [PATCH] ospfd: protect call to get_edge() in ospf_te.c + +During fuzzing, Iggy Frankovic discovered that get_edge() function in ospf_te.c +could return null pointer, in particular when the link_id or advertised router +IP addresses are fuzzed. As the null pointer returned by get_edge() function is +not handlei by calling functions, this could cause ospfd crash. + +This patch introduces new verification of returned pointer by get_edge() +function and stop the processing in case of null pointer. In addition, link ID +and advertiser router ID are validated before calling ls_find_edge_by_key() to +avoid the creation of a new edge with an invalid key. + +CVE-2024-34088 + +Co-authored-by: Iggy Frankovic +Signed-off-by: Olivier Dugeon + +CVE: CVE-2024-34088 +Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/8c177d69e32b91b45bda5fc5da6511fa03dc11ca] + +Signed-off-by: Zhang Peng +--- + ospfd/ospf_te.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c +index e68f9444f512..d57990e1a174 100644 +--- a/ospfd/ospf_te.c ++++ b/ospfd/ospf_te.c +@@ -1670,6 +1670,11 @@ static struct ls_edge *get_edge(struct ls_ted *ted, struct ls_node_id adv, + struct ls_edge *edge; + struct ls_attributes *attr; + ++ /* Check that Link ID and Node ID are valid */ ++ if (IPV4_NET0(link_id.s_addr) || IPV4_NET0(adv.id.ip.addr.s_addr) || ++ adv.origin != OSPFv2) ++ return NULL; ++ + /* Search Edge that corresponds to the Link ID */ + key.family = AF_INET; + IPV4_ADDR_COPY(&key.k.addr, &link_id); +@@ -1743,6 +1748,10 @@ static void ospf_te_update_link(struct ls_ted *ted, struct ls_vertex *vertex, + + /* Get Corresponding Edge from Link State Data Base */ + edge = get_edge(ted, vertex->node->adv, link_data); ++ if (!edge) { ++ ote_debug(" |- Found no edge 
from Link Data. Abort!"); ++ return; ++ } + attr = edge->attributes; + + /* re-attached edge to vertex if needed */ +@@ -2246,11 +2255,11 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa) + } + + /* Get corresponding Edge from Link State Data Base */ +- if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) { +- ote_debug(" |- Found no TE Link local address/ID. Abort!"); ++ edge = get_edge(ted, attr.adv, attr.standard.local); ++ if (!edge) { ++ ote_debug(" |- Found no edge from Link local add./ID. Abort!"); + return -1; + } +- edge = get_edge(ted, attr.adv, attr.standard.local); + old = edge->attributes; + + ote_debug(" |- Process Traffic Engineering LSA %pI4 for Edge %pI4", +@@ -2759,6 +2768,10 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa) + lnid.id.ip.area_id = lsa->area->area_id; + ext = (struct ext_tlv_link *)TLV_HDR_TOP(lsa->data); + edge = get_edge(ted, lnid, ext->link_data); ++ if (!edge) { ++ ote_debug(" |- Found no edge from Extended Link Data. Abort!"); ++ return -1; ++ } + atr = edge->attributes; + + ote_debug(" |- Process Extended Link LSA %pI4 for edge %pI4", +-- +2.34.1 \ No newline at end of file diff --git a/meta-networking/recipes-protocols/frr/frr_9.1.bb b/meta-networking/recipes-protocols/frr/frr_9.1.bb index eea6d62f5f..a172a4c6d3 100644 --- a/meta-networking/recipes-protocols/frr/frr_9.1.bb +++ b/meta-networking/recipes-protocols/frr/frr_9.1.bb 
@@ -13,6 +13,7 @@ LIC_FILES_CHKSUM = "file://doc/licenses/GPL-2.0;md5=b234ee4d69f5fce4486a80fdaf4a SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \ file://frr.pam \ file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \ + file://CVE-2024-34088.patch \ " SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"
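Review bot: in the ospf_te_parse_te() hunk (@@ -2246) the removed guard only aborted when the local address was zero and `attr.standard.local_id` was also zero, so a TE LSA carrying only a local ID still reached get_edge(). With the new check at the top of get_edge(), `IPV4_NET0(link_id.s_addr)` makes that case return NULL and the LSA is dropped, while the new debug text still reads "local add./ID" although the ID is no longer consulted. If dropping ID-only links is intended, the commit message should say so and the debug string should mention only the address; if not, that case needs handling before the call.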
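Review bot: the get_edge() hunk (@@ -1670) adds an early `return NULL` but no comment stating that callers must handle a NULL result, which is the condition the commit message gives for this CVE. A short note on the return contract above the new check would help, and it is worth confirming that the three call sites patched here, ospf_te_update_link(), ospf_te_parse_te() and ospf_te_parse_ext_link(), are the only callers in ospf_te.c.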
From patchwork Tue Nov 26 08:11:13 2024
X-Patchwork-Submitter: Peng Zhang
X-Patchwork-Id: 53212
From: peng.zhang1.cn@windriver.com
To: openembedded-devel@lists.openembedded.org
Subject: [meta-networking][scarthgap][PATCH 2/5] frr: fix CVE-2024-31950
Date: Tue, 26 Nov 2024 16:11:13 +0800
Message-Id: <20241126081116.2535308-2-peng.zhang1.cn@windriver.com>
In-Reply-To: <20241126081116.2535308-1-peng.zhang1.cn@windriver.com>
References: <20241126081116.2535308-1-peng.zhang1.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114064
From: Zhang Peng CVE-2024-31950: In FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ri for OSPF LSA packets during an attempt to read Segment Routing subTLVs (their size is not validated). Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-31950] Upstream patches: [https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4] Signed-off-by: Zhang Peng --- .../frr/frr/CVE-2024-31950.patch | 68 +++++++++++++++++++ .../recipes-protocols/frr/frr_9.1.bb | 1 + 2 files changed, 69 insertions(+) create mode 100644 meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch new file mode 100644 index 0000000000..c579ec283e --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch
@@ -0,0 +1,68 @@ +From f69d1313b19047d3d83fc2b36a518355b861dfc4 Mon Sep 17 00:00:00 2001 +From: Olivier Dugeon +Date: Wed, 3 Apr 2024 16:28:23 +0200 +Subject: [PATCH] ospfd: Solved crash in RI parsing with OSPF TE + +Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF +LSA packets. The crash occurs in ospf_te_parse_ri() function when attemping to +read Segment Routing subTLVs. The original code doesn't check if the size of +the SR subTLVs have the correct length. In presence of erronous LSA, this will +cause a buffer overflow and ospfd crash. + +This patch introduces new verification of the subTLVs size for Router +Information TLV. + +Co-authored-by: Iggy Frankovic +Signed-off-by: Olivier Dugeon + +CVE: CVE-2024-31950 +Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4] + +Signed-off-by: Zhang Peng +--- + ospfd/ospf_te.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c +index 359dc1f5d4b8..091669d8ed36 100644 +--- a/ospfd/ospf_te.c ++++ b/ospfd/ospf_te.c +@@ -2456,6 +2456,9 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa) + + switch (ntohs(tlvh->type)) { + case RI_SR_TLV_SR_ALGORITHM: ++ if (TLV_BODY_SIZE(tlvh) < 1 || ++ TLV_BODY_SIZE(tlvh) > ALGORITHM_COUNT) ++ break; + algo = (struct ri_sr_tlv_sr_algorithm *)tlvh; + + for (int i = 0; i < ntohs(algo->header.length); i++) { +@@ -2480,6 +2483,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa) + break; + + case RI_SR_TLV_SRGB_LABEL_RANGE: ++ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE) ++ break; + range = (struct ri_sr_tlv_sid_label_range *)tlvh; + size = GET_RANGE_SIZE(ntohl(range->size)); + lower = GET_LABEL(ntohl(range->lower.value)); +@@ -2497,6 +2502,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa) + break; + + case RI_SR_TLV_SRLB_LABEL_RANGE: ++ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE) 
++ break; + range = (struct ri_sr_tlv_sid_label_range *)tlvh; + size = GET_RANGE_SIZE(ntohl(range->size)); + lower = GET_LABEL(ntohl(range->lower.value)); +@@ -2514,6 +2521,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa) + break; + + case RI_SR_TLV_NODE_MSD: ++ if (TLV_BODY_SIZE(tlvh) < RI_SR_TLV_NODE_MSD_SIZE) ++ break; + msd = (struct ri_sr_tlv_node_msd *)tlvh; + if ((CHECK_FLAG(node->flags, LS_NODE_MSD)) + && (node->msd == msd->value)) +-- +2.34.1 \ No newline at end of file diff --git a/meta-networking/recipes-protocols/frr/frr_9.1.bb b/meta-networking/recipes-protocols/frr/frr_9.1.bb index a172a4c6d3..305ef8f1b8 100644 --- a/meta-networking/recipes-protocols/frr/frr_9.1.bb +++ b/meta-networking/recipes-protocols/frr/frr_9.1.bb 
@@ -14,6 +14,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \ file://frr.pam \ file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \ file://CVE-2024-34088.patch \ + file://CVE-2024-31950.patch \ " SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"
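Review bot: the four size checks added in ospf_te_parse_ri() (RI_SR_TLV_SR_ALGORITHM, both label range cases and RI_SR_TLV_NODE_MSD) skip a malformed sub-TLV with a bare `break` and no ote_debug() line, so an operator gets no trace that a neighbour sent an out-of-spec Router Information LSA. The edge checks in 1/5 log "Abort!" in the same situation; a matching debug line here would keep the behaviour consistent. A brief comment would also help on why RI_SR_TLV_NODE_MSD uses `<` while the label ranges use `!=`, since the first accepts oversized bodies and the second does not.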
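Review bot: the SRC_URI hunk lists CVE-2024-34088.patch ahead of CVE-2024-31950.patch, which is the reverse of the order in which the upstream commits were made. The embedded ospf_te.c index lines show it: this patch takes 359dc1f5d4b8 to 091669d8ed36, while the 34088 patch in 1/5 starts from e68f9444f512, and its upstream date (16 Apr 2024) is later than this one's (3 Apr 2024). Both touch ospfd/ospf_te.c, so the line offsets recorded in the patches will not match the tree that do_patch sees. Please either list the patches in upstream order or confirm that each one applies without fuzz on top of the previous one.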
From patchwork Tue Nov 26 08:11:14 2024
X-Patchwork-Submitter: Peng Zhang
X-Patchwork-Id: 53213
From: peng.zhang1.cn@windriver.com
To: openembedded-devel@lists.openembedded.org
Subject: [meta-networking][scarthgap][PATCH 3/5] frr: fix CVE-2024-31951
Date: Tue, 26 Nov 2024 16:11:14 +0800
Message-Id: <20241126081116.2535308-3-peng.zhang1.cn@windriver.com>
In-Reply-To: <20241126081116.2535308-1-peng.zhang1.cn@windriver.com>
References: <20241126081116.2535308-1-peng.zhang1.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114065
From: Zhang Peng CVE-2024-31951: In the Opaque LSA Extended Link parser in FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ext_link for OSPF LSA packets during an attempt to read Segment Routing Adjacency SID subTLVs (lengths are not validated). Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-31951] Upstream patches: [https://github.com/FRRouting/frr/commit/5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a]
Signed-off-by: Zhang Peng --- .../frr/frr/CVE-2024-31951.patch | 110 ++++++++++++++++++ .../recipes-protocols/frr/frr_9.1.bb | 1 + 2 files changed, 111 insertions(+) create mode 100644 meta-networking/recipes-protocols/frr/frr/CVE-2024-31951.patch diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31951.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31951.patch new file mode 100644 index 0000000000..7f19b0312a --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31951.patch 
@@ -0,0 +1,110 @@ +From 5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a Mon Sep 17 00:00:00 2001 +From: Olivier Dugeon +Date: Fri, 5 Apr 2024 12:57:11 +0200 +Subject: [PATCH] ospfd: Correct Opaque LSA Extended parser + +Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF +LSA packets. The crash occurs in ospf_te_parse_ext_link() function when +attemping to read Segment Routing Adjacency SID subTLVs. The original code +doesn't check if the size of the Extended Link TLVs and subTLVs have the correct +length. In presence of erronous LSA, this will cause a buffer overflow and ospfd +crashes. + +This patch introduces new verification of the subTLVs size for Extended Link +TLVs and subTLVs. Similar check has been also introduced for the Extended +Prefix TLV. + +Co-authored-by: Iggy Frankovic +Signed-off-by: Olivier Dugeon + +CVE: CVE-2024-31951 +Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a] + +Signed-off-by: Zhang Peng +--- + ospfd/ospf_te.c | 35 +++++++++++++++++++++++++++++++++-- + 1 file changed, 33 insertions(+), 2 deletions(-) + +diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c +index 091669d8ed36..e68f9444f512 100644 +--- a/ospfd/ospf_te.c ++++ b/ospfd/ospf_te.c +@@ -2620,6 +2620,7 @@ static int ospf_te_parse_ext_pref(struct ls_ted *ted, struct ospf_lsa *lsa) + struct ext_tlv_prefix *ext; + struct ext_subtlv_prefix_sid *pref_sid; + uint32_t label; ++ uint16_t len, size; + + /* Get corresponding Subnet from Link State Data Base */ + ext = (struct ext_tlv_prefix *)TLV_HDR_TOP(lsa->data); +@@ -2641,6 +2642,18 @@ static int ospf_te_parse_ext_pref(struct ls_ted *ted, struct ospf_lsa *lsa) + ote_debug(" |- Process Extended Prefix LSA %pI4 for subnet %pFX", + &lsa->data->id, &pref); + ++ /* ++ * Check Extended Prefix TLV size against LSA size ++ * as only one TLV is allowed per LSA ++ */ ++ len = TLV_BODY_SIZE(&ext->header); ++ size = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE); ++ if 
(len != size || len <= 0) { ++ ote_debug(" |- Wrong TLV size: %u instead of %u", ++ (uint32_t)len, (uint32_t)size); ++ return -1; ++ } ++ + /* Initialize TLV browsing */ + ls_pref = subnet->ls_pref; + pref_sid = (struct ext_subtlv_prefix_sid *)((char *)(ext) + TLV_HDR_SIZE +@@ -2751,8 +2764,20 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa) + ote_debug(" |- Process Extended Link LSA %pI4 for edge %pI4", + &lsa->data->id, &edge->attributes->standard.local); + +- /* Initialize TLV browsing */ +- len = TLV_BODY_SIZE(&ext->header) - EXT_TLV_LINK_SIZE; ++ /* ++ * Check Extended Link TLV size against LSA size ++ * as only one TLV is allowed per LSA ++ */ ++ len = TLV_BODY_SIZE(&ext->header); ++ i = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE); ++ if (len != i || len <= 0) { ++ ote_debug(" |- Wrong TLV size: %u instead of %u", ++ (uint32_t)len, (uint32_t)i); ++ return -1; ++ } ++ ++ /* Initialize subTLVs browsing */ ++ len -= EXT_TLV_LINK_SIZE; + tlvh = (struct tlv_header *)((char *)(ext) + TLV_HDR_SIZE + + EXT_TLV_LINK_SIZE); + for (; sum < len; tlvh = TLV_HDR_NEXT(tlvh)) { +@@ -2762,6 +2787,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa) + + switch (ntohs(tlvh->type)) { + case EXT_SUBTLV_ADJ_SID: ++ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_ADJ_SID_SIZE) ++ break; + adj = (struct ext_subtlv_adj_sid *)tlvh; + label = CHECK_FLAG(adj->flags, + EXT_SUBTLV_LINK_ADJ_SID_VFLG) +@@ -2788,6 +2815,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa) + + break; + case EXT_SUBTLV_LAN_ADJ_SID: ++ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_LAN_ADJ_SID_SIZE) ++ break; + ladj = (struct ext_subtlv_lan_adj_sid *)tlvh; + label = CHECK_FLAG(ladj->flags, + EXT_SUBTLV_LINK_ADJ_SID_VFLG) +@@ -2817,6 +2846,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa) + + break; + case EXT_SUBTLV_RMT_ITF_ADDR: ++ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_RMT_ITF_ADDR_SIZE) ++ break; + rmt = 
(struct ext_subtlv_rmt_itf_addr *)tlvh; + if (CHECK_FLAG(atr->flags, LS_ATTR_NEIGH_ADDR) + && IPV4_ADDR_SAME(&atr->standard.remote, +-- +2.34.1 \ No newline at end of file diff --git a/meta-networking/recipes-protocols/frr/frr_9.1.bb b/meta-networking/recipes-protocols/frr/frr_9.1.bb index 305ef8f1b8..807e4ef8ef 100644 --- a/meta-networking/recipes-protocols/frr/frr_9.1.bb +++ b/meta-networking/recipes-protocols/frr/frr_9.1.bb 
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \ file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \ file://CVE-2024-34088.patch \ file://CVE-2024-31950.patch \ + file://CVE-2024-31951.patch \ " SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"
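Review bot: in the ospf_te_parse_ext_pref hunk that adds the TLV size check, "len" is declared uint16_t, so "len <= 0" can only ever mean "len == 0" and should be written that way. "size" is also uint16_t and is computed as "lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE)" with no earlier test that lsa->size is at least the sum of the two headers, so a shorter LSA yields a wrapped value; an explicit lower bound on lsa->size before the subtraction would make the check auditable. This function also receives only the TLV-versus-LSA check: the "pref_sid" cast that follows is not given a per-subTLV size check like the ones added to ospf_te_parse_ext_link, which is worth confirming against the rest of the function.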
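Review bot: in the ospf_te_parse_ext_link hunk, "len -= EXT_TLV_LINK_SIZE;" runs after a check that only rejects "len != i" and "len <= 0", so a TLV body that matches the LSA size but is shorter than EXT_TLV_LINK_SIZE still leaves "len" negative, or wrapped to a large value if it is unsigned, and the "for (; sum < len; ...)" bound is then meaningless. Reject "len < EXT_TLV_LINK_SIZE" in the same condition. Reusing the loop counter "i" to hold the expected size also hurts readability; a dedicated "size" variable, as in ospf_te_parse_ext_pref, would be clearer.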
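Review bot: the three added subTLV checks (EXT_SUBTLV_ADJ_SID, EXT_SUBTLV_LAN_ADJ_SID, EXT_SUBTLV_RMT_ITF_ADDR) compare TLV_BODY_SIZE(tlvh) with the expected constant, but nothing in the visible lines confirms that TLV_HDR_SIZE plus that body still fits in the remaining "len - sum" before "tlvh" is cast to the subTLV struct. A remaining-length test at the top of the loop body would close that gap for all subTLV types at once. The bare "break" on a size mismatch also drops the subTLV without any trace; an ote_debug line in the style of the "Wrong TLV size" message added above would let operators see that a malformed LSA was received.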
From: peng.zhang1.cn@windriver.com
To: openembedded-devel@lists.openembedded.org
Subject: [meta-networking][scarthgap][PATCH 4/5] frr: fix CVE-2024-31948
Date: Tue, 26 Nov 2024 16:11:15 +0800
Message-Id: <20241126081116.2535308-4-peng.zhang1.cn@windriver.com>
In-Reply-To: <20241126081116.2535308-1-peng.zhang1.cn@windriver.com>
References: <20241126081116.2535308-1-peng.zhang1.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114066

From: Zhang Peng

CVE-2024-31948: In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID attribute in a BGP UPDATE packet can cause the bgpd daemon to crash.

Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-31948]

Upstream patches: [https://github.com/FRRouting/frr/commit/ba6a8f1a31e1a88df2de69ea46068e8bd9b97138] [https://github.com/FRRouting/frr/commit/babb23b74855e23c987a63f8256d24e28c044d07]

Signed-off-by: Zhang Peng --- .../frr/frr/CVE-2024-31948.patch | 130 ++++++++++++++++++ .../recipes-protocols/frr/frr_9.1.bb | 1 + 2 files changed, 131 insertions(+) create mode 100644 meta-networking/recipes-protocols/frr/frr/CVE-2024-31948.patch diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31948.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31948.patch new file mode 100644 index 0000000000..bc1f2edc7d --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31948.patch 
@@ -0,0 +1,130 @@ +From a11446687169c679b5e51b57f151a6f6c119656c Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Wed, 27 Mar 2024 18:42:56 +0200 +Subject: [PATCH 1/2] bgpd: Fix error handling when receiving BGP Prefix SID + attribute + +Without this patch, we always set the BGP Prefix SID attribute flag without +checking if it's malformed or not. RFC8669 says that this attribute MUST be discarded. + +Also, this fixes the bgpd crash when a malformed Prefix SID attribute is received, +with malformed transitive flags and/or TLVs. + +Reported-by: Iggy Frankovic +Signed-off-by: Donatas Abraitis + +CVE: CVE-2024-31948 +Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/ba6a8f1a31e1a88df2de69ea46068e8bd9b97138] + +Signed-off-by: Zhang Peng +--- + bgpd/bgp_attr.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 56e77eb3a..2639ff864 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -1390,6 +1390,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, + case BGP_ATTR_AS4_AGGREGATOR: + case BGP_ATTR_AGGREGATOR: + case BGP_ATTR_ATOMIC_AGGREGATE: ++ case BGP_ATTR_PREFIX_SID: + return BGP_ATTR_PARSE_PROCEED; + + /* Core attributes, particularly ones which may influence route +@@ -3144,8 +3145,6 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args) + struct attr *const attr = args->attr; + enum bgp_attr_parse_ret ret; + +- attr->flag |= ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID); +- + uint8_t type; + uint16_t length; + size_t headersz = sizeof(type) + sizeof(length); +@@ -3195,6 +3194,8 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args) + } + } + ++ SET_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID)); ++ + return BGP_ATTR_PARSE_PROCEED; + } + +-- +2.34.1 + +From 70555e1c0927b84f3aae9406379b00c976b2fa0c Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Wed, 27 Mar 2024 19:08:38 +0200 +Subject: [PATCH 
2/2] bgpd: Prevent from one more CVE triggering this place + +If we receive an attribute that is handled by bgp_attr_malformed(), use +treat-as-withdraw behavior for unknown (or missing to add - if new) attributes. + +Signed-off-by: Donatas Abraitis + +CVE: CVE-2024-31948 +Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/babb23b74855e23c987a63f8256d24e28c044d07] + +Signed-off-by: Zhang Peng +--- + bgpd/bgp_attr.c | 33 ++++++++++++++++++++++----------- + 1 file changed, 22 insertions(+), 11 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 2639ff864..797f05d60 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -1381,6 +1381,15 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, + (args->startp - STREAM_DATA(BGP_INPUT(peer))) + + args->total); + ++ /* Partial optional attributes that are malformed should not cause ++ * the whole session to be reset. Instead treat it as a withdrawal ++ * of the routes, if possible. ++ */ ++ if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS) && ++ CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL) && ++ CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL)) ++ return BGP_ATTR_PARSE_WITHDRAW; ++ + switch (args->type) { + /* where an attribute is relatively inconsequential, e.g. it does not + * affect route selection, and can be safely ignored, then any such +@@ -1418,19 +1427,21 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, + BGP_NOTIFY_UPDATE_ERR, subcode, + notify_datap, length); + return BGP_ATTR_PARSE_ERROR; ++ default: ++ /* Unknown attributes, that are handled by this function ++ * should be treated as withdraw, to prevent one more CVE ++ * from being introduced. ++ * RFC 7606 says: ++ * The "treat-as-withdraw" approach is generally preferred ++ * and the "session reset" approach is discouraged. 
++ */ ++ flog_err(EC_BGP_ATTR_FLAG, ++ "%s(%u) attribute received, while it is not known how to handle it, treating as withdraw", ++ lookup_msg(attr_str, args->type, NULL), args->type); ++ break; + } + +- /* Partial optional attributes that are malformed should not cause +- * the whole session to be reset. Instead treat it as a withdrawal +- * of the routes, if possible. +- */ +- if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS) +- && CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL) +- && CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL)) +- return BGP_ATTR_PARSE_WITHDRAW; +- +- /* default to reset */ +- return BGP_ATTR_PARSE_ERROR_NOTIFYPLS; ++ return BGP_ATTR_PARSE_WITHDRAW; + } + + /* Find out what is wrong with the path attribute flag bits and log the error. +-- +2.34.1 + diff --git a/meta-networking/recipes-protocols/frr/frr_9.1.bb b/meta-networking/recipes-protocols/frr/frr_9.1.bb index 807e4ef8ef..7043cad0f6 100644 --- a/meta-networking/recipes-protocols/frr/frr_9.1.bb +++ b/meta-networking/recipes-protocols/frr/frr_9.1.bb 
@@ -16,6 +16,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \ file://CVE-2024-34088.patch \ file://CVE-2024-31950.patch \ file://CVE-2024-31951.patch \ + file://CVE-2024-31948.patch \ " SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"
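Review bot: hoisting the TRANS/OPTIONAL/PARTIAL flag test above "switch (args->type)" in bgp_attr_malformed (patch 2/2, hunk at -1381) changes the result for every attribute the switch lists, not only unknown ones. A malformed partial optional transitive attribute that the switch would have answered with BGP_ATTR_PARSE_PROCEED, including the BGP_ATTR_PREFIX_SID case added in patch 1/2, now returns BGP_ATTR_PARSE_WITHDRAW before the switch is reached. If that ordering is intended, the comment and the commit message should say so; if not, the flag test belongs after the switch as before.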
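Review bot: the new "default:" arm in bgp_attr_malformed (patch 2/2, hunk at -1418) calls flog_err for every malformed attribute of an unlisted type, which is input a remote peer controls, so the message should be rate-limited or moved to a debug level to keep log volume bounded. The error reference EC_BGP_ATTR_FLAG describes a flag error rather than an unhandled attribute type, so a more specific code would make the log easier to triage. The function's fall-through result also changes from BGP_ATTR_PARSE_ERROR_NOTIFYPLS to BGP_ATTR_PARSE_WITHDRAW while the "default to reset" comment is simply deleted; a one-line comment next to the final "return BGP_ATTR_PARSE_WITHDRAW;" should state the new default.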
From: peng.zhang1.cn@windriver.com
To: openembedded-devel@lists.openembedded.org
Subject: [meta-networking][scarthgap][PATCH 5/5] frr: fix CVE-2024-31949
Date: Tue, 26 Nov 2024 16:11:16 +0800
Message-Id: <20241126081116.2535308-5-peng.zhang1.cn@windriver.com>
In-Reply-To: <20241126081116.2535308-1-peng.zhang1.cn@windriver.com>
References: <20241126081116.2535308-1-peng.zhang1.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114067

From: Zhang Peng

CVE-2024-31949: In FRRouting (FRR) through 9.1, an infinite loop can occur when receiving a MP/GR capability as a dynamic capability because malformed data results in a pointer not advancing.

Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-31949]

Upstream patches: [https://github.com/FRRouting/frr/commit/30a332dad86fafd2b0b6c61d23de59ed969a219b]
Signed-off-by: Zhang Peng --- .../frr/frr/CVE-2024-31949.patch | 163 ++++++++++++++++++ .../recipes-protocols/frr/frr_9.1.bb | 1 + 2 files changed, 164 insertions(+) create mode 100644 meta-networking/recipes-protocols/frr/frr/CVE-2024-31949.patch diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31949.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31949.patch new file mode 100644 index 0000000000..dad0255ead --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31949.patch 
@@ -0,0 +1,163 @@ +From 2779d7d7c4f465f8e117aa4c47982dd60d620bc9 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Sat, 30 Mar 2024 15:35:18 +0200 +Subject: [PATCH] bgpd: Fix errors handling for MP/GR capabilities as dynamic + capability + +When receiving a MP/GR capability as dynamic capability, but malformed, do not +forget to advance the pointer to avoid hitting infinity loop. + +After: +``` +Mar 29 11:15:28 donatas-laptop bgpd[353550]: [GS0AQ-HKY0X] 127.0.0.1 rcv CAPABILITY +Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 5, length 0 +Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 0, length 0 +Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored +Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 0 +Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored +Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 0 +Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored +Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 1 +Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored +Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 +Mar 29 11:15:28 donatas-laptop bgpd[353550]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) +``` + +Before: +``` +Mar 29 
11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions 
afi/safi invalid (bad-value/unicast) +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): 
Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) +Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 +``` + +Reported-by: Iggy Frankovic +Signed-off-by: Donatas Abraitis + +CVE: CVE-2024-31949 +Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/30a332dad86fafd2b0b6c61d23de59ed969a219b] + +Signed-off-by: Zhang Peng +--- + bgpd/bgp_packet.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index cae82cbbb..50e5b54ab 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -3121,6 +3121,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, + zlog_err("%pBP: Capability length error", peer); + bgp_notify_send(peer->connection, BGP_NOTIFY_CEASE, + BGP_NOTIFY_SUBCODE_UNSPECIFIC); ++ pnt += length; + return BGP_Stop; + } + action = *pnt; +@@ -3133,7 +3134,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, + action); + bgp_notify_send(peer->connection, BGP_NOTIFY_CEASE, + BGP_NOTIFY_SUBCODE_UNSPECIFIC); +- return BGP_Stop; ++ goto done; + } + + if (bgp_debug_neighbor_events(peer)) +@@ -3145,12 +3146,13 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, + zlog_err("%pBP: Capability length error", peer); + bgp_notify_send(peer->connection, BGP_NOTIFY_CEASE, + BGP_NOTIFY_SUBCODE_UNSPECIFIC); ++ pnt += length; + return BGP_Stop; + } + + /* Ignore capability when override-capability is set. 
*/ + if (CHECK_FLAG(peer->flags, PEER_FLAG_OVERRIDE_CAPABILITY)) +- continue; ++ goto done; + + capability = lookup_msg(capcode_str, hdr->code, "Unknown"); + +@@ -3165,7 +3167,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, + peer, capability, + sizeof(struct capability_mp_data), + hdr->length); +- return BGP_Stop; ++ goto done; + } + + memcpy(&mpc, pnt + 3, sizeof(struct capability_mp_data)); +@@ -3180,7 +3182,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, + peer, capability, + iana_afi2str(pkt_afi), + iana_safi2str(pkt_safi)); +- continue; ++ goto done; + } + + /* Address family check. */ +@@ -3207,7 +3209,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, + if (peer_active_nego(peer)) + bgp_clear_route(peer, afi, safi); + else +- return BGP_Stop; ++ goto done; + } + break; + case CAPABILITY_CODE_RESTART: +@@ -3217,7 +3219,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, + bgp_notify_send(peer->connection, + BGP_NOTIFY_CEASE, + BGP_NOTIFY_SUBCODE_UNSPECIFIC); +- return BGP_Stop; ++ goto done; + } + + bgp_dynamic_capability_graceful_restart(pnt, action, +@@ -3243,7 +3245,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, + bgp_notify_send(peer->connection, + BGP_NOTIFY_CEASE, + BGP_NOTIFY_SUBCODE_UNSPECIFIC); +- return BGP_Stop; ++ goto done; + } + + uint8_t role; +@@ -3265,6 +3267,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, + break; + } + ++done: + pnt += hdr->length + 3; + } + +-- +2.34.1 + diff --git a/meta-networking/recipes-protocols/frr/frr_9.1.bb b/meta-networking/recipes-protocols/frr/frr_9.1.bb index 7043cad0f6..7c1691259d 100644 --- a/meta-networking/recipes-protocols/frr/frr_9.1.bb +++ b/meta-networking/recipes-protocols/frr/frr_9.1.bb 
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \ file://CVE-2024-31950.patch \ file://CVE-2024-31951.patch \ file://CVE-2024-31948.patch \ + file://CVE-2024-31949.patch \ " SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"
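Review bot: in the bgpd/bgp_packet.c hunks at -3121 and -3145, the added `pnt += length;` sits directly before `return BGP_Stop;` and has no effect. `pnt` is a by-value parameter (`uint8_t *pnt`) and nothing reads it between the increment and the return. Either drop the two lines or say in the commit message that they are kept only to stay identical to the upstream commit, so a later reader does not take them for part of the fix.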
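Review bot: in the hunk at -3133, and again at -3165, -3217 and -3243, `return BGP_Stop;` becomes `goto done;` right after `bgp_notify_send(... BGP_NOTIFY_CEASE ...)`, so the loop goes on parsing the remaining capabilities of a message that has already drawn a NOTIFICATION, and these paths no longer return `BGP_Stop` from here. Please confirm what the function returns once the loop ends and that the caller still stops processing for this peer. If that is not guaranteed, record the error in a local and return `BGP_Stop` after the loop. Since `done:` advances by `hdr->length + 3`, the jump at -3133 also relies on `hdr` being assigned before the action check, which the visible context does not show.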
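Review bot: the `done:` label added in the hunk at -3265 has no comment stating that every path through the loop body must reach `pnt += hdr->length + 3;`. The two `continue;` statements replaced at -3145 and -3180 skipped that advance, which fits the identical CAPABILITY log lines repeated in the commit message. A one-line comment at the label would keep a later `continue` from reintroducing the same non-advancing loop. A test that feeds a dynamic capability with an invalid afi/safi and checks that parsing terminates would cover the regression.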