frr: fix CVE-2024-31950

CVE-2024-31950:
In FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in
ospf_te_parse_ri for OSPF LSA packets during an attempt to read Segment Routing subTLVs
(their size is not validated).

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-31950]

Upstream patches:
[https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

meta-networking/recipes-protocols/frr/frr/CVE-2024-31950.patch

@@ -0,0 +1,68 @@
+From f69d1313b19047d3d83fc2b36a518355b861dfc4 Mon Sep 17 00:00:00 2001
+From: Olivier Dugeon <olivier.dugeon@orange.com>
+Date: Wed, 3 Apr 2024 16:28:23 +0200
+Subject: [PATCH] ospfd: Solved crash in RI parsing with OSPF TE
+
+Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
+LSA packets. The crash occurs in ospf_te_parse_ri() function when attemping to
+read Segment Routing subTLVs. The original code doesn't check if the size of
+the SR subTLVs have the correct length. In presence of erronous LSA, this will
+cause a buffer overflow and ospfd crash.
+
+This patch introduces new verification of the subTLVs size for Router
+Information TLV.
+
+Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
+
+CVE: CVE-2024-31950
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ ospfd/ospf_te.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index 359dc1f5d4b8..091669d8ed36 100644
+--- a/ospfd/ospf_te.c
++++ b/ospfd/ospf_te.c
+@@ -2456,6 +2456,9 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 
+ 		switch (ntohs(tlvh->type)) {
+ 		case RI_SR_TLV_SR_ALGORITHM:
++			if (TLV_BODY_SIZE(tlvh) < 1 ||
++			    TLV_BODY_SIZE(tlvh) > ALGORITHM_COUNT)
++				break;
+ 			algo = (struct ri_sr_tlv_sr_algorithm *)tlvh;
+ 
+ 			for (int i = 0; i < ntohs(algo->header.length); i++) {
+@@ -2480,6 +2483,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 			break;
+ 
+ 		case RI_SR_TLV_SRGB_LABEL_RANGE:
++			if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
++				break;
+ 			range = (struct ri_sr_tlv_sid_label_range *)tlvh;
+ 			size = GET_RANGE_SIZE(ntohl(range->size));
+ 			lower = GET_LABEL(ntohl(range->lower.value));
+@@ -2497,6 +2502,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 			break;
+ 
+ 		case RI_SR_TLV_SRLB_LABEL_RANGE:
++			if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
++				break;
+ 			range = (struct ri_sr_tlv_sid_label_range *)tlvh;
+ 			size = GET_RANGE_SIZE(ntohl(range->size));
+ 			lower = GET_LABEL(ntohl(range->lower.value));
+@@ -2514,6 +2521,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 			break;
+ 
+ 		case RI_SR_TLV_NODE_MSD:
++			if (TLV_BODY_SIZE(tlvh) < RI_SR_TLV_NODE_MSD_SIZE)
++				break;
+ 			msd = (struct ri_sr_tlv_node_msd *)tlvh;
+ 			if ((CHECK_FLAG(node->flags, LS_NODE_MSD))
+ 			    && (node->msd == msd->value))
+--
+2.34.1

meta-networking/recipes-protocols/frr/frr_9.1.bb

@@ -14,6 +14,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \
            file://frr.pam \
            file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \
            file://CVE-2024-34088.patch \
+           file://CVE-2024-31950.patch \
            "
 
 SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"