mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
frr: fix CVE-2024-31950
CVE-2024-31950: In FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ri for OSPF LSA packets during an attempt to read Segment Routing subTLVs (their size is not validated). Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-31950] Upstream patches: [https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
@@ -0,0 +1,68 @@
|
|||||||
|
From f69d1313b19047d3d83fc2b36a518355b861dfc4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Olivier Dugeon <olivier.dugeon@orange.com>
|
||||||
|
Date: Wed, 3 Apr 2024 16:28:23 +0200
|
||||||
|
Subject: [PATCH] ospfd: Solved crash in RI parsing with OSPF TE
|
||||||
|
|
||||||
|
Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
|
||||||
|
LSA packets. The crash occurs in ospf_te_parse_ri() function when attemping to
|
||||||
|
read Segment Routing subTLVs. The original code doesn't check if the size of
|
||||||
|
the SR subTLVs have the correct length. In presence of erronous LSA, this will
|
||||||
|
cause a buffer overflow and ospfd crash.
|
||||||
|
|
||||||
|
This patch introduces new verification of the subTLVs size for Router
|
||||||
|
Information TLV.
|
||||||
|
|
||||||
|
Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
|
||||||
|
Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
|
||||||
|
|
||||||
|
CVE: CVE-2024-31950
|
||||||
|
Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4]
|
||||||
|
|
||||||
|
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
|
||||||
|
---
|
||||||
|
ospfd/ospf_te.c | 9 +++++++++
|
||||||
|
1 file changed, 9 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
|
||||||
|
index 359dc1f5d4b8..091669d8ed36 100644
|
||||||
|
--- a/ospfd/ospf_te.c
|
||||||
|
+++ b/ospfd/ospf_te.c
|
||||||
|
@@ -2456,6 +2456,9 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
|
||||||
|
|
||||||
|
switch (ntohs(tlvh->type)) {
|
||||||
|
case RI_SR_TLV_SR_ALGORITHM:
|
||||||
|
+ if (TLV_BODY_SIZE(tlvh) < 1 ||
|
||||||
|
+ TLV_BODY_SIZE(tlvh) > ALGORITHM_COUNT)
|
||||||
|
+ break;
|
||||||
|
algo = (struct ri_sr_tlv_sr_algorithm *)tlvh;
|
||||||
|
|
||||||
|
for (int i = 0; i < ntohs(algo->header.length); i++) {
|
||||||
|
@@ -2480,6 +2483,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
|
||||||
|
break;
|
||||||
|
|
||||||
|
case RI_SR_TLV_SRGB_LABEL_RANGE:
|
||||||
|
+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
|
||||||
|
+ break;
|
||||||
|
range = (struct ri_sr_tlv_sid_label_range *)tlvh;
|
||||||
|
size = GET_RANGE_SIZE(ntohl(range->size));
|
||||||
|
lower = GET_LABEL(ntohl(range->lower.value));
|
||||||
|
@@ -2497,6 +2502,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
|
||||||
|
break;
|
||||||
|
|
||||||
|
case RI_SR_TLV_SRLB_LABEL_RANGE:
|
||||||
|
+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
|
||||||
|
+ break;
|
||||||
|
range = (struct ri_sr_tlv_sid_label_range *)tlvh;
|
||||||
|
size = GET_RANGE_SIZE(ntohl(range->size));
|
||||||
|
lower = GET_LABEL(ntohl(range->lower.value));
|
||||||
|
@@ -2514,6 +2521,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
|
||||||
|
break;
|
||||||
|
|
||||||
|
case RI_SR_TLV_NODE_MSD:
|
||||||
|
+ if (TLV_BODY_SIZE(tlvh) < RI_SR_TLV_NODE_MSD_SIZE)
|
||||||
|
+ break;
|
||||||
|
msd = (struct ri_sr_tlv_node_msd *)tlvh;
|
||||||
|
if ((CHECK_FLAG(node->flags, LS_NODE_MSD))
|
||||||
|
&& (node->msd == msd->value))
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
@@ -14,6 +14,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \
|
|||||||
file://frr.pam \
|
file://frr.pam \
|
||||||
file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \
|
file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \
|
||||||
file://CVE-2024-34088.patch \
|
file://CVE-2024-34088.patch \
|
||||||
|
file://CVE-2024-31950.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"
|
SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"
|
||||||
|
|||||||
Reference in New Issue
Block a user