rpms/frr
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: RHEL-32134 - buffer overflow and daemon crash in ospf_te_parse_ri

Browse Source
This commit is contained in:
Michal Ruprich 2024-06-12 09:28:42 +02:00
parent cdeacb4fe0
commit 2d1a531a5b
2 changed files with 46 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
0010-CVE-2024-31950.patch Normal file
View File

@ -0,0 +1,41 @@
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index ce6533a..70ea4af 100644
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -2477,6 +2477,9 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
switch (ntohs(tlvh->type)) {
case RI_SR_TLV_SR_ALGORITHM:
+ if (TLV_BODY_SIZE(tlvh) < 1 ||
+ TLV_BODY_SIZE(tlvh) > ALGORITHM_COUNT)
+ break;
algo = (struct ri_sr_tlv_sr_algorithm *)tlvh;
for (int i = 0; i < ntohs(algo->header.length); i++) {
@@ -2501,6 +2504,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
break;
case RI_SR_TLV_SRGB_LABEL_RANGE:
+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
+ break;
range = (struct ri_sr_tlv_sid_label_range *)tlvh;
size = GET_RANGE_SIZE(ntohl(range->size));
lower = GET_LABEL(ntohl(range->lower.value));
@@ -2518,6 +2523,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
break;
case RI_SR_TLV_SRLB_LABEL_RANGE:
+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
+ break;
range = (struct ri_sr_tlv_sid_label_range *)tlvh;
size = GET_RANGE_SIZE(ntohl(range->size));
lower = GET_LABEL(ntohl(range->lower.value));
@@ -2535,6 +2542,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
break;
case RI_SR_TLV_NODE_MSD:
+ if (TLV_BODY_SIZE(tlvh) < RI_SR_TLV_NODE_MSD_SIZE)
+ break;
msd = (struct ri_sr_tlv_node_msd *)tlvh;
if ((CHECK_FLAG(node->flags, LS_NODE_MSD))
&& (node->msd == msd->value))

6
frr.spec
View File

@ -9,7 +9,7 @@
Name: frr Name: frr
Version: 9.1 Version: 9.1
Release: 9%{?dist} Release: 10%{?dist}
Summary: Routing daemon Summary: Routing daemon
License: GPL-2.0-or-later AND ISC AND LGPL-2.0-or-later AND BSD-2-Clause AND BSD-3-Clause AND (GPL-2.0-or-later OR ISC) AND MIT License: GPL-2.0-or-later AND ISC AND LGPL-2.0-or-later AND BSD-2-Clause AND BSD-3-Clause AND (GPL-2.0-or-later OR ISC) AND MIT
URL: http://www.frrouting.org URL: http://www.frrouting.org
@ -30,6 +30,7 @@ Patch0006: 0006-CVE-2024-31948.patch
Patch0007: 0007-CVE-2024-31949.patch Patch0007: 0007-CVE-2024-31949.patch
Patch0008: 0008-CVE-2024-34088.patch Patch0008: 0008-CVE-2024-34088.patch
Patch0009: 0009-CVE-2024-31951.patch Patch0009: 0009-CVE-2024-31951.patch
Patch0010: 0010-CVE-2024-31950.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
@ -280,6 +281,9 @@ rm tests/lib/*grpc*
%endif %endif
%changelog %changelog
* Wed Jun 12 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-10
- Resolves: RHEL-32134 - buffer overflow and daemon crash in ospf_te_parse_ri
* Wed Jun 12 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-9 * Wed Jun 12 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-9
- Resolves: RHEL-32138 - buffer overflow in ospf_te_parse_ext_link - Resolves: RHEL-32138 - buffer overflow in ospf_te_parse_ext_link