diff --git a/.gitignore b/.gitignore
index 59edda5..a258b7f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,3 +19,4 @@
 /frr-8.5.2.tar.gz
 /frr-9.0.1.tar.gz
 /frr-9.1.tar.gz
+/frr-10.1.tar.gz
diff --git a/0004-fips-mode.patch b/0004-fips-mode.patch
index ed324e8..6c0501b 100644
--- a/0004-fips-mode.patch
+++ b/0004-fips-mode.patch
@@ -2,6 +2,17 @@ diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
 index 631465f..e084ff3 100644
 --- a/ospfd/ospf_vty.c
 +++ b/ospfd/ospf_vty.c
+@@ -7,6 +7,10 @@
+ #include
+ #include
++#ifdef CRYPTO_OPENSSL
++#include
++#endif
++
+ #include "printfrr.h"
+ #include "monotime.h"
+ #include "memory.h"
 @@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink,
 vl_config.keychain = argv[idx+1]->arg;
 } else if (argv_find(argv, argc, "message-digest", &idx)) {
@@ -58,6 +69,17 @@ diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
 index 81b4b39..cce33d9 100644
 --- a/isisd/isis_circuit.c
 +++ b/isisd/isis_circuit.c
+@@ -13,6 +13,10 @@
+ #include
+ #endif
++#ifdef CRYPTO_OPENSSL
++#include
++#endif
++
+ #include "log.h"
+ #include "memory.h"
+ #include "vrf.h"
 @@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit,
 return ferr_code_bug(
 "circuit password too long (max 254 chars)");
@@ -73,6 +95,17 @@ diff --git a/isisd/isisd.c b/isisd/isisd.c
 index 419127c..a6c36af 100644
 --- a/isisd/isisd.c
 +++ b/isisd/isisd.c
+@@ -9,6 +9,10 @@
+
+ #include
++#ifdef CRYPTO_OPENSSL
++#include
++#endif
++
+ #include "frrevent.h"
+ #include "vty.h"
+ #include "command.h"
 @@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
 if (len > 254)
 return -1;
@@ -88,6 +121,17 @@ diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
 index 5bb81ef..02a09ef 100644
 --- a/ripd/rip_cli.c
 +++ b/ripd/rip_cli.c
+@@ -7,6 +7,10 @@
+
+ #include
++#ifdef CRYPTO_OPENSSL
++#include
++#endif
++
+ #include "if.h"
+ #include "if_rmap.h"
+ #include "vrf.h"
 @@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode,
 value = "20";
 }
@@ -101,15 +145,3 @@ index 5bb81ef..02a09ef 100644
 nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY, strmatch(mode, "md5") ? "md5" : "plain-text");
 if (strmatch(mode, "md5"))
-diff --git a/lib/zebra.h
-index 53ae5b4..930307f 100644
---- a/lib/zebra.h
-+++ b/lib/zebra.h
-@@ -114,6 +114,7 @@
- #ifdef CRYPTO_OPENSSL
- #include
- #include
-+#include
- #endif
-
- #include "openbsd-tree.h"
diff --git a/0005-remove-grpc-test.patch b/0005-remove-grpc-test.patch
index a22d9d6..148c1ea 100644
--- a/0005-remove-grpc-test.patch
+++ b/0005-remove-grpc-test.patch
@@ -2,12 +2,12 @@ diff --git a/tests/lib/subdir.am b/tests/lib/subdir.am
 index 7b5eaa4..5c82f69 100644
 --- a/tests/lib/subdir.am
 +++ b/tests/lib/subdir.am
-@@ -18,18 +18,6 @@ tests_lib_test_frrscript_SOURCES = tests/lib/test_frrscript.c
+@@ -18,22 +18,6 @@ tests_lib_test_frrscript_SOURCES = tests/lib/test_frrscript.c
 test -e tests/lib/script1.lua || \
 $(INSTALL_SCRIPT) $< tests/lib/script1.lua
 -##############################################################################
--GRPC_TESTS_LDADD = staticd/libstatic.a grpc/libfrrgrpc_pb.la -lgrpc++ -lprotobuf $(ALL_TESTS_LDADD) $(LIBYANG_LIBS) -lm
+-GRPC_TESTS_LDADD = mgmtd/libmgmt_be_nb.la staticd/libstatic.a grpc/libfrrgrpc_pb.la $(GRPC_LIBS) $(ALL_TESTS_LDADD) $(LIBYANG_LIBS) -lm
 -
 -if GRPC
 -check_PROGRAMS += tests/lib/test_grpc
@@ -16,6 +16,10 @@ index 7b5eaa4..5c82f69 100644
 -tests_lib_test_grpc_CPPFLAGS = $(TESTS_CPPFLAGS)
 -tests_lib_test_grpc_LDADD = $(GRPC_TESTS_LDADD)
 -tests_lib_test_grpc_SOURCES = tests/lib/test_grpc.cpp
+-nodist_tests_lib_test_grpc_SOURCES = \
+- yang/frr-bfdd.yang.c \
+- yang/frr-staticd.yang.c \
+- # end
 -
 -
 ##############################################################################
diff --git a/0006-CVE-2024-31948.patch b/0006-CVE-2024-31948.patch
deleted file mode 100644
index 9aa1a89..0000000
--- a/0006-CVE-2024-31948.patch
+++ /dev/null
@@ -1,79 +0,0 @@ -diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c -index 56e77eb..797f05d 100644 ---- a/bgpd/bgp_attr.c -+++ b/bgpd/bgp_attr.c -@@ -1381,6 +1381,15 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, - (args->startp - STREAM_DATA(BGP_INPUT(peer))) - + args->total); - -+ /* Partial optional attributes that are malformed should not cause -+ * the whole session to be reset. Instead treat it as a withdrawal -+ * of the routes, if possible. -+ */ -+ if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS) && -+ CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL) && -+ CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL)) -+ return BGP_ATTR_PARSE_WITHDRAW; -+ - switch (args->type) { - /* where an attribute is relatively inconsequential, e.g. it does not - * affect route selection, and can be safely ignored, then any such -@@ -1390,6 +1399,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, - case BGP_ATTR_AS4_AGGREGATOR: - case BGP_ATTR_AGGREGATOR: - case BGP_ATTR_ATOMIC_AGGREGATE: -+ case BGP_ATTR_PREFIX_SID: - return BGP_ATTR_PARSE_PROCEED; - - /* Core attributes, particularly ones which may influence route -@@ -1417,19 +1427,21 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, - BGP_NOTIFY_UPDATE_ERR, subcode, - notify_datap, length); - return BGP_ATTR_PARSE_ERROR; -+ default: -+ /* Unknown attributes, that are handled by this function -+ * should be treated as withdraw, to prevent one more CVE -+ * from being introduced. -+ * RFC 7606 says: -+ * The "treat-as-withdraw" approach is generally preferred -+ * and the "session reset" approach is discouraged. -+ */ -+ flog_err(EC_BGP_ATTR_FLAG, -+ "%s(%u) attribute received, while it is not known how to handle it, treating as withdraw", -+ lookup_msg(attr_str, args->type, NULL), args->type); -+ break; - } - -- /* Partial optional attributes that are malformed should not cause -- * the whole session to be reset. 
Instead treat it as a withdrawal -- * of the routes, if possible. -- */ -- if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS) -- && CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL) -- && CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL)) -- return BGP_ATTR_PARSE_WITHDRAW; -- -- /* default to reset */ -- return BGP_ATTR_PARSE_ERROR_NOTIFYPLS; -+ return BGP_ATTR_PARSE_WITHDRAW; - } - - /* Find out what is wrong with the path attribute flag bits and log the error. -@@ -3144,8 +3156,6 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args) - struct attr *const attr = args->attr; - enum bgp_attr_parse_ret ret; - -- attr->flag |= ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID); -- - uint8_t type; - uint16_t length; - size_t headersz = sizeof(type) + sizeof(length); -@@ -3195,6 +3205,8 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args) - } - } - -+ SET_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID)); -+ - return BGP_ATTR_PARSE_PROCEED; - } - diff --git a/0006-noprefixroute-network-manager.patch b/0006-noprefixroute-network-manager.patch new file mode 100644 index 0000000..a1c2c79 --- /dev/null +++ b/0006-noprefixroute-network-manager.patch 
@@ -0,0 +1,167 @@
+--- b/tests/topotests/zebra_multiple_connected/test_zebra_multiple_connected.py
++++ a/tests/topotests/zebra_multiple_connected/test_zebra_multiple_connected.py
+@@ -144,23 +144,6 @@
+ assert result is None, "Kernel route is missing from zebra"
+
+
+-def test_zebra_noprefix_connected():
+- "Test that a noprefixroute created does not create a connected route"
+-
+- tgen = get_topogen()
+- if tgen.routers_have_failure():
+- pytest.skip(tgen.errors)
+-
+- router = tgen.gears["r1"]
+- router.run("ip addr add 192.168.44.1/24 dev r1-eth1 noprefixroute")
+- expected = "% Network not in table"
+- test_func = partial(
+- topotest.router_output_cmp, router, "show ip route 192.168.44.0/24", expected
+- )
+- result, diff = topotest.run_and_expect(test_func, "", count=20, wait=1)
+- assert result, "Connected Route should not have been added"
+-
+-
+ if __name__ == "__main__":
+ args = ["-s"] + sys.argv[1:]
+ sys.exit(pytest.main(args))
+--- b/zebra/if_netlink.c
++++ a/zebra/if_netlink.c
+@@ -1423,9 +1423,6 @@
+ if (kernel_flags & IFA_F_SECONDARY)
+ dplane_ctx_intf_set_secondary(ctx);
+
+- if (kernel_flags & IFA_F_NOPREFIXROUTE)
+- dplane_ctx_intf_set_noprefixroute(ctx);
+-
+ /* Label */
+ if (tb[IFA_LABEL]) {
+ label = (char *)RTA_DATA(tb[IFA_LABEL]);
+--- b/zebra/zebra_dplane.c
++++ a/zebra/zebra_dplane.c
+@@ -230,7 +230,6 @@
+ #define DPLANE_INTF_BROADCAST (1 << 2)
+ #define DPLANE_INTF_HAS_DEST DPLANE_INTF_CONNECTED
+ #define DPLANE_INTF_HAS_LABEL (1 << 4)
+-#define DPLANE_INTF_NOPREFIXROUTE (1 << 5)
+
+ /* Interface address/prefix */
+ struct prefix prefix;
+@@ -2542,13 +2541,6 @@
+ return (ctx->u.intf.flags & DPLANE_INTF_CONNECTED);
+ }
+
+-bool dplane_ctx_intf_is_noprefixroute(const struct zebra_dplane_ctx *ctx)
+-{
+- DPLANE_CTX_VALID(ctx);
+-
+- return (ctx->u.intf.flags & DPLANE_INTF_NOPREFIXROUTE);
+-}
+-
+ bool dplane_ctx_intf_is_secondary(const struct zebra_dplane_ctx *ctx)
+ {
+ DPLANE_CTX_VALID(ctx);
+@@ -2577,13 +2569,6 @@
+ ctx->u.intf.flags |= DPLANE_INTF_SECONDARY;
+ }
+
+-void dplane_ctx_intf_set_noprefixroute(struct zebra_dplane_ctx *ctx)
+-{
+- DPLANE_CTX_VALID(ctx);
+-
+- ctx->u.intf.flags |= DPLANE_INTF_NOPREFIXROUTE;
+-}
+-
+ void dplane_ctx_intf_set_broadcast(struct zebra_dplane_ctx *ctx)
+ {
+ DPLANE_CTX_VALID(ctx);
+--- b/zebra/zebra_dplane.h
++++ a/zebra/zebra_dplane.h
+@@ -658,8 +658,6 @@
+ void dplane_ctx_intf_set_connected(struct zebra_dplane_ctx *ctx);
+ bool dplane_ctx_intf_is_secondary(const struct zebra_dplane_ctx *ctx);
+ void dplane_ctx_intf_set_secondary(struct zebra_dplane_ctx *ctx);
+-bool dplane_ctx_intf_is_noprefixroute(const struct zebra_dplane_ctx *ctx);
+-void dplane_ctx_intf_set_noprefixroute(struct zebra_dplane_ctx *ctx);
+ bool dplane_ctx_intf_is_broadcast(const struct zebra_dplane_ctx *ctx);
+ void dplane_ctx_intf_set_broadcast(struct zebra_dplane_ctx *ctx);
+ const struct prefix *dplane_ctx_get_intf_addr(
+--- b/lib/if.h
++++ a/lib/if.h
+@@ -434,8 +434,6 @@
+ #define ZEBRA_IFA_SECONDARY (1 << 0)
+ #define ZEBRA_IFA_PEER (1 << 1)
+ #define ZEBRA_IFA_UNNUMBERED (1 << 2)
+-#define ZEBRA_IFA_NOPREFIXROUTE (1 << 3)
+-
+ /* N.B. the ZEBRA_IFA_PEER flag should be set if and only if
+ a peer address has been configured. If this flag is set,
+ the destination field must contain the peer address.
+--- b/zebra/connected.c
++++ a/zebra/connected.c
+@@ -282,15 +282,13 @@
+ return;
+ }
+
++ rib_add(afi, SAFI_UNICAST, zvrf->vrf->vrf_id, ZEBRA_ROUTE_CONNECT, 0,
++ flags, &p, NULL, &nh, 0, zvrf->table_id, metric, 0, 0, 0,
++ false);
+- if (!CHECK_FLAG(ifc->flags, ZEBRA_IFA_NOPREFIXROUTE)) {
+- rib_add(afi, SAFI_UNICAST, zvrf->vrf->vrf_id,
+- ZEBRA_ROUTE_CONNECT, 0, flags, &p, NULL, &nh, 0,
+- zvrf->table_id, metric, 0, 0, 0, false);
+
++ rib_add(afi, SAFI_MULTICAST, zvrf->vrf->vrf_id, ZEBRA_ROUTE_CONNECT, 0,
++ flags, &p, NULL, &nh, 0, zvrf->table_id, metric, 0, 0, 0,
++ false);
+- rib_add(afi, SAFI_MULTICAST, zvrf->vrf->vrf_id,
+- ZEBRA_ROUTE_CONNECT, 0, flags, &p, NULL, &nh, 0,
+- zvrf->table_id, metric, 0, 0, 0, false);
+- }
+
+ if (install_local) {
+ rib_add(afi, SAFI_UNICAST, zvrf->vrf->vrf_id, ZEBRA_ROUTE_LOCAL,
+@@ -483,15 +481,11 @@
+ * Same logic as for connected_up(): push the changes into the
+ * head.
+ */
++ rib_delete(afi, SAFI_UNICAST, zvrf->vrf->vrf_id, ZEBRA_ROUTE_CONNECT, 0,
++ 0, &p, NULL, &nh, 0, zvrf->table_id, 0, 0, false);
+- if (!CHECK_FLAG(ifc->flags, ZEBRA_IFA_NOPREFIXROUTE)) {
+- rib_delete(afi, SAFI_UNICAST, zvrf->vrf->vrf_id,
+- ZEBRA_ROUTE_CONNECT, 0, 0, &p, NULL, &nh, 0,
+- zvrf->table_id, 0, 0, false);
+
++ rib_delete(afi, SAFI_MULTICAST, zvrf->vrf->vrf_id, ZEBRA_ROUTE_CONNECT,
++ 0, 0, &p, NULL, &nh, 0, zvrf->table_id, 0, 0, false);
+- rib_delete(afi, SAFI_MULTICAST, zvrf->vrf->vrf_id,
+- ZEBRA_ROUTE_CONNECT, 0, 0, &p, NULL, &nh, 0,
+- zvrf->table_id, 0, 0, false);
+- }
+
+ if (remove_local) {
+ rib_delete(afi, SAFI_UNICAST, zvrf->vrf->vrf_id,
+--- b/zebra/interface.c
++++ a/zebra/interface.c
+@@ -1317,9 +1317,6 @@
+ if (dplane_ctx_intf_is_secondary(ctx))
+ SET_FLAG(flags, ZEBRA_IFA_SECONDARY);
+
+- if (dplane_ctx_intf_is_noprefixroute(ctx))
+- SET_FLAG(flags, ZEBRA_IFA_NOPREFIXROUTE);
+-
+ /* Label? */
+ if (dplane_ctx_intf_has_label(ctx))
+ label = dplane_ctx_get_intf_label(ctx);
+@@ -2337,12 +2334,6 @@
+ else if (CHECK_FLAG(connected->flags, ZEBRA_IFA_SECONDARY))
+ vty_out(vty, " secondary");
+
+- if (json)
+- json_object_boolean_add(json_addr, "noPrefixRoute",
+- CHECK_FLAG(connected->flags, ZEBRA_IFA_NOPREFIXROUTE));
+- else if (CHECK_FLAG(connected->flags, ZEBRA_IFA_NOPREFIXROUTE))
+- vty_out(vty, " noprefixroute");
+-
+ if (json)
+ json_object_boolean_add(
+ json_addr, "unnumbered",
diff --git a/0007-CVE-2024-31949.patch b/0007-CVE-2024-31949.patch
deleted file mode 100644
index 95260bb..0000000
--- a/0007-CVE-2024-31949.patch
+++ /dev/null
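Review bot: The patch carries no header explaining the change, and its `--- b/` / `+++ a/` file headers (plus the `++`-before-`+-` line ordering in the zebra/connected.c hunks) show it is an upstream commit applied in reverse, so the next rebase has nothing identifying which commit is reverted or why; add a `Subject:`/description block at the top naming the upstream commit and the NetworkManager interaction the filename hints at. Functionally, `connected_up()` and `connected_down()` now call `rib_add()`/`rib_delete()` for `ZEBRA_ROUTE_CONNECT` unconditionally and zebra/if_netlink.c no longer records `IFA_F_NOPREFIXROUTE`, so an address the kernel carries with that flag again yields a connected route in zebra and can then be picked up by daemons configured with `redistribute connected` — presumably the intent for NetworkManager-managed addresses, but it is a routing-policy change that belongs in the description and the spec changelog. The topotest `test_zebra_noprefix_connected` is deleted outright rather than inverted, leaving the downstream behaviour untested; keeping it with the expectation flipped (the `192.168.44.0/24` connected route must now appear in `show ip route`) would guard the revert across rebases. `connected_up()` and `connected_down()` both start and end outside their hunks.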
@@ -1,156 +0,0 @@ -From 2a5ea423efe179c018b836a1c5a256c93ae429ef Mon Sep 17 00:00:00 2001 -From: Donatas Abraitis -Date: Sat, 30 Mar 2024 15:35:18 +0200 -Subject: [PATCH] bgpd: Fix errors handling for MP/GR capabilities as dynamic - capability - -When receiving a MP/GR capability as dynamic capability, but malformed, do not -forget to advance the pointer to avoid hitting infinity loop. - -After: -``` -Mar 29 11:15:28 donatas-laptop bgpd[353550]: [GS0AQ-HKY0X] 127.0.0.1 rcv CAPABILITY -Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 5, length 0 -Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 0, length 0 -Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored -Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 0 -Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored -Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 0 -Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored -Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 0, code: 0, length 1 -Mar 29 11:15:28 donatas-laptop bgpd[353550]: [HFHDS-QT71N][EC 33554494] 127.0.0.1(donatas-pc): unrecognized capability code: 0 - ignored -Mar 29 11:15:28 donatas-laptop bgpd[353550]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 -Mar 29 11:15:28 donatas-laptop bgpd[353550]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) -``` - -Before: -``` -Mar 29 
11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions 
afi/safi invalid (bad-value/unicast) -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): 
Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [Z1DRQ-N6Z5F] 127.0.0.1(donatas-pc): Dynamic Capability MultiProtocol Extensions afi/safi invalid (bad-value/unicast) -Mar 29 11:14:54 donatas-laptop bgpd[347675]: [JTVED-VGTQQ] 127.0.0.1(donatas-pc): CAPABILITY has action: 1, code: 1, length 10 -``` - -Reported-by: Iggy Frankovic -Signed-off-by: Donatas Abraitis -(cherry picked from commit 30a332dad86fafd2b0b6c61d23de59ed969a219b) ---- - bgpd/bgp_packet.c | 17 ++++++++++------- - 1 file changed, 10 insertions(+), 7 deletions(-) - -diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c -index 7d6a6b55e8d8..1f808eea725a 100644 ---- a/bgpd/bgp_packet.c -+++ b/bgpd/bgp_packet.c -@@ -3610,6 +3610,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, - zlog_err("%pBP: Capability length error", peer); - bgp_notify_send(peer->connection, BGP_NOTIFY_CEASE, - BGP_NOTIFY_SUBCODE_UNSPECIFIC); -+ pnt += length; - return BGP_Stop; - } - action = *pnt; -@@ -3622,7 +3623,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, - action); - bgp_notify_send(peer->connection, BGP_NOTIFY_CEASE, - BGP_NOTIFY_SUBCODE_UNSPECIFIC); -- return BGP_Stop; -+ goto done; - } - - if (bgp_debug_neighbor_events(peer)) -@@ -3634,12 +3635,13 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, - zlog_err("%pBP: Capability length error", peer); - bgp_notify_send(peer->connection, BGP_NOTIFY_CEASE, - BGP_NOTIFY_SUBCODE_UNSPECIFIC); -+ pnt += length; - return BGP_Stop; - } - - /* Ignore capability when override-capability is set. 
*/ - if (CHECK_FLAG(peer->flags, PEER_FLAG_OVERRIDE_CAPABILITY)) -- continue; -+ goto done; - - capability = lookup_msg(capcode_str, hdr->code, "Unknown"); - -@@ -3654,7 +3656,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, - peer, capability, - sizeof(struct capability_mp_data), - hdr->length); -- return BGP_Stop; -+ goto done; - } - - memcpy(&mpc, pnt + 3, sizeof(struct capability_mp_data)); -@@ -3669,7 +3671,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, - peer, capability, - iana_afi2str(pkt_afi), - iana_safi2str(pkt_safi)); -- continue; -+ goto done; - } - - /* Address family check. */ -@@ -3696,7 +3698,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, - if (peer_active_nego(peer)) - bgp_clear_route(peer, afi, safi); - else -- return BGP_Stop; -+ goto done; - } - break; - case CAPABILITY_CODE_RESTART: -@@ -3706,7 +3708,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, - bgp_notify_send(peer->connection, - BGP_NOTIFY_CEASE, - BGP_NOTIFY_SUBCODE_UNSPECIFIC); -- return BGP_Stop; -+ goto done; - } - - bgp_dynamic_capability_graceful_restart(pnt, action, -@@ -3738,7 +3740,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, - bgp_notify_send(peer->connection, - BGP_NOTIFY_CEASE, - BGP_NOTIFY_SUBCODE_UNSPECIFIC); -- return BGP_Stop; -+ goto done; - } - - uint8_t role; -@@ -3760,6 +3762,7 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, - break; - } - -+done: - pnt += hdr->length + 3; - } - diff --git a/0008-CVE-2024-34088.patch b/0008-CVE-2024-34088.patch deleted file mode 100644 index 38f32f5..0000000 --- a/0008-CVE-2024-34088.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c -index 3cf39e5..1c94a2c 100644 ---- a/ospfd/ospf_te.c -+++ b/ospfd/ospf_te.c -@@ -1669,6 +1669,11 @@ static struct ls_edge *get_edge(struct ls_ted *ted, struct ls_node_id adv, - struct ls_edge *edge; - struct ls_attributes *attr; - -+ /* Check that Link ID and Node ID are valid */ -+ if (IPV4_NET0(link_id.s_addr) || IPV4_NET0(adv.id.ip.addr.s_addr) || -+ adv.origin != OSPFv2) -+ return NULL; -+ - /* Search Edge that corresponds to the Link ID */ - key.family = AF_INET; - IPV4_ADDR_COPY(&key.k.addr, &link_id); -@@ -1742,6 +1747,10 @@ static void ospf_te_update_link(struct ls_ted *ted, struct ls_vertex *vertex, - - /* Get Corresponding Edge from Link State Data Base */ - edge = get_edge(ted, vertex->node->adv, link_data); -+ if (!edge) { -+ ote_debug(" |- Found no edge from Link Data. Abort!"); -+ return; -+ } - attr = edge->attributes; - - /* re-attached edge to vertex if needed */ -@@ -2261,6 +2270,10 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa) - - /* Get corresponding Edge from Link State Data Base */ - edge = get_edge(ted, attr.adv, attr.standard.local); -+ if (!edge) { -+ ote_debug(" |- Found no edge from Link local add./ID. Abort!"); -+ return -1; -+ } - old = edge->attributes; - - ote_debug(" |- Process Traffic Engineering LSA %pI4 for Edge %pI4", -@@ -2745,6 +2758,10 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa) - lnid.id.ip.area_id = lsa->area->area_id; - ext = (struct ext_tlv_link *)TLV_HDR_TOP(lsa->data); - edge = get_edge(ted, lnid, ext->link_data); -+ if (!edge) { -+ ote_debug(" |- Found no edge from Extended Link Data. Abort!"); -+ return -1; -+ } - atr = edge->attributes; - - ote_debug(" |- Process Extended Link LSA %pI4 for edge %pI4", diff --git a/0009-CVE-2024-31951.patch b/0009-CVE-2024-31951.patch deleted file mode 100644 index a1f3247..0000000 --- a/0009-CVE-2024-31951.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c -index 1c94a2c..ce6533a 100644 ---- a/ospfd/ospf_te.c -+++ b/ospfd/ospf_te.c -@@ -2632,6 +2632,7 @@ static int ospf_te_parse_ext_pref(struct ls_ted *ted, struct ospf_lsa *lsa) - struct ext_tlv_prefix *ext; - struct ext_subtlv_prefix_sid *pref_sid; - uint32_t label; -+ uint16_t len, size; - - /* Get corresponding Subnet from Link State Data Base */ - ext = (struct ext_tlv_prefix *)TLV_HDR_TOP(lsa->data); -@@ -2653,6 +2654,18 @@ static int ospf_te_parse_ext_pref(struct ls_ted *ted, struct ospf_lsa *lsa) - ote_debug(" |- Process Extended Prefix LSA %pI4 for subnet %pFX", - &lsa->data->id, &pref); - -+ /* -+ * Check Extended Prefix TLV size against LSA size -+ * as only one TLV is allowed per LSA -+ */ -+ len = TLV_BODY_SIZE(&ext->header); -+ size = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE); -+ if (len != size || len <= 0) { -+ ote_debug(" |- Wrong TLV size: %u instead of %u", -+ (uint32_t)len, (uint32_t)size); -+ return -1; -+ } -+ - /* Initialize TLV browsing */ - ls_pref = subnet->ls_pref; - pref_sid = (struct ext_subtlv_prefix_sid *)((char *)(ext) + TLV_HDR_SIZE -@@ -2767,8 +2780,20 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa) - ote_debug(" |- Process Extended Link LSA %pI4 for edge %pI4", - &lsa->data->id, &edge->attributes->standard.local); - -- /* Initialize TLV browsing */ -- len = TLV_BODY_SIZE(&ext->header) - EXT_TLV_LINK_SIZE; -+ /* -+ * Check Extended Link TLV size against LSA size -+ * as only one TLV is allowed per LSA -+ */ -+ len = TLV_BODY_SIZE(&ext->header); -+ i = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE); -+ if (len != i || len <= 0) { -+ ote_debug(" |- Wrong TLV size: %u instead of %u", -+ (uint32_t)len, (uint32_t)i); -+ return -1; -+ } -+ -+ /* Initialize subTLVs browsing */ -+ len -= EXT_TLV_LINK_SIZE; - tlvh = (struct tlv_header *)((char *)(ext) + TLV_HDR_SIZE - + EXT_TLV_LINK_SIZE); - for (; sum < len; tlvh = TLV_HDR_NEXT(tlvh)) { 
-@@ -2778,6 +2803,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa) - - switch (ntohs(tlvh->type)) { - case EXT_SUBTLV_ADJ_SID: -+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_ADJ_SID_SIZE) -+ break; - adj = (struct ext_subtlv_adj_sid *)tlvh; - label = CHECK_FLAG(adj->flags, - EXT_SUBTLV_LINK_ADJ_SID_VFLG) -@@ -2804,6 +2831,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa) - - break; - case EXT_SUBTLV_LAN_ADJ_SID: -+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_LAN_ADJ_SID_SIZE) -+ break; - ladj = (struct ext_subtlv_lan_adj_sid *)tlvh; - label = CHECK_FLAG(ladj->flags, - EXT_SUBTLV_LINK_ADJ_SID_VFLG) -@@ -2833,6 +2862,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa) - - break; - case EXT_SUBTLV_RMT_ITF_ADDR: -+ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_RMT_ITF_ADDR_SIZE) -+ break; - rmt = (struct ext_subtlv_rmt_itf_addr *)tlvh; - if (CHECK_FLAG(atr->flags, LS_ATTR_NEIGH_ADDR) - && IPV4_ADDR_SAME(&atr->standard.remote, diff --git a/0010-CVE-2024-31950.patch b/0010-CVE-2024-31950.patch deleted file mode 100644 index 20a8893..0000000 --- a/0010-CVE-2024-31950.patch +++ /dev/null 
@@ -1,41 +0,0 @@
-diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
-index ce6533a..70ea4af 100644
---- a/ospfd/ospf_te.c
-+++ b/ospfd/ospf_te.c
-@@ -2477,6 +2477,9 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
-
- switch (ntohs(tlvh->type)) {
- case RI_SR_TLV_SR_ALGORITHM:
-+ if (TLV_BODY_SIZE(tlvh) < 1 ||
-+ TLV_BODY_SIZE(tlvh) > ALGORITHM_COUNT)
-+ break;
- algo = (struct ri_sr_tlv_sr_algorithm *)tlvh;
-
- for (int i = 0; i < ntohs(algo->header.length); i++) {
-@@ -2501,6 +2504,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
- break;
-
- case RI_SR_TLV_SRGB_LABEL_RANGE:
-+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
-+ break;
- range = (struct ri_sr_tlv_sid_label_range *)tlvh;
- size = GET_RANGE_SIZE(ntohl(range->size));
- lower = GET_LABEL(ntohl(range->lower.value));
-@@ -2518,6 +2523,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
- break;
-
- case RI_SR_TLV_SRLB_LABEL_RANGE:
-+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
-+ break;
- range = (struct ri_sr_tlv_sid_label_range *)tlvh;
- size = GET_RANGE_SIZE(ntohl(range->size));
- lower = GET_LABEL(ntohl(range->lower.value));
-@@ -2535,6 +2542,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
- break;
-
- case RI_SR_TLV_NODE_MSD:
-+ if (TLV_BODY_SIZE(tlvh) < RI_SR_TLV_NODE_MSD_SIZE)
-+ break;
- msd = (struct ri_sr_tlv_node_msd *)tlvh;
- if ((CHECK_FLAG(node->flags, LS_NODE_MSD))
- && (node->msd == msd->value))
diff --git a/frr.spec b/frr.spec
index 7085208..faab6cf 100644
--- a/frr.spec
+++ b/frr.spec
@@ -8,8 +8,8 @@
 %bcond selinux 1
 Name: frr
-Version: 9.1
-Release: 11%{?dist}
+Version: 10.1
+Release: 1%{?dist}
 Summary: Routing daemon
 License: GPL-2.0-or-later AND ISC AND LGPL-2.0-or-later AND BSD-2-Clause AND BSD-3-Clause AND (GPL-2.0-or-later OR ISC) AND MIT
 URL: http://www.frrouting.org
@@ -26,11 +26,7 @@ Patch0002: 0002-enable-openssl.patch
 Patch0003: 0003-disable-eigrp-crypto.patch
 Patch0004: 0004-fips-mode.patch
 Patch0005: 0005-remove-grpc-test.patch
-Patch0006: 0006-CVE-2024-31948.patch
-Patch0007: 0007-CVE-2024-31949.patch
-Patch0008: 0008-CVE-2024-34088.patch
-Patch0009: 0009-CVE-2024-31951.patch
-Patch0010: 0010-CVE-2024-31950.patch
+Patch0006: 0006-noprefixroute-network-manager.patch
 BuildRequires: autoconf
 BuildRequires: automake
@@ -281,6 +277,9 @@ rm tests/lib/*grpc*
 %endif
 %changelog
+* Thu Aug 22 2024 Michal Ruprich - 10.1-1
+- New version 10.1
+
 * Mon Jun 24 2024 Troy Dawson - 9.1-11
 - Bump release for June 2024 mass rebuild
diff --git a/sources b/sources
index 5f8e436..0cd4e6a 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (frr-9.1.tar.gz) = 5e77de9d26275ac8babd3bd467fe05c7fb6fa50c80fe61e13057784945372debe24f44557d9d52e76e2e785919cdfb4d5a80e7b2a06558f2a52745d0e0b92766
+SHA512 (frr-10.1.tar.gz) = 7484238a502ab12f178e4a210e6e4a33d0ce53edbb49b127fdc3167e31dd61c1122c1ef2d30e4bcb83b7f520b37fb9ad73e2a6a16790b608b1adf2e23b556445
 SHA512 (remove-babeld-ldpd.sh) = a5bf67a3722cb20d43cef1dac28f839db68df73a1b7d34d8438e4f9366da3b67d85c1f44281f93434e8dd8ebcb2d3dc258b77eaa5627475b7395d207f020839d
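Review bot: Dropping Patch0006–Patch0010 removes the backports for CVE-2024-31948, CVE-2024-31949, CVE-2024-34088, CVE-2024-31951 and CVE-2024-31950 from the build, and nothing in this hunk or in the `%changelog` entry `- New version 10.1` records that the 10.1 tarball is expected to already carry those fixes. Presumably it does, since the deleted patches were upstream cherry-picks (the 0007 header cites upstream commit 30a332dad86f), but each one should be confirmed against the unpacked tarball — e.g. that `bgp_attr_malformed()` in bgpd/bgp_attr.c ends in `return BGP_ATTR_PARSE_WITHDRAW;` and that ospfd/ospf_te.c checks `TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE` — and then written down in the changelog, e.g. `- Drop CVE-2024-31948/31949/31950/31951/34088 patches, fixed upstream in 10.1` and `- Add 0006-noprefixroute-network-manager.patch (revert of upstream noprefixroute handling)`. Reusing the Patch0006 slot for an unrelated patch also makes the spec history ambiguous; giving it the next free number (Patch0011) avoids that.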