import CS git frr-7.5.1-24.el8_10
This commit is contained in:
AlmaLinux RelEng Bot
parent
ec6e239fed
commit
bf00a96cb7
48
SOURCES/RHEL-174676.patch
Normal file
48
SOURCES/RHEL-174676.patch
Normal file
@ -0,0 +1,48 @@
|
||||
From c27757965a55e181b3f63239249bbd6ce249a082 Mon Sep 17 00:00:00 2001
|
||||
From: Jafar Al-Gharaibeh <jafar@atcorp.com>
|
||||
Date: Mon, 9 Mar 2026 14:36:22 -0500
|
||||
Subject: [PATCH] bgpd: fix off-by-one error in FlowSpec operator array bounds
|
||||
check
|
||||
|
||||
Change loop > BGP_PBR_MATCH_VAL_MAX to loop >= BGP_PBR_MATCH_VAL_MAX
|
||||
in bgp_flowspec_op_decode() and bgp_flowspec_bitmask_decode() to
|
||||
prevent writing one element past the end of the mval[] array when
|
||||
more than 5 chained operators are present in a FlowSpec component.
|
||||
|
||||
Reported-by: Jiahao Lei
|
||||
Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>
|
||||
---
|
||||
bgpd/bgp_flowspec_util.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/bgpd/bgp_flowspec_util.c b/bgpd/bgp_flowspec_util.c
|
||||
index 90e9236..4dd5034 100644
|
||||
--- a/bgpd/bgp_flowspec_util.c
|
||||
+++ b/bgpd/bgp_flowspec_util.c
|
||||
@@ -266,8 +266,10 @@ int bgp_flowspec_op_decode(enum bgp_flowspec_util_nlri_t type,
|
||||
|
||||
*error = 0;
|
||||
do {
|
||||
- if (loop > BGP_PBR_MATCH_VAL_MAX)
|
||||
+ if (loop >= BGP_PBR_MATCH_VAL_MAX) {
|
||||
*error = -2;
|
||||
+ return offset;
|
||||
+ }
|
||||
hex2bin(&nlri_ptr[offset], op);
|
||||
offset++;
|
||||
len = 2*op[2]+op[3];
|
||||
@@ -370,8 +372,10 @@ int bgp_flowspec_bitmask_decode(enum bgp_flowspec_util_nlri_t type,
|
||||
|
||||
*error = 0;
|
||||
do {
|
||||
- if (loop > BGP_PBR_MATCH_VAL_MAX)
|
||||
+ if (loop >= BGP_PBR_MATCH_VAL_MAX) {
|
||||
*error = -2;
|
||||
+ return offset;
|
||||
+ }
|
||||
hex2bin(&nlri_ptr[offset], op);
|
||||
/* if first element, AND bit can not be set */
|
||||
if (op[1] == 1 && loop == 0)
|
||||
--
|
||||
2.52.0
|
||||
|
||||
@ -7,7 +7,7 @@
|
||||
|
||||
Name: frr
|
||||
Version: 7.5.1
|
||||
Release: 23%{?checkout}%{?dist}
|
||||
Release: 24%{?checkout}%{?dist}
|
||||
Summary: Routing daemon
|
||||
License: GPLv2+
|
||||
URL: http://www.frrouting.org
|
||||
@ -68,6 +68,8 @@ Patch0025: 0025-CVE-2023-31490.patch
|
||||
Patch0026: 0026-CVE-2023-41909.patch
|
||||
Patch0027: 0027-dynamic-netlink-buffer.patch
|
||||
Patch0028: 0028-vtysh-in-namespaces.patch
|
||||
# https://github.com/FRRouting/frr/commit/0e6882bc72c0278988a47b2f0f73b7a91099a25c
|
||||
Patch0029: RHEL-174676.patch
|
||||
|
||||
%description
|
||||
FRRouting is free software that manages TCP/IP based routing protocols. It takes
|
||||
@ -288,6 +290,10 @@ make check PYTHON=%{__python3}
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed May 20 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 7.5.1-24
|
||||
- Fix off-by-one error in FlowSpec operator array bounds checking (CVE-2026-37457)
|
||||
- Resolves: RHEL-174676
|
||||
|
||||
* Fri Apr 04 2025 Michal Ruprich <mruprich@redhat.com> - 7.5.1-23
|
||||
- Resolves: RHEL-65250 - When using namespaces, integrated configs for frr fail to write
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user