From bf00a96cb7294652486342275b9cc62beaf25d5e Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Sun, 7 Jun 2026 22:46:36 -0400
Subject: [PATCH] import CS git frr-7.5.1-24.el8_10
---
SOURCES/RHEL-174676.patch | 48 +++++++++++++++++++++++++++++++++++++++
SPECS/frr.spec | 8 ++++++-
2 files changed, 55 insertions(+), 1 deletion(-)
create mode 100644 SOURCES/RHEL-174676.patch
diff --git a/SOURCES/RHEL-174676.patch b/SOURCES/RHEL-174676.patch
new file mode 100644
index 0000000..09b25a8
--- /dev/null
+++ b/SOURCES/RHEL-174676.patch
@@ -0,0 +1,48 @@
+From c27757965a55e181b3f63239249bbd6ce249a082 Mon Sep 17 00:00:00 2001
+From: Jafar Al-Gharaibeh
+Date: Mon, 9 Mar 2026 14:36:22 -0500
+Subject: [PATCH] bgpd: fix off-by-one error in FlowSpec operator array bounds
+ check
+
+Change loop > BGP_PBR_MATCH_VAL_MAX to loop >= BGP_PBR_MATCH_VAL_MAX
+in bgp_flowspec_op_decode() and bgp_flowspec_bitmask_decode() to
+prevent writing one element past the end of the mval[] array when
+more than 5 chained operators are present in a FlowSpec component.
+
+Reported-by: Jiahao Lei
+Signed-off-by: Jafar Al-Gharaibeh
+---
+ bgpd/bgp_flowspec_util.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/bgpd/bgp_flowspec_util.c b/bgpd/bgp_flowspec_util.c
+index 90e9236..4dd5034 100644
+--- a/bgpd/bgp_flowspec_util.c
++++ b/bgpd/bgp_flowspec_util.c
+@@ -266,8 +266,10 @@ int bgp_flowspec_op_decode(enum bgp_flowspec_util_nlri_t type,
+
+ *error = 0;
+ do {
+- if (loop > BGP_PBR_MATCH_VAL_MAX)
++ if (loop >= BGP_PBR_MATCH_VAL_MAX) {
+ *error = -2;
++ return offset;
++ }
+ hex2bin(&nlri_ptr[offset], op);
+ offset++;
+ len = 2*op[2]+op[3];
+@@ -370,8 +372,10 @@ int bgp_flowspec_bitmask_decode(enum bgp_flowspec_util_nlri_t type,
+
+ *error = 0;
+ do {
+- if (loop > BGP_PBR_MATCH_VAL_MAX)
++ if (loop >= BGP_PBR_MATCH_VAL_MAX) {
+ *error = -2;
++ return offset;
++ }
+ hex2bin(&nlri_ptr[offset], op);
+ /* if first element, AND bit can not be set */
+ if (op[1] == 1 && loop == 0)
+--
+2.52.0
+
diff --git a/SPECS/frr.spec b/SPECS/frr.spec
index 99b553a..034f363 100644
--- a/SPECS/frr.spec
+++ b/SPECS/frr.spec
@@ -7,7 +7,7 @@ Name: frr Version: 7.5.1 -Release: 23%{?checkout}%{?dist} +Release: 24%{?checkout}%{?dist} Summary: Routing daemon License: GPLv2+ URL: http://www.frrouting.org
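Review bot: In the embedded bgpd/bgp_flowspec_util.c patch, the early `return offset;` added to bgp_flowspec_op_decode() (and identically to bgp_flowspec_bitmask_decode()) returns an offset that stops partway through the FlowSpec component. That is only safe if every caller tests `*error` before advancing its own cursor by the return value; the callers are outside these hunks, so this needs confirming. A comment above the check would record the contract, for example `/* mval[] has BGP_PBR_MATCH_VAL_MAX slots: stop before writing past it; on -2 the returned offset is not a full component length */`. Both function bodies start and end outside the hunks shown. A regression test that pins the behaviour at exactly BGP_PBR_MATCH_VAL_MAX entries would keep the boundary from drifting back to `>`.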
@@ -68,6 +68,8 @@ Patch0025: 0025-CVE-2023-31490.patch Patch0026: 0026-CVE-2023-41909.patch Patch0027: 0027-dynamic-netlink-buffer.patch Patch0028: 0028-vtysh-in-namespaces.patch +# https://github.com/FRRouting/frr/commit/0e6882bc72c0278988a47b2f0f73b7a91099a25c +Patch0029: RHEL-174676.patch %description FRRouting is free software that manages TCP/IP based routing protocols. It takes @@ -288,6 +290,10 @@ make check PYTHON=%{__python3} %endif %changelog +* Wed May 20 2026 RHEL Packaging Agent - 7.5.1-24 +- Fix off-by-one error in FlowSpec operator array bounds checking (CVE-2026-37457) +- Resolves: RHEL-174676 + * Fri Apr 04 2025 Michal Ruprich - 7.5.1-23 - Resolves: RHEL-65250 - When using namespaces, integrated configs for frr fail to write
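Review bot: `Patch0029: RHEL-174676.patch` is declared in the `@@ -68,6 +68,8 @@` hunk, but the diffstat shows no change to `%prep`, so the CVE-2026-37457 fix reaches the build only if the spec applies patches automatically (for example via `%autosetup`). That section is outside the hunks shown and should be checked; if patches are applied one by one, a matching `%patch` line for 0029 is needed. The comment above the declaration cites upstream commit 0e6882bc72c0278988a47b2f0f73b7a91099a25c, while the imported patch carries c27757965a55e181b3f63239249bbd6ce249a082 in its From line. If this is a backport, wording the comment as `# Backport of https://github.com/FRRouting/frr/commit/0e6882bc72c0278988a47b2f0f73b7a91099a25c` would explain the differing hash.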