Resolves: RHEL-34911 - null pointer via get_edge() function can trigger a denial of service

This commit is contained in:
Michal Ruprich 2024-06-12 09:24:25 +02:00
parent 832ce93ff8
commit c2bc5c9c4f
2 changed files with 54 additions and 1 deletions

49
0008-CVE-2024-34088.patch Normal file
View File

@ -0,0 +1,49 @@
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index 3cf39e5..1c94a2c 100644
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -1669,6 +1669,11 @@ static struct ls_edge *get_edge(struct ls_ted *ted, struct ls_node_id adv,
struct ls_edge *edge;
struct ls_attributes *attr;
+ /* Check that Link ID and Node ID are valid */
+ if (IPV4_NET0(link_id.s_addr) || IPV4_NET0(adv.id.ip.addr.s_addr) ||
+ adv.origin != OSPFv2)
+ return NULL;
+
/* Search Edge that corresponds to the Link ID */
key.family = AF_INET;
IPV4_ADDR_COPY(&key.k.addr, &link_id);
@@ -1742,6 +1747,10 @@ static void ospf_te_update_link(struct ls_ted *ted, struct ls_vertex *vertex,
/* Get Corresponding Edge from Link State Data Base */
edge = get_edge(ted, vertex->node->adv, link_data);
+ if (!edge) {
+ ote_debug(" |- Found no edge from Link Data. Abort!");
+ return;
+ }
attr = edge->attributes;
/* re-attached edge to vertex if needed */
@@ -2261,6 +2270,10 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
/* Get corresponding Edge from Link State Data Base */
edge = get_edge(ted, attr.adv, attr.standard.local);
+ if (!edge) {
+ ote_debug(" |- Found no edge from Link local add./ID. Abort!");
+ return -1;
+ }
old = edge->attributes;
ote_debug(" |- Process Traffic Engineering LSA %pI4 for Edge %pI4",
@@ -2745,6 +2758,10 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
lnid.id.ip.area_id = lsa->area->area_id;
ext = (struct ext_tlv_link *)TLV_HDR_TOP(lsa->data);
edge = get_edge(ted, lnid, ext->link_data);
+ if (!edge) {
+ ote_debug(" |- Found no edge from Extended Link Data. Abort!");
+ return -1;
+ }
atr = edge->attributes;
ote_debug(" |- Process Extended Link LSA %pI4 for edge %pI4",

View File

@ -9,7 +9,7 @@
Name: frr
Version: 9.1
Release: 7%{?dist}
Release: 8%{?dist}
Summary: Routing daemon
License: GPL-2.0-or-later AND ISC AND LGPL-2.0-or-later AND BSD-2-Clause AND BSD-3-Clause AND (GPL-2.0-or-later OR ISC) AND MIT
URL: http://www.frrouting.org
@ -28,6 +28,7 @@ Patch0004: 0004-fips-mode.patch
Patch0005: 0005-remove-grpc-test.patch
Patch0006: 0006-CVE-2024-31948.patch
Patch0007: 0007-CVE-2024-31949.patch
Patch0008: 0008-CVE-2024-34088.patch
BuildRequires: autoconf
BuildRequires: automake
@ -278,6 +279,9 @@ rm tests/lib/*grpc*
%endif
%changelog
* Wed Jun 12 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-8
- Resolves: RHEL-34911 - null pointer via get_edge() function can trigger a denial of service
* Mon May 27 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-7
- Resolves: RHEL-38834 - Missing selinux rules for .history_frr file for FRR