From cdeacb4fe0770a597bb03b46efabed3024c9c76b Mon Sep 17 00:00:00 2001
From: Michal Ruprich
Date: Wed, 12 Jun 2024 09:26:35 +0200
Subject: [PATCH] Resolves: RHEL-32138 - buffer overflow in ospf_te_parse_ext_link

---
 0009-CVE-2024-31951.patch | 81 +++++++++++++++++++++++++++++++++++++++
 frr.spec | 6 ++-
 2 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 0009-CVE-2024-31951.patch

diff --git a/0009-CVE-2024-31951.patch b/0009-CVE-2024-31951.patch
new file mode 100644
index 0000000..a1f3247
--- /dev/null
+++ b/0009-CVE-2024-31951.patch
@@ -0,0 +1,81 @@
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index 1c94a2c..ce6533a 100644
+--- a/ospfd/ospf_te.c
++++ b/ospfd/ospf_te.c
+@@ -2632,6 +2632,7 @@ static int ospf_te_parse_ext_pref(struct ls_ted *ted, struct ospf_lsa *lsa)
+ struct ext_tlv_prefix *ext;
+ struct ext_subtlv_prefix_sid *pref_sid;
+ uint32_t label;
++ uint16_t len, size;
+ 
+ /* Get corresponding Subnet from Link State Data Base */
+ ext = (struct ext_tlv_prefix *)TLV_HDR_TOP(lsa->data);
+@@ -2653,6 +2654,18 @@ static int ospf_te_parse_ext_pref(struct ls_ted *ted, struct ospf_lsa *lsa)
+ ote_debug(" |- Process Extended Prefix LSA %pI4 for subnet %pFX",
+ &lsa->data->id, &pref);
+ 
++ /*
++ * Check Extended Prefix TLV size against LSA size
++ * as only one TLV is allowed per LSA
++ */
++ len = TLV_BODY_SIZE(&ext->header);
++ size = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE);
++ if (len != size || len <= 0) {
++ ote_debug(" |- Wrong TLV size: %u instead of %u",
++ (uint32_t)len, (uint32_t)size);
++ return -1;
++ }
++
+ /* Initialize TLV browsing */
+ ls_pref = subnet->ls_pref;
+ pref_sid = (struct ext_subtlv_prefix_sid *)((char *)(ext) + TLV_HDR_SIZE
+@@ -2767,8 +2780,20 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+ ote_debug(" |- Process Extended Link LSA %pI4 for edge %pI4",
+ &lsa->data->id, &edge->attributes->standard.local);
+ 
+- /* Initialize TLV browsing */
+- len = TLV_BODY_SIZE(&ext->header) - EXT_TLV_LINK_SIZE;
++ /*
++ * Check Extended Link TLV size against LSA size
++ * as only one TLV is allowed per LSA
++ */
++ len = TLV_BODY_SIZE(&ext->header);
++ i = lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE);
++ if (len != i || len <= 0) {
++ ote_debug(" |- Wrong TLV size: %u instead of %u",
++ (uint32_t)len, (uint32_t)i);
++ return -1;
++ }
++
++ /* Initialize subTLVs browsing */
++ len -= EXT_TLV_LINK_SIZE;
+ tlvh = (struct tlv_header *)((char *)(ext) + TLV_HDR_SIZE
+ + EXT_TLV_LINK_SIZE);
+ for (; sum < len; tlvh = TLV_HDR_NEXT(tlvh)) {
+@@ -2778,6 +2803,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 
+ switch (ntohs(tlvh->type)) {
+ case EXT_SUBTLV_ADJ_SID:
++ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_ADJ_SID_SIZE)
++ break;
+ adj = (struct ext_subtlv_adj_sid *)tlvh;
+ label = CHECK_FLAG(adj->flags,
+ EXT_SUBTLV_LINK_ADJ_SID_VFLG)
+@@ -2804,6 +2831,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 
+ break;
+ case EXT_SUBTLV_LAN_ADJ_SID:
++ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_LAN_ADJ_SID_SIZE)
++ break;
+ ladj = (struct ext_subtlv_lan_adj_sid *)tlvh;
+ label = CHECK_FLAG(ladj->flags,
+ EXT_SUBTLV_LINK_ADJ_SID_VFLG)
+@@ -2833,6 +2862,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 
+ break;
+ case EXT_SUBTLV_RMT_ITF_ADDR:
++ if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_RMT_ITF_ADDR_SIZE)
++ break;
+ rmt = (struct ext_subtlv_rmt_itf_addr *)tlvh;
+ if (CHECK_FLAG(atr->flags, LS_ATTR_NEIGH_ADDR)
+ && IPV4_ADDR_SAME(&atr->standard.remote,
diff --git a/frr.spec b/frr.spec
index 96c68aa..c61379d 100644
--- a/frr.spec
+++ b/frr.spec
@@ -9,7 +9,7 @@ Name: frr
 Version: 9.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 Summary: Routing daemon
 License: GPL-2.0-or-later AND ISC AND LGPL-2.0-or-later AND BSD-2-Clause AND BSD-3-Clause AND (GPL-2.0-or-later OR ISC) AND MIT
 URL: http://www.frrouting.org
@@ -29,6 +29,7 @@ Patch0005: 0005-remove-grpc-test.patch
 Patch0006: 0006-CVE-2024-31948.patch
 Patch0007: 0007-CVE-2024-31949.patch
 Patch0008: 0008-CVE-2024-34088.patch
+Patch0009: 0009-CVE-2024-31951.patch
 BuildRequires: autoconf
 BuildRequires: automake
@@ -279,6 +280,9 @@ rm tests/lib/*grpc*
 %endif
 %changelog
+* Wed Jun 12 2024 Michal Ruprich - 9.1-9
+- Resolves: RHEL-32138 - buffer overflow in ospf_te_parse_ext_link
+
 * Wed Jun 12 2024 Michal Ruprich - 9.1-8
 - Resolves: RHEL-34911 - null pointer via get_edge() function can trigger a denial of service
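Review bot: In the ospf_te_parse_ext_link hunk (@@ -2767) the new check only requires the TLV body to equal the LSA payload and be non-zero, so a body shorter than the fixed link part makes `len -= EXT_TLV_LINK_SIZE` wrap (if `len` is unsigned, as the `uint16_t len, size` declared for the prefix counterpart suggests) and the `sum < len` loop then walks sub-TLVs past the end of the LSA. Likewise `lsa->size - (OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE)` in both functions goes negative or wraps for an LSA shorter than the LSA header plus one TLV header, and a crafted TLV length can then still satisfy the equality. A minimum-size guard before the arithmetic closes both, e.g. `if (lsa->size < OSPF_LSA_HEADER_SIZE + TLV_HDR_SIZE + EXT_TLV_LINK_SIZE) return -1;` in the link parser and the same bound without `EXT_TLV_LINK_SIZE` in the prefix parser. As a point of style, `len <= 0` on the prefix parser's `uint16_t len` is simply `len == 0` and reads more clearly written that way. Both functions start outside their hunks, and whether the loop body rejects a trailing sub-TLV that declares more bytes than remain cannot be seen from here.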