Compare commits

No commits in common. "c8" and "c8-beta" have entirely different histories.
c8 ... c8-beta

3 changed files with 1 addition and 155 deletions

@ -1,96 +0,0 @@
From a91f5417d8e7188b61ddecd4224fbba0f0c61e78 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Mon, 4 Oct 2021 20:32:25 -0400
Subject: [PATCH] watchfrr: Allow an integrated config to work within a
namespace
Since watchfrr invokes vtysh to gather the show run output and
write the data, if we are operating inside of a namespace FRR
must also pass this in.
Yes. This seems hacky. I don't fully understand why vtysh
is invoked this way.
New output:
sharpd@eva:~/frr3$ sudo vtysh -N one
Hello, this is FRRouting (version 8.1-dev).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
eva# wr mem
Note: this version of vtysh never writes vtysh.conf
% Can't open configuration file /etc/frr/one/vtysh.conf due to 'No such file or directory'.
Building Configuration...
Integrated configuration saved to /etc/frr/one/frr.conf
[OK]
eva#
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
watchfrr/watchfrr.c | 8 ++++++++
watchfrr/watchfrr.h | 6 ++++++
watchfrr/watchfrr_vty.c | 5 ++++-
3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/watchfrr/watchfrr.c b/watchfrr/watchfrr.c
index 40749e8fc262..b09d09245884 100644
--- a/watchfrr/watchfrr.c
+++ b/watchfrr/watchfrr.c
@@ -68,6 +68,7 @@ DEFINE_MTYPE_STATIC(WATCHFRR, WATCHFRR_DAEMON, "watchfrr daemon entry");
struct thread_master *master;
static bool watch_only = false;
+const char *pathspace;
typedef enum {
PHASE_NONE = 0,
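Review bot: `pathspace` in the new `+const char *pathspace;` line is a short, generic name given external linkage through watchfrr.h, so it is easy to shadow with a local or collide with another library symbol; a prefixed name such as `watchfrr_pathspace`, or a small accessor that returns `watchfrr_di.pathspace`, would make the origin obvious at the use site in watchfrr_vty.c. The pointer is also left writable from any translation unit although it is assigned exactly once in main(); if it has to stay a global, the comment should say who sets it and when.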
@@ -1513,8 +1514,15 @@ int main(int argc, char **argv)
else
unsetenv("FRR_PATHSPACE");
+ /*
+ * when watchfrr_di.pathspace is read, if it is not specified
+ * pathspace is NULL as expected
+ */
+ pathspace = watchfrr_di.pathspace;
+
if (netns_en && !netns)
netns = watchfrr_di.pathspace;
+
if (netns_en && netns && netns[0])
netns_setup(netns);
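Review bot: the comment above `+ pathspace = watchfrr_di.pathspace;` is hard to parse ("when watchfrr_di.pathspace is read, if it is not specified pathspace is NULL as expected"); it would read better as "watchfrr_di.pathspace is NULL unless -N was given, so pathspace is NULL in the default case". This line and the existing `netns = watchfrr_di.pathspace;` fallback two lines below both derive from the same option field, so a one-line comment tying them together would help keep the two in step if the option handling changes.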
diff --git a/watchfrr/watchfrr.h b/watchfrr/watchfrr.h
index 4df1bf74afb7..4987a932c03c 100644
--- a/watchfrr/watchfrr.h
+++ b/watchfrr/watchfrr.h
@@ -25,6 +25,12 @@
DECLARE_MGROUP(WATCHFRR)
+/*
+ * This is the name of the pathspace we are in `-N XXX`
+ * If the default then this is NULL
+ */
+extern const char *pathspace;
+
extern void watchfrr_vty_init(void);
extern pid_t integrated_write_pid;
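Review bot: the comment on `+extern const char *pathspace;` should state ownership and lifetime: the pointer aliases the option string held in watchfrr_di, set once in main() and never freed or reassigned, which is what makes it safe to hand to execl() later from watchfrr_vty.c. The first comment line is also missing its terminating punctuation after "`-N XXX`".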
diff --git a/watchfrr/watchfrr_vty.c b/watchfrr/watchfrr_vty.c
index eda4f5d516bf..1492ee37b600 100644
--- a/watchfrr/watchfrr_vty.c
+++ b/watchfrr/watchfrr_vty.c
@@ -105,7 +105,10 @@ DEFUN(config_write_integrated,
/* don't allow the user to pass parameters, we're root here!
* should probably harden vtysh at some point too... */
- execl(VTYSH_BIN_PATH, "vtysh", "-w", NULL);
+ if (pathspace)
+ execl(VTYSH_BIN_PATH, "vtysh", "-N", pathspace, "-w", NULL);
+ else
+ execl(VTYSH_BIN_PATH, "vtysh", "-w", NULL);
/* unbuffered write; we just messed with stdout... */
char msg[512];
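Review bot: the existing comment directly above ("don't allow the user to pass parameters, we're root here!") now sits over a call that does pass a parameter, `-N pathspace`, so it should be extended to say why this one is acceptable: the value comes from watchfrr's own -N startup option, not from anything typed at the vty, and it is passed as its own argv element rather than interpolated into a string. The two execl() calls could be collapsed into one execv() over an argv array filled in conditionally, which keeps the binary path and `-w` in a single place. The commit's sample output also shows vtysh warning "Can't open configuration file /etc/frr/one/vtysh.conf", so it is worth confirming that the integrated write still reports success when the per-namespace vtysh.conf is absent, as the `[OK]` in that output suggests.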

@ -1,48 +0,0 @@
From c27757965a55e181b3f63239249bbd6ce249a082 Mon Sep 17 00:00:00 2001
From: Jafar Al-Gharaibeh <jafar@atcorp.com>
Date: Mon, 9 Mar 2026 14:36:22 -0500
Subject: [PATCH] bgpd: fix off-by-one error in FlowSpec operator array bounds
check
Change loop > BGP_PBR_MATCH_VAL_MAX to loop >= BGP_PBR_MATCH_VAL_MAX
in bgp_flowspec_op_decode() and bgp_flowspec_bitmask_decode() to
prevent writing one element past the end of the mval[] array when
more than 5 chained operators are present in a FlowSpec component.
Reported-by: Jiahao Lei
Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>
---
bgpd/bgp_flowspec_util.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/bgpd/bgp_flowspec_util.c b/bgpd/bgp_flowspec_util.c
index 90e9236..4dd5034 100644
--- a/bgpd/bgp_flowspec_util.c
+++ b/bgpd/bgp_flowspec_util.c
@@ -266,8 +266,10 @@ int bgp_flowspec_op_decode(enum bgp_flowspec_util_nlri_t type,
*error = 0;
do {
- if (loop > BGP_PBR_MATCH_VAL_MAX)
+ if (loop >= BGP_PBR_MATCH_VAL_MAX) {
*error = -2;
+ return offset;
+ }
hex2bin(&nlri_ptr[offset], op);
offset++;
len = 2*op[2]+op[3];
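Review bot: the corrected bound `loop >= BGP_PBR_MATCH_VAL_MAX` now returns early with `*error = -2` and a partially advanced `offset`, so callers must treat -2 as fatal for the whole component rather than using the returned offset to step to the next one, since the remaining operators of this component were never parsed. If the function header documents the return value, it should say that offset is only meaningful when *error is 0. The commit message says the overflow needs more than 5 chained operators, so a unit test feeding six operators to bgp_flowspec_op_decode() and asserting *error == -2 with no write past mval[] would pin the fix.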
@@ -370,8 +372,10 @@ int bgp_flowspec_bitmask_decode(enum bgp_flowspec_util_nlri_t type,
*error = 0;
do {
- if (loop > BGP_PBR_MATCH_VAL_MAX)
+ if (loop >= BGP_PBR_MATCH_VAL_MAX) {
*error = -2;
+ return offset;
+ }
hex2bin(&nlri_ptr[offset], op);
/* if first element, AND bit can not be set */
if (op[1] == 1 && loop == 0)
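Review bot: this is the same bound check as in bgp_flowspec_op_decode() above, fixed in the same way; factoring it into one helper (or a small macro that sets *error and returns offset) would stop the two copies drifting apart again, which is how a `>` versus `>=` mismatch can recur in a third decoder. It is also worth scanning the rest of bgp_flowspec_util.c for other loops indexed by `loop` against BGP_PBR_MATCH_VAL_MAX, since the same pattern appeared twice here.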
--
2.52.0

@ -7,7 +7,7 @@
Name: frr Name: frr
Version: 7.5.1 Version: 7.5.1
Release: 24%{?checkout}%{?dist} Release: 22%{?checkout}%{?dist}
Summary: Routing daemon Summary: Routing daemon
License: GPLv2+ License: GPLv2+
URL: http://www.frrouting.org URL: http://www.frrouting.org
@ -67,9 +67,6 @@ Patch0024: 0024-CVE-2023-46753.patch
Patch0025: 0025-CVE-2023-31490.patch Patch0025: 0025-CVE-2023-31490.patch
Patch0026: 0026-CVE-2023-41909.patch Patch0026: 0026-CVE-2023-41909.patch
Patch0027: 0027-dynamic-netlink-buffer.patch Patch0027: 0027-dynamic-netlink-buffer.patch
Patch0028: 0028-vtysh-in-namespaces.patch
# https://github.com/FRRouting/frr/commit/0e6882bc72c0278988a47b2f0f73b7a91099a25c
Patch0029: RHEL-174676.patch
%description %description
FRRouting is free software that manages TCP/IP based routing protocols. It takes FRRouting is free software that manages TCP/IP based routing protocols. It takes
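Review bot: `Patch0029: RHEL-174676.patch` breaks the naming scheme used by Patch0024 through Patch0028 (`00NN-<topic>.patch`); a name such as `0029-CVE-2026-37457.patch` keeps the series sortable and makes the CVE visible in the spec, as it already is for 0024 through 0026. The provenance comment above it points at upstream commit 0e6882bc72c0278988a47b2f0f73b7a91099a25c while the patch file itself is headed `From c27757965a55e181b3f63239249bbd6ce249a082` (the backport authored 2026-03-09); a comment stating that the file is a backport of the upstream commit, not the upstream commit itself, would avoid confusion when someone diffs the two. Patch0028 carries no provenance comment at all; the commit id from its own header, a91f5417d8e7188b61ddecd4224fbba0f0c61e78, could be recorded the same way.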
@ -290,13 +287,6 @@ make check PYTHON=%{__python3}
%endif %endif
%changelog %changelog
* Wed May 20 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 7.5.1-24
- Fix off-by-one error in FlowSpec operator array bounds checking (CVE-2026-37457)
- Resolves: RHEL-174676
* Fri Apr 04 2025 Michal Ruprich <mruprich@redhat.com> - 7.5.1-23
- Resolves: RHEL-65250 - When using namespaces, integrated configs for frr fail to write
* Wed Feb 07 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-22 * Wed Feb 07 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-22
- Resolves: RHEL-22303 - Zebra not fetching host routes - Resolves: RHEL-22303 - Zebra not fetching host routes
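Review bot: the 7.5.1-24 entry spreads its content over two lines (a description, then `- Resolves: RHEL-174676`) while the 7.5.1-23 entry uses the single-line form `- Resolves: RHEL-65250 - description`; pick one form for the file. The -24 entry is also the only one attributed to a service account (`RHEL Packaging Agent <redhat-ymir-agent@redhat.com>`) and records the CVE only here, not next to Patch0029 in the spec; for a security fix the CVE id should be findable at both places.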