frr/RHEL-174676.patch
RHEL Packaging Agent 4acbe765c8 frr: fix CVE-2026-37457 off-by-one error in FlowSpec operator array bounds check
Backport upstream commit 0e6882bc72c0278988a47b2f0f73b7a91099a25c to
fix an off-by-one error in FlowSpec operator array bounds checking in
bgpd/bgp_flowspec_util.c. The patch changes the comparison from
`loop > BGP_PBR_MATCH_VAL_MAX` to `loop >= BGP_PBR_MATCH_VAL_MAX`
and adds an early return in both bgp_flowspec_op_decode() and
bgp_flowspec_bitmask_decode() to prevent writing one element past
the end of the mval[] array when more than 5 chained operators are
present in a FlowSpec component.

CVE: CVE-2026-37457
Upstream patches:
 - 0e6882bc72.patch
Resolves: RHEL-174676

This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.

Assisted-by: Ymir
2026-05-21 12:07:49 +00:00
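As an added illustration (not FRR's code and not part of this backport), the following C model isolates the bound check the commit message describes: a decoder that fills a fixed-size `mval[]` array from chained operators, comparing the original `>` test against the patched `>=` test. Assumptions are labelled in the code: the array size 5 is taken from the message's "more than 5 chained operators" (FRR's `BGP_PBR_MATCH_VAL_MAX` is not shown on the page), the two-byte operator encoding is constructed for the example, and the names `decode_operators`, `highest_index_written` and `decode_sample` are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: the commit message says "more than 5 chained operators"
 * overflow mval[], so this model uses 5 as the array size. FRR's real
 * constant is BGP_PBR_MATCH_VAL_MAX; its value is not shown on the page. */
#define MATCH_VAL_MAX 5

/* Constructed operator encoding for the model: one op byte (bit 7 = end of
 * list, the role FlowSpec's "e" bit plays) followed by one operand byte. */
#define OP_END_OF_LIST 0x80

struct match_val {
	uint8_t op;	/* operator bits with the end-of-list flag cleared */
	uint8_t value;	/* the operand that follows the op byte */
};

/* Highest mval[] index the loop would write for n_ops chained operators,
 * treating the bound check as a stop and varying only the comparison:
 * the original `loop > MAX` versus the patched `loop >= MAX`. */
static int highest_index_written(int n_ops, bool patched_check)
{
	int highest = -1;

	for (int loop = 0; loop < n_ops; loop++) {
		bool out_of_room = patched_check ? loop >= MATCH_VAL_MAX
						 : loop > MATCH_VAL_MAX;
		if (out_of_room)
			break;
		highest = loop;	/* this iteration writes mval[loop] */
	}
	return highest;	/* == MATCH_VAL_MAX means one element past the end */
}

/* Patched-style decoder: fill mval[] from nlri[] starting at *offset.
 * Returns 0 on success, -2 (the patch's error code) when an operator would
 * not fit; on -2, *count holds MATCH_VAL_MAX valid entries and *offset
 * points at the operator that was not decoded. -1 means truncated input. */
static int decode_operators(const uint8_t *nlri, size_t nlri_len,
			    size_t *offset, struct match_val mval[MATCH_VAL_MAX],
			    int *count)
{
	int loop = 0;

	*count = 0;
	do {
		/* loop is the index about to be written, so it must be
		 * strictly below the array size: this is the >= check. */
		if (loop >= MATCH_VAL_MAX)
			return -2;
		if (*offset + 2 > nlri_len)
			return -1;
		uint8_t op = nlri[*offset];

		mval[loop].op = op & (uint8_t)~OP_END_OF_LIST;
		mval[loop].value = nlri[*offset + 1];
		*offset += 2;
		loop++;
		*count = loop;
		if (op & OP_END_OF_LIST)
			return 0;
	} while (true);
}

/* Build a constructed component with n_ops chained operators (operand i+1,
 * the last one carrying the end-of-list bit) and decode it. */
static int decode_sample(int n_ops, int *count_out)
{
	uint8_t nlri[2 * 16];
	struct match_val mval[MATCH_VAL_MAX];
	size_t offset = 0;
	int count = 0, rc;

	if (n_ops < 1 || n_ops > 16)
		return -1;
	for (int i = 0; i < n_ops; i++) {
		nlri[2 * i] = (i == n_ops - 1) ? OP_END_OF_LIST : 0;
		nlri[2 * i + 1] = (uint8_t)(i + 1);
	}
	rc = decode_operators(nlri, (size_t)(2 * n_ops), &offset, mval, &count);
	if (count_out)
		*count_out = count;
	return rc;
}

static int decode_sample_count(int n_ops)
{
	int count = 0;

	decode_sample(n_ops, &count);
	return count;
}

int main(void)
{
	for (int n = 4; n <= 7; n++)
		printf("%d operators: old check writes up to mval[%d], patched up to mval[%d], "
		       "patched decoder rc=%d count=%d\n",
		       n, highest_index_written(n, false), highest_index_written(n, true),
		       decode_sample(n, NULL), decode_sample_count(n));
	return 0;
}
```

With six or more operators the original comparison lets `loop == MATCH_VAL_MAX` through once, so the highest index written is exactly one past the end, matching the commit message; the patched decoder stops at five stored entries and hands back an error code together with the offset of the operator it did not decode, which is why callers must check the error before trusting that offset.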


From c27757965a55e181b3f63239249bbd6ce249a082 Mon Sep 17 00:00:00 2001
From: Jafar Al-Gharaibeh <jafar@atcorp.com>
Date: Mon, 9 Mar 2026 14:36:22 -0500
Subject: [PATCH] bgpd: fix off-by-one error in FlowSpec operator array bounds
check
Change loop > BGP_PBR_MATCH_VAL_MAX to loop >= BGP_PBR_MATCH_VAL_MAX
in bgp_flowspec_op_decode() and bgp_flowspec_bitmask_decode() to
prevent writing one element past the end of the mval[] array when
more than 5 chained operators are present in a FlowSpec component.
Reported-by: Jiahao Lei
Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>
---
bgpd/bgp_flowspec_util.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/bgpd/bgp_flowspec_util.c b/bgpd/bgp_flowspec_util.c
index 90e9236..4dd5034 100644
--- a/bgpd/bgp_flowspec_util.c
+++ b/bgpd/bgp_flowspec_util.c
@@ -266,8 +266,10 @@ int bgp_flowspec_op_decode(enum bgp_flowspec_util_nlri_t type,
*error = 0;
do {
- if (loop > BGP_PBR_MATCH_VAL_MAX)
+ if (loop >= BGP_PBR_MATCH_VAL_MAX) {
*error = -2;
+ return offset;
+ }
hex2bin(&nlri_ptr[offset], op);
offset++;
len = 2*op[2]+op[3];
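Review bot: the new `return offset` after `*error = -2` changes the contract of bgp_flowspec_op_decode(): previously the loop kept decoding after flagging the error, now the caller receives a partial offset together with the error, so confirm that every caller checks `*error` before using the returned offset. The comparison change itself is correct, since `loop` is the index this iteration is about to fill in mval[] and the last valid index is BGP_PBR_MATCH_VAL_MAX - 1; a one-line comment above the check saying that `loop` indexes mval[] would make the `>=` self-explanatory to the next reader.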
@@ -370,8 +372,10 @@ int bgp_flowspec_bitmask_decode(enum bgp_flowspec_util_nlri_t type,
*error = 0;
do {
- if (loop > BGP_PBR_MATCH_VAL_MAX)
+ if (loop >= BGP_PBR_MATCH_VAL_MAX) {
*error = -2;
+ return offset;
+ }
hex2bin(&nlri_ptr[offset], op);
/* if first element, AND bit can not be set */
if (op[1] == 1 && loop == 0)
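Review bot: this check is duplicated verbatim from bgp_flowspec_op_decode() and both loops share the same mval[] bound and the same -2 error, so consider a single static helper or macro for the bound test so the two decoders cannot drift apart again (the off-by-one had to be fixed in two places). Keeping the check ahead of hex2bin() as done here is right, because the AND-bit test on `op[1]` just below relies on `loop` already being in range; the returned `offset` points at the operator that did not fit, so callers that continue parsing from it must stop on `*error == -2` rather than treat the unconsumed operators as the next component.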
--
2.52.0