Resolves: RHEL-174696 - denial of service via crafted BGP UPDATE message
parent d9a7f42709
commit fbfb307843

0016-fix-CVE-2026-37459.patch (new file, 30 lines)
@ -0,0 +1,30 @@
From 693a2e02687cdc9d16501275e05136edea9650d9 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Tue, 10 Mar 2026 20:16:10 +0200
Subject: [PATCH] bgpd: Check if the NHC length is enough to fill TLV value +
TLV header
BGP_NHC_TLV_MIN_LEN is 4 bytes (TLV code + TLV length), and when we parse TLVs,
we subtract BGP_NHC_TLV_MIN_LEN as well, so we should include BGP_NHC_TLV_MIN_LEN
when checking the remaining length too.
Reported-by: Jiahao Lei
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
---
bgpd/bgp_attr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 6bcf5f690613..b707e0531e94 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -3887,7 +3887,7 @@ static int bgp_attr_nhc(struct bgp_attr_parser_args *args)
tlv_code = stream_getw(s);
tlv_length = stream_getw(s);
- if (length < tlv_length) {
+ if (length < tlv_length + BGP_NHC_TLV_MIN_LEN) {
zlog_err("%pBP rcvd BGP NHC TLV length %d exceeds remaining length %d",
peer, tlv_length, length);
bgp_nhc_free(nhc);
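Review bot: the corrected comparison on the `+ if (length < tlv_length + BGP_NHC_TLV_MIN_LEN)` line is right, because `tlv_code` and `tlv_length` have already been consumed by the two `stream_getw` calls above it, so the 4-byte header must be charged against the remaining `length` together with the value; however the `zlog_err` call that follows still prints the bare `tlv_length` against `length`, so a rejected TLV can now be logged as "TLV length 3 exceeds remaining length 5", which reads as a contradiction. Consider logging `tlv_length + BGP_NHC_TLV_MIN_LEN` or rewording the message to say the length plus header exceeds the remainder. Also confirm, outside this hunk, that the subtraction of BGP_NHC_TLV_MIN_LEN from `length` described in the commit message happens after this check, since that is what keeps the header accounting consistent with the new condition.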
@ -8,7 +8,7 @@
Name: frr10
Version: 10.4.3
Release: 2%{?checkout}%{?dist}
Release: 3%{?checkout}%{?dist}
Summary: Routing daemon
License: GPLv2+
URL: http://www.frrouting.org
@ -75,6 +75,8 @@ Patch0004: 0004-fips-mode.patch
Patch0014: 0014-isisd-fuzz-test.patch
# https://github.com/FRRouting/frr/commit/0e6882bc
Patch0015: 0015-fix-CVE-2026-37457.patch
# https://github.com/FRRouting/frr/commit/693a2e02
Patch0016: 0016-fix-CVE-2026-37459.patch
%description
FRRouting is free software that manages TCP/IP based routing protocols. It takes
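Review bot: the upstream reference comment above `Patch0016: 0016-fix-CVE-2026-37459.patch` matches the `From 693a2e02687cdc9d...` line of the added patch file, which is good for traceability; this hunk only declares the patch and does not show it being applied, so check that %prep picks up patch 16 (a matching %patch directive if the spec does not rely on %autosetup), otherwise the Release bump and the changelog entry would ship without the fix.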
@ -283,6 +285,9 @@ make check PYTHON=%{__python3}
%endif
%changelog
* Thu May 21 2026 Michal Ruprich <mruprich@redhat.com> - 10.4.3-3
- Resolves: RHEL-174696 - denial of service via crafted BGP UPDATE message
* Thu May 21 2026 Michal Ruprich <mruprich@redhat.com> - 10.4.3-2
- Resolves: RHEL-174678 - denial of service via crafted FlowSpec component
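Review bot: the new 10.4.3-3 changelog entry is consistent with the Release bump, but it names only the RHEL tracker, while the patch file name and the spec comment identify the fix as CVE-2026-37459; adding the CVE id to the entry (for example `- Resolves: RHEL-174696 - CVE-2026-37459 denial of service via crafted BGP UPDATE message`) makes the security content visible from `rpm -q --changelog` without opening the spec file.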