From fbfb307843ba61590fcf77f5bc49a4bfe57b5b00 Mon Sep 17 00:00:00 2001 From: Michal Ruprich Date: Thu, 21 May 2026 16:35:23 +0200 Subject: [PATCH] Resolves: RHEL-174696 - denial of service via crafted BGP UPDATE message --- 0016-fix-CVE-2026-37459.patch | 30 ++++++++++++++++++++++++++++++ frr10.spec | 7 ++++++- 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 0016-fix-CVE-2026-37459.patch diff --git a/0016-fix-CVE-2026-37459.patch b/0016-fix-CVE-2026-37459.patch new file mode 100644 index 0000000..4792c99 --- /dev/null +++ b/0016-fix-CVE-2026-37459.patch @@ -0,0 +1,30 @@ +From 693a2e02687cdc9d16501275e05136edea9650d9 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Tue, 10 Mar 2026 20:16:10 +0200 +Subject: [PATCH] bgpd: Check if the NHC length is enough to fill TLV value + + TLV header + +BGP_NHC_TLV_MIN_LEN is 4 bytes (TLV code + TLV length), and when we parse TLVs, +we subtract BGP_NHC_TLV_MIN_LEN as well, so we should include BGP_NHC_TLV_MIN_LEN +when checking the remaining length too. + +Reported-by: Jiahao Lei + +Signed-off-by: Donatas Abraitis +--- + bgpd/bgp_attr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 6bcf5f690613..b707e0531e94 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -3887,7 +3887,7 @@ static int bgp_attr_nhc(struct bgp_attr_parser_args *args) + tlv_code = stream_getw(s); + tlv_length = stream_getw(s); + +- if (length < tlv_length) { ++ if (length < tlv_length + BGP_NHC_TLV_MIN_LEN) { + zlog_err("%pBP rcvd BGP NHC TLV length %d exceeds remaining length %d", + peer, tlv_length, length); + bgp_nhc_free(nhc); diff --git a/frr10.spec b/frr10.spec index e3fdfa8..854ffb8 100644 --- a/frr10.spec +++ b/frr10.spec @@ -8,7 +8,7 @@ Name: frr10 Version: 10.4.3 -Release: 2%{?checkout}%{?dist} +Release: 3%{?checkout}%{?dist} Summary: Routing daemon License: GPLv2+ URL: http://www.frrouting.org @@ -75,6 +75,8 @@ Patch0004: 0004-fips-mode.patch Patch0014: 0014-isisd-fuzz-test.patch # https://github.com/FRRouting/frr/commit/0e6882bc Patch0015: 0015-fix-CVE-2026-37457.patch +# https://github.com/FRRouting/frr/commit/693a2e02 +Patch0016: 0016-fix-CVE-2026-37459.patch %description FRRouting is free software that manages TCP/IP based routing protocols. It takes @@ -283,6 +285,9 @@ make check PYTHON=%{__python3} %endif %changelog +* Thu May 21 2026 Michal Ruprich - 10.4.3-3 +- Resolves: RHEL-174696 - denial of service via crafted BGP UPDATE message + * Thu May 21 2026 Michal Ruprich - 10.4.3-2 - Resolves: RHEL-174678 - denial of service via crafted FlowSpec component