Resolves: RHEL-174696 - denial of service via crafted BGP UPDATE message

0015-fix-CVE-2026-37457.patch

@@ -0,0 +1,42 @@
+From 0e6882bc72c0278988a47b2f0f73b7a91099a25c Mon Sep 17 00:00:00 2001
+From: Jafar Al-Gharaibeh <jafar@atcorp.com>
+Date: Mon, 9 Mar 2026 14:36:22 -0500
+Subject: [PATCH] bgpd: fix off-by-one error in FlowSpec operator array bounds
+ check
+
+Change loop > BGP_PBR_MATCH_VAL_MAX to loop >= BGP_PBR_MATCH_VAL_MAX
+in bgp_flowspec_op_decode() and bgp_flowspec_bitmask_decode() to
+prevent writing one element past the end of the mval[] array when
+more than 5 chained operators are present in a FlowSpec component.
+
+Reported-by: Jiahao Lei
+Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>
+---
+ bgpd/bgp_flowspec_util.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/bgpd/bgp_flowspec_util.c b/bgpd/bgp_flowspec_util.c
+index f2da778c2e66..5528a4f6a0e3 100644
+--- a/bgpd/bgp_flowspec_util.c
++++ b/bgpd/bgp_flowspec_util.c
+@@ -274,8 +274,10 @@ int bgp_flowspec_op_decode(enum bgp_flowspec_util_nlri_t type,
+ 	}
+ 
+ 	do {
+-		if (loop > BGP_PBR_MATCH_VAL_MAX)
++		if (loop >= BGP_PBR_MATCH_VAL_MAX) {
+ 			*error = -2;
++			return offset;
++		}
+ 
+ 		if (offset >= max_len) {
+ 			*error = -1;
+@@ -397,7 +399,7 @@ int bgp_flowspec_bitmask_decode(enum bgp_flowspec_util_nlri_t type,
+ 	}
+ 
+ 	do {
+-		if (loop > BGP_PBR_MATCH_VAL_MAX) {
++		if (loop >= BGP_PBR_MATCH_VAL_MAX) {
+ 			*error = -2;
+ 			return offset;
+ 		}

0016-fix-CVE-2026-37459.patch

@@ -0,0 +1,30 @@
+From 693a2e02687cdc9d16501275e05136edea9650d9 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Tue, 10 Mar 2026 20:16:10 +0200
+Subject: [PATCH] bgpd: Check if the NHC length is enough to fill TLV value +
+ TLV header
+
+BGP_NHC_TLV_MIN_LEN is 4 bytes (TLV code + TLV length), and when we parse TLVs,
+we subtract BGP_NHC_TLV_MIN_LEN as well, so we should include BGP_NHC_TLV_MIN_LEN
+when checking the remaining length too.
+
+Reported-by: Jiahao Lei
+
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+---
+ bgpd/bgp_attr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 6bcf5f690613..b707e0531e94 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -3887,7 +3887,7 @@ static int bgp_attr_nhc(struct bgp_attr_parser_args *args)
+ 		tlv_code = stream_getw(s);
+ 		tlv_length = stream_getw(s);
+ 
+-		if (length < tlv_length) {
++		if (length < tlv_length + BGP_NHC_TLV_MIN_LEN) {
+ 			zlog_err("%pBP rcvd BGP NHC TLV length %d exceeds remaining length %d",
+ 				 peer, tlv_length, length);
+ 			bgp_nhc_free(nhc);

frr10.spec

@@ -8,7 +8,7 @@
 
 Name: frr10
 Version: 10.4.3
-Release: 1%{?checkout}%{?dist}
+Release: 3%{?checkout}%{?dist}
 Summary: Routing daemon
 License: GPLv2+
 URL: http://www.frrouting.org
@@ -73,6 +73,10 @@ Patch0003: 0003-disable-eigrp-crypto.patch
 Patch0004: 0004-fips-mode.patch
 # Turn off one fuzz test that fails with the new glibc
 Patch0014: 0014-isisd-fuzz-test.patch
+# https://github.com/FRRouting/frr/commit/0e6882bc
+Patch0015: 0015-fix-CVE-2026-37457.patch
+# https://github.com/FRRouting/frr/commit/693a2e02
+Patch0016: 0016-fix-CVE-2026-37459.patch
 
 %description
 FRRouting is free software that manages TCP/IP based routing protocols. It takes
@@ -281,6 +285,12 @@ make check PYTHON=%{__python3}
 %endif
 
 %changelog
+* Thu May 21 2026 Michal Ruprich <mruprich@redhat.com> - 10.4.3-3
+- Resolves: RHEL-174696 - denial of service via crafted BGP UPDATE message
+
+* Thu May 21 2026 Michal Ruprich <mruprich@redhat.com> - 10.4.3-2
+- Resolves: RHEL-174678 - denial of service via crafted FlowSpec component
+
 * Thu Apr 09 2026 Michal Ruprich <mruprich@redhat.com> - 10.4.3-1
 - Resolves: RHEL-157859 - Bump FRR to 10.4.3 to fix EVPN problems