pool/frr
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
0d23942aca
frr/0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch
Erico Mendonca 0d23942aca - Update to version 10.0.1 from official sources. 
- Clean slate: removing all previous patches.
- The following patches were obsoleted:
  - 0001-disable-zmq-test.patch
  - harden_frr.service.patch
  - 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch
  - 0004-tools-remove-backslash-from-declare-check-regex.patch
  - 0005-root-ok-in-account-frr.pam.patch
  - 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch
  - 0007-bgpd-Ensure-stream-received-has-enough-data.patch
  - 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch
  - 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch
  - 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch
  - 0011-babeld-fix-11808-to-avoid-infinite-loops.patch
  - 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch
  - 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch
  - 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch
  - 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch
  - 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch
  - 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch
  - 0018-bgpd-Flowspec-overflow-issue.patch
  - 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch
  - 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch
  - 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch
  - 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch
  - 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch

OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=69
2024-08-08 12:14:43 +00:00

38 lines
1.4 KiB
Diff
Raw Blame History

From 285c19a3c665087720e1fea7d8d944c961c52288 Mon Sep 17 00:00:00 2001
From: Olivier Dugeon <olivier.dugeon@orange.com>
Date: Mon, 26 Feb 2024 10:40:34 +0100
Subject: [PATCH] ospfd: Solved crash in OSPF TE parsing
Upstream: yes
References: bsc#1220548, CVE-2024-27913, gh#FRRouting/frr#15431
Iggy Frankovic discovered an ospfd crash when perfomring fuzzing of OSPF LSA
packets. The crash occurs in ospf_te_parse_te() function when attemping to
create corresponding egde from TE Link parameters. If there is no local
address, an edge is created but without any attributes. During parsing, the
function try to access to this attribute fields which has not been created
causing an ospfd crash.
The patch simply check if the te parser has found a valid local address. If not
found, we stop the parser which avoid the crash.
Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index 75f4e0c9f0..45eb205759 100644
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -2276,6 +2276,10 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
}
/* Get corresponding Edge from Link State Data Base */
+ if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
+ ote_debug(" |- Found no TE Link local address/ID. Abort!");
+ return -1;
+ }
edge = get_edge(ted, attr.adv, attr.standard.local);
old = edge->attributes;
--
2.35.3
Reference in New Issue View Git Blame Copy Permalink