From 52c44b19aeb44ff8c8742e8cdf65275ada3ef71b40350c442da21b2ad768042f Mon Sep 17 00:00:00 2001 From: Martin Hauke Date: Sun, 28 Apr 2024 13:12:33 +0000 Subject: [PATCH] Accepting request 1170057 from home:mtomaschewski:branches:network - Apply upstream fix solving crash in OSPF TE parsing (bsc#1220548, CVE-2024-27913, gh#FRRouting/frr#15431) [+ 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch] OBS-URL: https://build.opensuse.org/request/show/1170057 OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=65 --- ...spfd-Solved-crash-in-OSPF-TE-parsing.patch | 37 +++++++++++++++++++ frr.changes | 7 ++++ frr.spec | 3 +- 3 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch diff --git a/0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch b/0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch new file mode 100644 index 0000000..2c1979e --- /dev/null +++ b/0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch 
@@ -0,0 +1,37 @@ +From 285c19a3c665087720e1fea7d8d944c961c52288 Mon Sep 17 00:00:00 2001 +From: Olivier Dugeon +Date: Mon, 26 Feb 2024 10:40:34 +0100 +Subject: [PATCH] ospfd: Solved crash in OSPF TE parsing +Upstream: yes +References: bsc#1220548, CVE-2024-27913, gh#FRRouting/frr#15431 + +Iggy Frankovic discovered an ospfd crash when perfomring fuzzing of OSPF LSA +packets. The crash occurs in ospf_te_parse_te() function when attemping to +create corresponding egde from TE Link parameters. If there is no local +address, an edge is created but without any attributes. During parsing, the +function try to access to this attribute fields which has not been created +causing an ospfd crash. + +The patch simply check if the te parser has found a valid local address. If not +found, we stop the parser which avoid the crash. + +Signed-off-by: Olivier Dugeon + +diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c +index 75f4e0c9f0..45eb205759 100644 +--- a/ospfd/ospf_te.c ++++ b/ospfd/ospf_te.c +@@ -2276,6 +2276,10 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa) + } + + /* Get corresponding Edge from Link State Data Base */ ++ if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) { ++ ote_debug(" |- Found no TE Link local address/ID. Abort!"); ++ return -1; ++ } + edge = get_edge(ted, attr.adv, attr.standard.local); + old = edge->attributes; + +-- +2.35.3 + diff --git a/frr.changes b/frr.changes index a38b3e9..8ab2300 100644 --- a/frr.changes +++ b/frr.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Apr 24 10:40:57 UTC 2024 - Marius Tomaschewski + +- Apply upstream fix solving crash in OSPF TE parsing (bsc#1220548, + CVE-2024-27913, gh#FRRouting/frr#15431) + [+ 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch] + ------------------------------------------------------------------- Wed Apr 10 18:59:00 UTC 2024 - Clemens Famulla-Conrad 
diff --git a/frr.spec b/frr.spec index 2835ab9..0e867d2 100644 --- a/frr.spec +++ b/frr.spec @@ -58,6 +58,7 @@ Patch16: 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch Patch17: 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch Patch18: 0018-bgpd-Flowspec-overflow-issue.patch Patch19: 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch +Patch20: 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: bison >= 2.7 @@ -93,7 +94,7 @@ BuildRequires: pkgconfig(sqlite3) Requires(post): %{install_info_prereq} Requires(pre): %{install_info_prereq} Requires(pre): shadow -Requires(preun): %{install_info_prereq} +Requires(preun):%{install_info_prereq} Recommends: logrotate Conflicts: quagga Provides: zebra = %{version}
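Review bot: in the ospfd/ospf_te.c hunk (@@ -2276,6 +2276,10 @@) carried by 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch, the result of get_edge() is still dereferenced on the very next line (`old = edge->attributes;`) with no NULL check visible in the hunk. The new guard rejects a TE Link that has neither a local address nor a local ID, but checking `edge` itself before the dereference would also cover any other case where no usable edge comes back. Two smaller points: the guard now sits between the existing comment "Get corresponding Edge from Link State Data Base" and the call that comment describes, so it would read better above that comment with a one-line comment of its own; and the rejection is reported only through ote_debug(), which by its name is a debug-level message, so consider logging at a level operators will see when a peer sends a malformed TE LSA.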
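Review bot: in the first frr.spec hunk (@@ -58,6 +58,7 @@), Patch20 is declared but neither spec hunk adds a line that applies it, and the diffstat shows only three changed lines in frr.spec. Please confirm that the %prep section applies every declared patch automatically (for example through %autosetup or %autopatch); otherwise the CVE-2024-27913 fix is shipped in the source package but never built into the binaries.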
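Review bot: in the second frr.spec hunk (@@ -93,7 +94,7 @@), the change from `Requires(preun): %{install_info_prereq}` to `Requires(preun):%{install_info_prereq}` drops the space after the colon and is unrelated to the security fix. It is not mentioned in the frr.changes entry and leaves the line inconsistent with the neighbouring `Requires(post):` and `Requires(pre):` lines. Suggest reverting it so the diff for this CVE fix contains only the Patch20 line.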