rpm/frr
SHA256
1
0
Fork 0
forked from pool/frr
Code Pull Requests Activity

Accepting request 1170057 from home:mtomaschewski:branches:network

Browse Source 
- Apply upstream fix solving crash in OSPF TE parsing (bsc#1220548,
  CVE-2024-27913, gh#FRRouting/frr#15431)
  [+ 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch]

OBS-URL: https://build.opensuse.org/request/show/1170057
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=65
This commit is contained in:
Martin Hauke 2024-04-28 13:12:33 +00:00 committed by Git OBS Bridge
parent 6cbbcd79f4
commit 52c44b19ae
3 changed files with 46 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch Normal file
View File

@ -0,0 +1,37 @@
From 285c19a3c665087720e1fea7d8d944c961c52288 Mon Sep 17 00:00:00 2001
From: Olivier Dugeon <olivier.dugeon@orange.com>
Date: Mon, 26 Feb 2024 10:40:34 +0100
Subject: [PATCH] ospfd: Solved crash in OSPF TE parsing
Upstream: yes
References: bsc#1220548, CVE-2024-27913, gh#FRRouting/frr#15431
Iggy Frankovic discovered an ospfd crash when perfomring fuzzing of OSPF LSA
packets. The crash occurs in ospf_te_parse_te() function when attemping to
create corresponding egde from TE Link parameters. If there is no local
address, an edge is created but without any attributes. During parsing, the
function try to access to this attribute fields which has not been created
causing an ospfd crash.
The patch simply check if the te parser has found a valid local address. If not
found, we stop the parser which avoid the crash.
Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index 75f4e0c9f0..45eb205759 100644
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -2276,6 +2276,10 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
}
/* Get corresponding Edge from Link State Data Base */
+ if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
+ ote_debug(" |- Found no TE Link local address/ID. Abort!");
+ return -1;
+ }
edge = get_edge(ted, attr.adv, attr.standard.local);
old = edge->attributes;
--
2.35.3

7
frr.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Apr 24 10:40:57 UTC 2024 - Marius Tomaschewski <mt@suse.com>
- Apply upstream fix solving crash in OSPF TE parsing (bsc#1220548,
CVE-2024-27913, gh#FRRouting/frr#15431)
[+ 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch]
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Apr 10 18:59:00 UTC 2024 - Clemens Famulla-Conrad <cfamullaconrad@suse.com> Wed Apr 10 18:59:00 UTC 2024 - Clemens Famulla-Conrad <cfamullaconrad@suse.com>

1
frr.spec
View File

@ -58,6 +58,7 @@ Patch16: 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch
Patch17: 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch Patch17: 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch
Patch18: 0018-bgpd-Flowspec-overflow-issue.patch Patch18: 0018-bgpd-Flowspec-overflow-issue.patch
Patch19: 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch Patch19: 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch
Patch20: 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: bison >= 2.7 BuildRequires: bison >= 2.7