Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package frr for openSUSE:Factory checked in at 2026-02-16 13:15:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/frr (Old) and /work/SRC/openSUSE:Factory/.frr.new.1977 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "frr" Mon Feb 16 13:15:06 2026 rev:41 rq:1333301 version:10.2.1 Changes: -------- --- /work/SRC/openSUSE:Factory/frr/frr.changes 2025-10-04 18:53:54.100417328 +0200 +++ /work/SRC/openSUSE:Factory/.frr.new.1977/frr.changes 2026-02-16 13:19:40.483951272 +0100 @@ -1,0 +2,25 @@ +Fri Feb 13 14:34:24 UTC 2026 - Marius Tomaschewski <[email protected]> + +- Switch to logrotate config correcting log file empty issue + (gh#FRRouting/frr/issues/15818) depending if syslog or file + logging is used in the frr.conf. +- Fix /var/run leftovers in logrotate config and service file, + create /var/log and /var/lib via tmpfiles.d (jsc#PED-14796). +- Adjust rpm requires for service macros and log rotation (lsof). + +------------------------------------------------------------------- +Thu Feb 12 12:53:01 UTC 2026 - Marius Tomaschewski <[email protected]> + +- Apply upstream ospfd NULL Pointer Dereference fixes. + The vulnerability allowed attackers to cause a Denial of Service + (DoS) via crafted OSPF packets + (bsc#1252838,bsc#1252829,bsc#1252833,bsc#1252835,bsc#1252810, + bsc#1252811,bsc#1252761,bsc#1252812,bsc#1252813,CVE-2025-61099, + CVE-2025-61100,CVE-2025-61101,CVE-2025-61102,CVE-2025-61103, + CVE-2025-61104,CVE-2025-61105,CVE-2025-61106,CVE-2025-61107, + https://github.com/FRRouting/frr/pull/19983) + [+ 0003-ospfd-NULL-Pointer-Dereference-fixes.patch] +- Add -Wno-error=declaration-after-statement to avoid C90 errors; + frr requires C11 compiler with atomic support and sets -std=gnu11 + +------------------------------------------------------------------- New: ---- 0003-ospfd-NULL-Pointer-Dereference-fixes.patch ----------(New B)---------- New: https://github.com/FRRouting/frr/pull/19983) [+ 0003-ospfd-NULL-Pointer-Dereference-fixes.patch] - Add -Wno-error=declaration-after-statement to avoid C90 errors; ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ frr.spec ++++++ --- /var/tmp/diff_new_pack.XxQBFc/_old 2026-02-16 13:19:41.331986529 +0100 +++ /var/tmp/diff_new_pack.XxQBFc/_new 2026-02-16 13:19:41.335986695 +0100 @@ -25,6 +25,7 @@ %define frr_user frr %define frr_group frr %define frrvty_group frrvty +%define frr_logs %{_localstatedir}/log/%{name} # see configure: frr_libstatedir=/var/lib/frr %define frr_home %{_localstatedir}/lib/%{name} # see configure: frr_runstatedir=[/var]/run/frr @@ -44,6 +45,7 @@ Patch0: harden_frr.service.patch Patch1: 0001-disable-zmq-test.patch Patch2: 0002-frr-logrotate.patch +Patch3: 0003-ospfd-NULL-Pointer-Dereference-fixes.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: bison >= 2.7 @@ -82,9 +84,18 @@ BuildRequires: pkgconfig(rtrlib) >= 0.5.0 BuildRequires: pkgconfig(sqlite3) %sysusers_requires -Requires(post): %{install_info_prereq} Requires(pre): %{install_info_prereq} +Requires(post): %{install_info_prereq} Requires(preun): %{install_info_prereq} +# /usr/lib/frr/*.sh aka service macros need: +%{?systemd_ordering} +Requires: grep util-linux +Requires(pre): grep util-linux +Requires(post): grep util-linux +Requires(preun): grep util-linux +Requires(postun): grep util-linux +# logrotation needs: +Requires: lsof Recommends: logrotate Conflicts: quagga Provides: zebra = %{version} @@ -205,7 +216,9 @@ %build # GCC LTO objects must be "fat" to avoid assembly errors -export CFLAGS="-ffat-lto-objects" +# Make sure -Werror=declaration-after-statement is not applied; +# frr sets -std=gnu11 as it requires C11 with atomic support. +export CFLAGS="-ffat-lto-objects -Wno-error=declaration-after-statement" autoreconf -fiv %configure \ @@ -293,8 +306,9 @@ # remove stray buildinfo files find %{buildroot}/%{_docdir}/%{name} -type f -name .buildinfo -delete -# systemd init scripts +# systemd service + daemons file install -D -m 0644 tools/frr.service %{buildroot}%{_unitdir}/frr.service +sed -e "s|/var/run/frr|%{frr_statedir}|g" -i %{buildroot}%{_unitdir}/frr.service install -D -m 0644 tools%{_sysconfdir}/frr/daemons %{buildroot}%{_sysconfdir}/frr/daemons # add rpki module to daemon @@ -307,16 +321,23 @@ install -D -m 0644 redhat/frr.pam %{buildroot}%{_sysconfdir}/pam.d/frr %endif %if 0%{?suse_version} > 1500 -install -D -m 0644 redhat/frr.logrotate %{buildroot}%{_distconfdir}/logrotate.d/frr +install -D -m 0644 tools/etc/logrotate.d/frr %{buildroot}%{_distconfdir}/logrotate.d/frr +sed -e "s|/var/log/frr|%{frr_logs}|g" -e "s|/var/run/frr|%{frr_statedir}|g" \ + -i %{buildroot}%{_distconfdir}/logrotate.d/frr %else -install -D -m 0644 redhat/frr.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/frr +install -D -m 0644 tools/etc/logrotate.d/frr %{buildroot}%{_sysconfdir}/logrotate.d/frr +sed -e "s|/var/log/frr|%{frr_logs}|g" -e "s|/var/run/frr|%{frr_statedir}|g" \ + -i %{buildroot}%{_sysconfdir}/logrotate.d/frr %endif -install -d -m 0750 %{buildroot}%{frr_home} -install -d -m 0751 %{buildroot}%{frr_statedir} -install -d -m 0750 %{buildroot}%{_localstatedir}/log/frr install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/%{name}.conf -sed -e "s|@frr_statedir@|%{frr_statedir}|g" -i %{buildroot}/%{_tmpfilesdir}/%{name}.conf +sed -e "s|@frr_user@|%{frr_user}|g" \ + -e "s|@frr_group@|%{frr_group}|g" \ + -e "s|@frrvty_group@|%{frrvty_group}|g" \ + -e "s|@frr_logs@|%{frr_logs}|g" \ + -e "s|@frr_home@|%{frr_home}|g" \ + -e "s|@frr_statedir@|%{frr_statedir}|g" \ + -i %{buildroot}/%{_tmpfilesdir}/%{name}.conf rm -f %{buildroot}%{frr_daemondir}/ssd @@ -326,7 +347,7 @@ !password frr !enable password frr -log file %{_localstatedir}/log/frr/frr.log +log file %{frr_logs}/frr.log __EOF__ cat > %{buildroot}%{_sysconfdir}/frr/vtysh.conf << __EOF__ ! vtysh is using PAM authentication allowing root to use it. @@ -420,9 +441,9 @@ %{_unitdir}/%{name}.service %dir %{_tmpfilesdir} %{_tmpfilesdir}/%{name}.conf -%dir %attr(0750,%{frr_user},%{frr_group}) %{_localstatedir}/log/frr -%dir %attr(0751,%{frr_user},%{frr_group}) %ghost %{frr_statedir} -%dir %attr(0750,%{frr_user},%{frr_group}) %{frr_home} +%dir %attr(0750,%{frr_user},%{frr_group}) %ghost %{frr_logs} +%dir %attr(0750,%{frr_user},%{frr_group}) %ghost %{frr_home} +%dir %attr(0751,%{frr_user},%{frrvty_group}) %ghost %{frr_statedir} %dir %{_prefix}/lib/frr %{_prefix}/lib/frr/fabricd %{_prefix}/lib/frr/vrrpd ++++++ 0002-frr-logrotate.patch ++++++ --- /var/tmp/diff_new_pack.XxQBFc/_old 2026-02-16 13:19:41.371988191 +0100 +++ /var/tmp/diff_new_pack.XxQBFc/_new 2026-02-16 13:19:41.375988358 +0100 @@ -1,177 +1,15 @@ ---- frr/redhat/frr.logrotate -+++ frr/redhat/frr.logrotate 2025/09/29 12:53:35 -@@ -1,4 +1,5 @@ - /var/log/frr/frr.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -7,6 +8,7 @@ - } +--- frr/tools/etc/logrotate.d/frr ++++ frr/tools/etc/logrotate.d/frr 2026-02-13 11:51:34.850818814 +0100 +@@ -1,9 +1,8 @@ + /var/log/frr/*.log { +- size 500k + sharedscripts + missingok +- compress +- rotate 14 ++ notifempty ++ su frr frr + create 0640 frr frr - /var/log/frr/zebra.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -15,6 +17,7 @@ - } - - /var/log/frr/babeld.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -23,6 +26,7 @@ - } - - /var/log/frr/bgpd.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -31,6 +35,7 @@ - } - - /var/log/frr/isisd.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -39,6 +44,7 @@ - } - - /var/log/frr/ospfd.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -47,6 +53,7 @@ - } - - /var/log/frr/ospf6d.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -55,6 +62,7 @@ - } - - /var/log/frr/ripd.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -63,6 +71,7 @@ - } - - /var/log/frr/ripngd.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -71,6 +80,7 @@ - } - - /var/log/frr/ldpd.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -79,6 +89,7 @@ - } - - /var/log/frr/mgmtd.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -87,6 +98,7 @@ - } - - /var/log/frr/nhrpd.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -95,6 +107,7 @@ - } - - /var/log/frr/eigrpd.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -103,6 +116,7 @@ - } - - /var/log/frr/bfdd.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -111,6 +125,7 @@ - } - - /var/log/frr/fabricd.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -119,6 +134,7 @@ - } - - /var/log/frr/pathd.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -127,6 +143,7 @@ - } - - /var/log/frr/pbrd.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -135,6 +152,7 @@ - } - - /var/log/frr/pimd.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -143,6 +161,7 @@ - } - - /var/log/frr/pim6d.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -151,6 +170,7 @@ - } - - /var/log/frr/sharpd.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -159,6 +179,7 @@ - } - - /var/log/frr/staticd.log { -+ su frr frr - notifempty - missingok - postrotate -@@ -167,6 +188,7 @@ - } - - /var/log/frr/vrrpd.log { -+ su frr frr - notifempty - missingok - postrotate + postrotate ++++++ 0003-ospfd-NULL-Pointer-Dereference-fixes.patch ++++++ >From 4924c5b54a65894eb175330ad91a4e109ab4e47d Mon Sep 17 00:00:00 2001 From: s1awwhy <[email protected]> Date: Sun, 24 Aug 2025 21:17:55 +0800 Subject: [PATCH 1/3] ospfd: Add null check for vty_out in check_tlv_size Upstream: yes References: CVE-2025-61099,CVE-2025-61100,CVE-2025-61101,CVE-2025-61102,CVE-2025-61103,CVE-2025-61104,CVE-2025-61105,CVE-2025-61106,CVE-2025-61107,bsc#1252838,bsc#1252829,bsc#1252833,bsc#1252835,bsc#1252810,bsc#1252811,bsc#1252761,bsc#1252812,bsc#1252813 Add security check for vty_out. Specifically, Check NULL for vty. If vty is not available, dump info via zlog. Signed-off-by: s1awwhy <[email protected]> diff --git a/ospfd/ospf_ext.c b/ospfd/ospf_ext.c index df0b3b9081..8ca0df3200 100644 --- a/ospfd/ospf_ext.c +++ b/ospfd/ospf_ext.c @@ -1705,11 +1705,15 @@ static void ospf_ext_lsa_schedule(struct ext_itf *exti, enum lsa_opcode op) * ------------------------------------ */ +/* Check NULL for vty. If vty is not available, dump info via zlog */ #define check_tlv_size(size, msg) \ do { \ if (ntohs(tlvh->length) != size) { \ - vty_out(vty, " Wrong %s TLV size: %d(%d). Abort!\n", \ - msg, ntohs(tlvh->length), size); \ + if (vty != NULL) \ + vty_out(vty, " Wrong %s TLV size: %d(%d). Abort!\n", \ + msg, ntohs(tlvh->length), size); \ + else \ + zlog_debug(" Wrong %s TLV size: %d(%d). Abort!", msg, ntohs(tlvh->length), size); \ return size + TLV_HDR_SIZE; \ } \ } while (0) -- 2.51.0 >From 4950cc9eea2699c74ae1799d2500c41c12e2001d Mon Sep 17 00:00:00 2001 From: s1awwhy <[email protected]> Date: Sun, 24 Aug 2025 21:21:23 +0800 Subject: [PATCH 2/3] ospfd: Fix NULL Pointer Deference when dumping link info Upstream: yes References: CVE-2025-61099,CVE-2025-61100,CVE-2025-61101,CVE-2025-61102,CVE-2025-61103,CVE-2025-61104,CVE-2025-61105,CVE-2025-61106,CVE-2025-61107,bsc#1252838,bsc#1252829,bsc#1252833,bsc#1252835,bsc#1252810,bsc#1252811,bsc#1252761,bsc#1252812,bsc#1252813 When the command debug ospf packet all send/recv detail is enabled in the OSPF configuration, ospfd will dump detailed information of any received or sent OSPF packets, either via VTY or through the zlog. However, the original Opaque LSA handling code failed to check whether the VTY context and show_opaque_info were available, resulting in NULL pointer dereference and crashes in ospfd. The patch fixes the Null Pointer Deference Vulnerability in show_vty_ext_link_rmt_itf_addr, show_vty_ext_link_adj_sid, show_vty_ext_link_lan_adj_sid, show_vty_unknown_tlv, show_vty_link_info, show_vty_ext_pref_pref_sid, show_vtY_pref_info. Specifically, add NULL check for vty. If vty is not available, dump details via zlog. Signed-off-by: s1awwhy <[email protected]> Signed-off-by: Louis Scalbert <[email protected]> diff --git a/ospfd/ospf_ext.c b/ospfd/ospf_ext.c index 8ca0df3200..89eea3f116 100644 --- a/ospfd/ospf_ext.c +++ b/ospfd/ospf_ext.c @@ -1729,9 +1729,15 @@ static uint16_t show_vty_ext_link_rmt_itf_addr(struct vty *vty, check_tlv_size(EXT_SUBTLV_RMT_ITF_ADDR_SIZE, "Remote Itf. Address"); if (!json) - vty_out(vty, - " Remote Interface Address Sub-TLV: Length %u\n Address: %pI4\n", - ntohs(top->header.length), &top->value); + if (vty != NULL) { + vty_out(vty, + " Remote Interface Address Sub-TLV: Length %u\n Address: %pI4\n", + ntohs(top->header.length), &top->value); + } else { + zlog_debug(" Remote Interface Address Sub-TLV: Length %u", + ntohs(top->header.length)); + zlog_debug(" Address: %pI4", &top->value); + } else json_object_string_addf(json, "remoteInterfaceAddress", "%pI4", &top->value); @@ -1752,18 +1758,30 @@ static uint16_t show_vty_ext_link_adj_sid(struct vty *vty, : SID_INDEX_SIZE(EXT_SUBTLV_ADJ_SID_SIZE); check_tlv_size(tlv_size, "Adjacency SID"); - if (!json) - vty_out(vty, - " Adj-SID Sub-TLV: Length %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\tWeight: 0x%x\n\t%s: %u\n", - ntohs(top->header.length), top->flags, top->mtid, - top->weight, - CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) - ? "Label" - : "Index", - CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) - ? GET_LABEL(ntohl(top->value)) - : ntohl(top->value)); - else { + if (!json) { + /* Add security check for vty_out. If vty is not available, dump info via zlog.*/ + if (vty != NULL) + vty_out(vty, + " Adj-SID Sub-TLV: Length %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\tWeight: 0x%x\n\t%s: %u\n", + ntohs(top->header.length), top->flags, top->mtid, top->weight, + CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label" + : "Index", + CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) + ? GET_LABEL(ntohl(top->value)) + : ntohl(top->value)); + else { + zlog_debug(" Adj-SID Sub-TLV: Length %u", ntohs(top->header.length)); + zlog_debug(" Flags: 0x%x", top->flags); + zlog_debug(" MT-ID:0x%x", top->mtid); + zlog_debug(" Weight: 0x%x", top->weight); + zlog_debug(" %s: %u", + CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label" + : "Index", + CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) + ? GET_LABEL(ntohl(top->value)) + : ntohl(top->value)); + } + } else { json_object_string_addf(json, "flags", "0x%x", top->flags); json_object_string_addf(json, "mtID", "0x%x", top->mtid); json_object_string_addf(json, "weight", "0x%x", top->weight); @@ -1791,18 +1809,32 @@ static uint16_t show_vty_ext_link_lan_adj_sid(struct vty *vty, : SID_INDEX_SIZE(EXT_SUBTLV_LAN_ADJ_SID_SIZE); check_tlv_size(tlv_size, "LAN-Adjacency SID"); - if (!json) - vty_out(vty, - " LAN-Adj-SID Sub-TLV: Length %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\tWeight: 0x%x\n\tNeighbor ID: %pI4\n\t%s: %u\n", - ntohs(top->header.length), top->flags, top->mtid, - top->weight, &top->neighbor_id, - CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) - ? "Label" - : "Index", - CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) - ? GET_LABEL(ntohl(top->value)) - : ntohl(top->value)); - else { + if (!json) { + /* Add security check for vty_out. If vty is not available, dump info via zlog. */ + if (vty != NULL) { + vty_out(vty, + " LAN-Adj-SID Sub-TLV: Length %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\tWeight: 0x%x\n\tNeighbor ID: %pI4\n\t%s: %u\n", + ntohs(top->header.length), top->flags, top->mtid, top->weight, + &top->neighbor_id, + CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label" + : "Index", + CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) + ? GET_LABEL(ntohl(top->value)) + : ntohl(top->value)); + } else { + zlog_debug(" LAN-Adj-SID Sub-TLV: Length %u", ntohs(top->header.length)); + zlog_debug(" Flags: 0x%x", top->flags); + zlog_debug(" MT-ID:0x%x", top->mtid); + zlog_debug(" Weight: 0x%x", top->weight); + zlog_debug(" Neighbor ID: %pI4", &top->neighbor_id); + zlog_debug(" %s: %u", + CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label" + : "Index", + CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) + ? GET_LABEL(ntohl(top->value)) + : ntohl(top->value)); + } + } else { json_object_string_addf(json, "flags", "0x%x", top->flags); json_object_string_addf(json, "mtID", "0x%x", top->mtid); json_object_string_addf(json, "weight", "0x%x", top->weight); @@ -1823,14 +1855,23 @@ static uint16_t show_vty_unknown_tlv(struct vty *vty, struct tlv_header *tlvh, { json_object *obj; + /* Add security check for vty_out. If vty is not available, dump info via zlog. */ if (TLV_SIZE(tlvh) > buf_size) { - vty_out(vty, " TLV size %d exceeds buffer size. Abort!", - TLV_SIZE(tlvh)); + if (vty != NULL) + vty_out(vty, " TLV size %d exceeds buffer size. Abort!", TLV_SIZE(tlvh)); + else + zlog_debug(" TLV size %d exceeds buffer size. Abort!", TLV_SIZE(tlvh)); + return buf_size; } if (!json) - vty_out(vty, " Unknown TLV: [type(0x%x), length(0x%x)]\n", - ntohs(tlvh->type), ntohs(tlvh->length)); + if (vty != NULL) { + vty_out(vty, " Unknown TLV: [type(0x%x), length(0x%x)]\n", + ntohs(tlvh->type), ntohs(tlvh->length)); + } else { + zlog_debug(" Unknown TLV: [type(0x%x), length(0x%x)]", + ntohs(tlvh->type), ntohs(tlvh->length)); + } else { obj = json_object_new_object(); json_object_string_addf(obj, "type", "0x%x", @@ -1855,19 +1896,31 @@ static uint16_t show_vty_link_info(struct vty *vty, struct tlv_header *ext, /* Verify that TLV length is valid against remaining buffer size */ if (length > buf_size) { - vty_out(vty, - " Extended Link TLV size %d exceeds buffer size. Abort!\n", - length); + /* Add security check for vty_out. If vty is not available, dump info via zlog. */ + if (vty != NULL) { + vty_out(vty, " Extended Link TLV size %d exceeds buffer size. Abort!\n", + length); + } else { + zlog_debug(" Extended Link TLV size %d exceeds buffer size. Abort!", + length); + } return buf_size; } if (!json) { - vty_out(vty, - " Extended Link TLV: Length %u\n Link Type: 0x%x\n" - " Link ID: %pI4\n", - ntohs(top->header.length), top->link_type, - &top->link_id); - vty_out(vty, " Link data: %pI4\n", &top->link_data); + /* Add security check for vty_out. If vty is not available, dump info via zlog. */ + if (vty != NULL) { + vty_out(vty, + " Extended Link TLV: Length %u\n Link Type: 0x%x\n" + " Link ID: %pI4\n", + ntohs(top->header.length), top->link_type, &top->link_id); + vty_out(vty, " Link data: %pI4\n", &top->link_data); + } else { + zlog_debug(" Extended Link TLV: Length %u", ntohs(top->header.length)); + zlog_debug(" Link Type: 0x%x", top->link_type); + zlog_debug(" Link ID: %pI4", &top->link_id); + zlog_debug(" Link data: %pI4", &top->link_data); + } } else { json_object_string_addf(json, "linkType", "0x%x", top->link_type); @@ -1959,18 +2012,29 @@ static uint16_t show_vty_ext_pref_pref_sid(struct vty *vty, : SID_INDEX_SIZE(EXT_SUBTLV_PREFIX_SID_SIZE); check_tlv_size(tlv_size, "Prefix SID"); - if (!json) - vty_out(vty, - " Prefix SID Sub-TLV: Length %u\n\tAlgorithm: %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\t%s: %u\n", - ntohs(top->header.length), top->algorithm, top->flags, - top->mtid, - CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG) - ? "Label" - : "Index", - CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG) - ? GET_LABEL(ntohl(top->value)) - : ntohl(top->value)); - else { + if (!json) { + if (vty != NULL) { + vty_out(vty, + " Prefix SID Sub-TLV: Length %u\n\tAlgorithm: %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\t%s: %u\n", + ntohs(top->header.length), top->algorithm, top->flags, top->mtid, + CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG) ? "Label" + : "Index", + CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG) + ? GET_LABEL(ntohl(top->value)) + : ntohl(top->value)); + } else { + zlog_debug(" Prefix SID Sub-TLV: Length %u", ntohs(top->header.length)); + zlog_debug(" Algorithm: %u", top->algorithm); + zlog_debug(" Flags: 0x%x", top->flags); + zlog_debug(" MT-ID:0x%x", top->mtid); + zlog_debug(" %s: %u", + CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG) ? "Label" + : "Index", + CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG) + ? GET_LABEL(ntohl(top->value)) + : ntohl(top->value)); + } + } else { json_object_int_add(json, "algorithm", top->algorithm); json_object_string_addf(json, "flags", "0x%x", top->flags); json_object_string_addf(json, "mtID", "0x%x", top->mtid); @@ -1995,19 +2059,31 @@ static uint16_t show_vty_pref_info(struct vty *vty, struct tlv_header *ext, /* Verify that TLV length is valid against remaining buffer size */ if (length > buf_size) { - vty_out(vty, - " Extended Link TLV size %d exceeds buffer size. Abort!\n", - length); + if (vty != NULL) { + vty_out(vty, " Extended Link TLV size %d exceeds buffer size. Abort!\n", + length); + } else { + zlog_debug(" Extended Link TLV size %d exceeds buffer size. Abort!", + length); + } return buf_size; } - if (!json) - vty_out(vty, - " Extended Prefix TLV: Length %u\n\tRoute Type: %u\n" - "\tAddress Family: 0x%x\n\tFlags: 0x%x\n\tAddress: %pI4/%u\n", - ntohs(top->header.length), top->route_type, top->af, - top->flags, &top->address, top->pref_length); - else { + if (!json) { + if (vty != NULL) { + vty_out(vty, + " Extended Prefix TLV: Length %u\n\tRoute Type: %u\n" + "\tAddress Family: 0x%x\n\tFlags: 0x%x\n\tAddress: %pI4/%u\n", + ntohs(top->header.length), top->route_type, top->af, top->flags, + &top->address, top->pref_length); + } else { + zlog_debug(" Extended Prefix TLV: Length %u", ntohs(top->header.length)); + zlog_debug(" Route Type: %u", top->route_type); + zlog_debug(" Address Family: 0x%x", top->af); + zlog_debug(" Flags: 0x%x", top->flags); + zlog_debug(" Address: %pI4/%u", &top->address, top->pref_length); + } + } else { json_object_int_add(json, "routeType", top->route_type); json_object_string_addf(json, "addressFamily", "0x%x", top->af); json_object_string_addf(json, "flags", "0x%x", top->flags); -- 2.51.0 >From 4b5712f5d995d1628a21e79c39a5feda4d5ac5c0 Mon Sep 17 00:00:00 2001 From: Louis Scalbert <[email protected]> Date: Tue, 6 Jan 2026 15:32:32 +0100 Subject: [PATCH 3/3] ospfd: skip subsequent tlvs after invalid length Upstream: yes References: CVE-2025-61099,CVE-2025-61100,CVE-2025-61101,CVE-2025-61102,CVE-2025-61103,CVE-2025-61104,CVE-2025-61105,CVE-2025-61106,CVE-2025-61107,bsc#1252838,bsc#1252829,bsc#1252833,bsc#1252835,bsc#1252810,bsc#1252811,bsc#1252761,bsc#1252812,bsc#1252813 Do not attempt to read subsequent TLVs after an TLV invalid length is detected. Signed-off-by: Louis Scalbert <[email protected]> diff --git a/ospfd/ospf_ext.c b/ospfd/ospf_ext.c index 89eea3f116..c1fcd632e0 100644 --- a/ospfd/ospf_ext.c +++ b/ospfd/ospf_ext.c @@ -1710,11 +1710,11 @@ static void ospf_ext_lsa_schedule(struct ext_itf *exti, enum lsa_opcode op) do { \ if (ntohs(tlvh->length) != size) { \ if (vty != NULL) \ - vty_out(vty, " Wrong %s TLV size: %d(%d). Abort!\n", \ + vty_out(vty, " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \ msg, ntohs(tlvh->length), size); \ else \ - zlog_debug(" Wrong %s TLV size: %d(%d). Abort!", msg, ntohs(tlvh->length), size); \ - return size + TLV_HDR_SIZE; \ + zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", msg, ntohs(tlvh->length), size); \ + return OSPF_MAX_LSA_SIZE + 1; \ } \ } while (0) diff --git a/ospfd/ospf_ri.c b/ospfd/ospf_ri.c index 76e6efeb83..7934b25451 100644 --- a/ospfd/ospf_ri.c +++ b/ospfd/ospf_ri.c @@ -1208,12 +1208,12 @@ static int ospf_router_info_lsa_update(struct ospf_lsa *lsa) do { \ if (ntohs(tlvh->length) > size) { \ if (vty != NULL) \ - vty_out(vty, " Wrong %s TLV size: %d(%d)\n", \ + vty_out(vty, " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \ msg, ntohs(tlvh->length), size); \ else \ - zlog_debug(" Wrong %s TLV size: %d(%d)", \ + zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \ msg, ntohs(tlvh->length), size); \ - return size + TLV_HDR_SIZE; \ + return OSPF_MAX_LSA_SIZE + 1; \ } \ } while (0) diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c index d57990e1a1..7a68905dc7 100644 --- a/ospfd/ospf_te.c +++ b/ospfd/ospf_te.c @@ -3190,12 +3190,12 @@ static void ospf_te_init_ted(struct ls_ted *ted, struct ospf *ospf) do { \ if (ntohs(tlvh->length) > size) { \ if (vty != NULL) \ - vty_out(vty, " Wrong %s TLV size: %d(%d)\n", \ + vty_out(vty, " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \ msg, ntohs(tlvh->length), size); \ else \ - zlog_debug(" Wrong %s TLV size: %d(%d)", \ + zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \ msg, ntohs(tlvh->length), size); \ - return size + TLV_HDR_SIZE; \ + return OSPF_MAX_LSA_SIZE + 1; \ } \ } while (0) -- 2.51.0 ++++++ frr-tmpfiles.d ++++++ --- /var/tmp/diff_new_pack.XxQBFc/_old 2026-02-16 13:19:41.439991020 +0100 +++ /var/tmp/diff_new_pack.XxQBFc/_new 2026-02-16 13:19:41.447991351 +0100 @@ -1,2 +1,4 @@ -d @frr_statedir@ 0751 frr frrvty +d @frr_logs@ 0750 @frr_user@ @frr_group@ +d @frr_home@ 0750 @frr_user@ @frr_group@ +d @frr_statedir@ 0751 @frr_user@ @frrvty_group@
