Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package frr for openSUSE:Factory checked in at 2026-04-23 17:06:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/frr (Old) and /work/SRC/openSUSE:Factory/.frr.new.11940 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "frr" Thu Apr 23 17:06:11 2026 rev:44 rq:1348249 version:10.5.1 Changes: -------- --- /work/SRC/openSUSE:Factory/frr/frr.changes 2026-03-27 16:52:47.467679999 +0100 +++ /work/SRC/openSUSE:Factory/.frr.new.11940/frr.changes 2026-04-23 17:10:13.906623687 +0200 @@ -1,0 +2,8 @@ +Thu Apr 16 15:21:14 UTC 2026 - Marius Tomaschewski <[email protected]> + +- Apply security fix for bgpd EVPN and ENCAP/VNC packet parsing. + The vulnerability may have led to improper access controls + (CVE-2026-5107,bsc#1261013,gh#FRRouting/frr#21098). + [+ 0004-bgpd-improve-packet-parsing-for-EVPN-and-ENCAP-VNC.patch] + +------------------------------------------------------------------- New: ---- 0004-bgpd-improve-packet-parsing-for-EVPN-and-ENCAP-VNC.patch ----------(New B)---------- New: (CVE-2026-5107,bsc#1261013,gh#FRRouting/frr#21098). [+ 0004-bgpd-improve-packet-parsing-for-EVPN-and-ENCAP-VNC.patch] ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ frr.spec ++++++ --- /var/tmp/diff_new_pack.DToFDb/_old 2026-04-23 17:10:15.006668946 +0200 +++ /var/tmp/diff_new_pack.DToFDb/_new 2026-04-23 17:10:15.006668946 +0200 @@ -50,6 +50,7 @@ Patch1: 0001-disable-zmq-test.patch Patch2: 0002-frr-logrotate.patch Patch3: 0003-ospfd-NULL-Pointer-Dereference-fixes.patch +Patch4: 0004-bgpd-improve-packet-parsing-for-EVPN-and-ENCAP-VNC.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: bison >= 2.7 ++++++ 0004-bgpd-improve-packet-parsing-for-EVPN-and-ENCAP-VNC.patch ++++++ >From 52c72c5ad8ccb491a9bab096002072667089d2d3 Mon Sep 17 00:00:00 2001 From: Mark Stapp <[email protected]> Date: Wed, 11 Mar 2026 14:52:54 -0400 Subject: [PATCH] bgpd: improve packet parsing for EVPN and ENCAP/VNC Upstream: yes References: CVE-2026-5107,bsc#1261013,gh#FRRouting/frr#21098,gh#FRRouting/frr#21235 Improve packet validation for EVPN NLRIs and for ENCAP/VNC. Signed-off-by: Mark Stapp <[email protected]> (cherry picked from commit 7676cad65114aa23adde583d91d9d29e2debd045) diff --git a/bgpd/bgp_evpn.c b/bgpd/bgp_evpn.c index 0f621097db..4c809d079d 100644 --- a/bgpd/bgp_evpn.c +++ b/bgpd/bgp_evpn.c @@ -4917,6 +4917,14 @@ static int process_type2_route(struct peer *peer, afi_t afi, safi_t safi, goto fail; } + /* Validate ipaddr_len against the NLRI length */ + if ((psize != 33 + (ipaddr_len / 8)) && (psize != 36 + (ipaddr_len / 8))) { + flog_err(EC_BGP_EVPN_ROUTE_INVALID, + "%u:%s - Rx EVPN Type-2 NLRI with invalid IP address length %d", + peer->bgp->vrf_id, peer->host, ipaddr_len); + goto fail; + } + if (ipaddr_len) { ipaddr_len /= 8; /* Convert to bytes. */ p.prefix.macip_addr.ip.ipa_type = (ipaddr_len == IPV4_MAX_BYTELEN) @@ -5014,6 +5022,15 @@ static int process_type3_route(struct peer *peer, afi_t afi, safi_t safi, /* Get the IP. */ ipaddr_len = *pfx++; + + /* Validate */ + if (psize != 13 + (ipaddr_len / 8)) { + flog_err(EC_BGP_EVPN_ROUTE_INVALID, + "%u:%s - Rx EVPN Type-3 NLRI with invalid IP address length %d", + peer->bgp->vrf_id, peer->host, ipaddr_len); + return -1; + } + if (ipaddr_len == IPV4_MAX_BITLEN) { p.prefix.imet_addr.ip.ipa_type = IPADDR_V4; memcpy(&p.prefix.imet_addr.ip.ip.addr, pfx, IPV4_MAX_BYTELEN); diff --git a/bgpd/bgp_evpn_mh.c b/bgpd/bgp_evpn_mh.c index 1ce5ef2646..5905349922 100644 --- a/bgpd/bgp_evpn_mh.c +++ b/bgpd/bgp_evpn_mh.c @@ -752,9 +752,17 @@ int bgp_evpn_type4_route_process(struct peer *peer, afi_t afi, safi_t safi, memcpy(&esi, pfx, ESI_BYTES); pfx += ESI_BYTES; - /* Get the IP. */ ipaddr_len = *pfx++; + + /* Validate */ + if (psize != 19 + (ipaddr_len / 8)) { + flog_err(EC_BGP_EVPN_ROUTE_INVALID, + "%u:%s - Rx EVPN Type-4 NLRI with invalid IP address length %d", + peer->bgp->vrf_id, peer->host, ipaddr_len); + return -1; + } + if (ipaddr_len == IPV4_MAX_BITLEN) { memcpy(&vtep_ip, pfx, IPV4_MAX_BYTELEN); } else { diff --git a/bgpd/rfapi/rfapi_rib.c b/bgpd/rfapi/rfapi_rib.c index 9a3d56b061..11384b51ca 100644 --- a/bgpd/rfapi/rfapi_rib.c +++ b/bgpd/rfapi/rfapi_rib.c @@ -668,11 +668,20 @@ static void rfapiRibBi2Ri(struct bgp_path_info *bpi, struct rfapi_info *ri, break; case BGP_VNC_SUBTLV_TYPE_RFPOPTION: + /* Check for short subtlv: drop */ + if (pEncap->length < 3) + break; + + /* Length of zero not valid */ + if (pEncap->value[1] == 0) + break; + hop = XCALLOC(MTYPE_BGP_TEA_OPTIONS, sizeof(struct bgp_tea_options)); assert(hop); hop->type = pEncap->value[0]; hop->length = pEncap->value[1]; + hop->value = XCALLOC(MTYPE_BGP_TEA_OPTIONS_VALUE, pEncap->length - 2); assert(hop->value); -- 2.51.0
