From c1f3b734832db507dce11ead2b6539bb8c4a8599 Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team <packager@msvsphere-os.ru>
Date: Fri, 8 Nov 2024 00:42:34 +0300
Subject: [PATCH] import frr-10.1-7.el10

---
 SOURCES/0007-CVE-2024-44070.patch | 48 +++++++++++++++++++++++++++++++
 SPECS/frr.spec                    |  6 +++-
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0007-CVE-2024-44070.patch

diff --git a/SOURCES/0007-CVE-2024-44070.patch b/SOURCES/0007-CVE-2024-44070.patch
new file mode 100644
index 0000000..89ebf9e
--- /dev/null
+++ b/SOURCES/0007-CVE-2024-44070.patch
@@ -0,0 +1,48 @@
+From 0998b38e4d61179441f90dd7e7fd6a3a8b7bd8c5 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Wed, 31 Jul 2024 08:35:14 +0300
+Subject: [PATCH] bgpd: Check the actual remaining stream length before taking
+ TLV value
+
+```
+    0 0xb50b9f898028 in __sanitizer_print_stack_trace (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x368028) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
+    1 0xb50b9f7ed8e4 in fuzzer::PrintStackTrace() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2bd8e4) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
+    2 0xb50b9f7d4d9c in fuzzer::Fuzzer::CrashCallback() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2a4d9c) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
+    3 0xe0d12d7469cc  (linux-vdso.so.1+0x9cc) (BuildId: 1a77697e9d723fe22246cfd7641b140c427b7e11)
+    4 0xe0d12c88f1fc in __pthread_kill_implementation nptl/pthread_kill.c:43:17
+    5 0xe0d12c84a678 in gsignal signal/../sysdeps/posix/raise.c:26:13
+    6 0xe0d12c83712c in abort stdlib/abort.c:79:7
+    7 0xe0d12d214724 in _zlog_assert_failed /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/zlog.c:789:2
+    8 0xe0d12d1285e4 in stream_get /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/stream.c:324:3
+    9 0xb50b9f8e47c4 in bgp_attr_encap /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:2758:3
+    10 0xb50b9f8dcd38 in bgp_attr_parse /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:3783:10
+    11 0xb50b9faf74b4 in bgp_update_receive /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:2383:20
+    12 0xb50b9faf1dcc in bgp_process_packet /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:4075:11
+    13 0xb50b9f8c90d0 in LLVMFuzzerTestOneInput /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_main.c:582:3
+```
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+---
+ bgpd/bgp_attr.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 2ed49935e52b..ac5d08b6fe6e 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -2749,6 +2749,14 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args)
+ 						  args->total);
+ 		}
+ 
++		if (STREAM_READABLE(BGP_INPUT(peer)) < sublength) {
++			zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu",
++				 sublength, STREAM_READABLE(BGP_INPUT(peer)));
++			return bgp_attr_malformed(args,
++						  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
++						  args->total);
++		}
++
+ 		/* alloc and copy sub-tlv */
+ 		/* TBD make sure these are freed when attributes are released */
+ 		tlv = XCALLOC(MTYPE_ENCAP_TLV,
diff --git a/SPECS/frr.spec b/SPECS/frr.spec
index f2466b4..766fe63 100644
--- a/SPECS/frr.spec
+++ b/SPECS/frr.spec
@@ -9,7 +9,7 @@
 
 Name:           frr
 Version:        10.1
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        Routing daemon
 License:        GPL-2.0-or-later AND ISC AND LGPL-2.0-or-later AND BSD-2-Clause AND BSD-3-Clause AND (GPL-2.0-or-later  OR ISC) AND MIT
 URL:            http://www.frrouting.org
@@ -27,6 +27,7 @@ Patch0003:      0003-disable-eigrp-crypto.patch
 Patch0004:      0004-fips-mode.patch
 Patch0005:      0005-remove-grpc-test.patch
 Patch0006:      0006-noprefixroute-network-manager.patch
+Patch0007:      0007-CVE-2024-44070.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -277,6 +278,9 @@ rm tests/lib/*grpc*
 %endif
 
 %changelog
+* Tue Nov 05 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-7
+- Resolves: RHEL-54674 - Function bgpd/bgp_attr.c does not check the actual remaining stream length
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 10.1-6
 - Bump release for October 2024 mass rebuild:
   Resolves: RHEL-64018