helium-3rd-party/meta-openembedded
1
0
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-04-02 02:49:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

frr: patch multiple CVEs

Browse Source 
Details:
https://nvd.nist.gov/vuln/detail/CVE-2025-61099
https://nvd.nist.gov/vuln/detail/CVE-2025-61100
https://nvd.nist.gov/vuln/detail/CVE-2025-61101
https://nvd.nist.gov/vuln/detail/CVE-2025-61102
https://nvd.nist.gov/vuln/detail/CVE-2025-61103
https://nvd.nist.gov/vuln/detail/CVE-2025-61104
https://nvd.nist.gov/vuln/detail/CVE-2025-61105
https://nvd.nist.gov/vuln/detail/CVE-2025-61106
https://nvd.nist.gov/vuln/detail/CVE-2025-61107

The PR[1] mentioned in nvd got closed without merge due to unresolved
code review comments but another PR[2] fixed them and changes were merged.

[1] https://github.com/FRRouting/frr/pull/19480
[2] https://github.com/FRRouting/frr/pull/19983

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Ankur Tyagi 2026-01-18 13:23:41 +13:00 committed by Anuj Mittal
parent a0d1cca3be
commit 31777981d7
No known key found for this signature in database
GPG Key ID: 4340AEFE69F5085C
5 changed files with 511 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61100-61101-61102-61103-61104-61105-61106-61107_1.patch Normal file
View File

@ -0,0 +1,37 @@
From c686fcae29ea1ae9ba4ebfa792db79100948eb79 Mon Sep 17 00:00:00 2001
From: s1awwhy <seawwhy@163.com>
Date: Sun, 24 Aug 2025 21:17:55 +0800
Subject: [PATCH] ospfd: Add null check for vty_out in check_tlv_size
Add security check for vty_out. Specifically, Check NULL for vty. If vty is not available, dump info via zlog.
Signed-off-by: s1awwhy <seawwhy@163.com>
CVE: CVE-2025-61099 CVE-2025-61100 CVE-2025-61101 CVE-2025-61102 CVE-2025-61103 CVE-2025-61104 CVE-2025-61105 CVE-2025-61106 CVE-2025-61107
Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/b7d9b7aa47627b31e4b50795284408ab6de98660]
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
ospfd/ospf_ext.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/ospfd/ospf_ext.c b/ospfd/ospf_ext.c
index d82c2146c7..456f163ffa 100644
--- a/ospfd/ospf_ext.c
+++ b/ospfd/ospf_ext.c
@@ -1704,11 +1704,15 @@ static void ospf_ext_lsa_schedule(struct ext_itf *exti, enum lsa_opcode op)
* ------------------------------------
*/
+/* Check NULL for vty. If vty is not available, dump info via zlog */
#define check_tlv_size(size, msg) \
do { \
if (ntohs(tlvh->length) != size) { \
- vty_out(vty, " Wrong %s TLV size: %d(%d). Abort!\n", \
- msg, ntohs(tlvh->length), size); \
+ if (vty != NULL) \
+ vty_out(vty, " Wrong %s TLV size: %d(%d). Abort!\n", \
+ msg, ntohs(tlvh->length), size); \
+ else \
+ zlog_debug(" Wrong %s TLV size: %d(%d). Abort!", msg, ntohs(tlvh->length), size); \
return size + TLV_HDR_SIZE; \
} \
} while (0)

273
meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61100-61101-61102-61103-61104-61105-61106-61107_2.patch Normal file
View File

@ -0,0 +1,273 @@
From e99ada4aca49f34040747c7253e4b2fcd441da8a Mon Sep 17 00:00:00 2001
From: s1awwhy <seawwhy@163.com>
Date: Sun, 24 Aug 2025 21:21:23 +0800
Subject: [PATCH] ospfd: Fix NULL Pointer Deference when dumping link info
When the command debug ospf packet all send/recv detail is enabled in the OSPF
configuration, ospfd will dump detailed information of any received or sent
OSPF packets, either via VTY or through the zlog. However, the original Opaque
LSA handling code failed to check whether the VTY context and show_opaque_info
were available, resulting in NULL pointer dereference and crashes in ospfd.
The patch fixes the Null Pointer Deference Vulnerability in
show_vty_ext_link_rmt_itf_addr, show_vty_ext_link_adj_sid,
show_vty_ext_link_lan_adj_sid, show_vty_unknown_tlv,
show_vty_link_info, show_vty_ext_pref_pref_sid, show_vtY_pref_info.
Specifically, add NULL check for vty. If vty is not available, dump details
via zlog.
Signed-off-by: s1awwhy <seawwhy@163.com>
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
CVE: CVE-2025-61099 CVE-2025-61100 CVE-2025-61101 CVE-2025-61102 CVE-2025-61103 CVE-2025-61104 CVE-2025-61105 CVE-2025-61106 CVE-2025-61107
Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/034e6fe67078810b952630055614ee5710d1196e]
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
ospfd/ospf_ext.c | 184 +++++++++++++++++++++++++++++++++--------------
1 file changed, 130 insertions(+), 54 deletions(-)
diff --git a/ospfd/ospf_ext.c b/ospfd/ospf_ext.c
index 456f163ffa..4fa9c82c34 100644
--- a/ospfd/ospf_ext.c
+++ b/ospfd/ospf_ext.c
@@ -1726,10 +1726,15 @@ static uint16_t show_vty_ext_link_rmt_itf_addr(struct vty *vty,
check_tlv_size(EXT_SUBTLV_RMT_ITF_ADDR_SIZE, "Remote Itf. Address");
- vty_out(vty,
- " Remote Interface Address Sub-TLV: Length %u\n Address: %pI4\n",
- ntohs(top->header.length), &top->value);
-
+ if (vty != NULL) {
+ vty_out(vty,
+ " Remote Interface Address Sub-TLV: Length %u\n Address: %pI4\n",
+ ntohs(top->header.length), &top->value);
+ } else {
+ zlog_debug(" Remote Interface Address Sub-TLV: Length %u",
+ ntohs(top->header.length));
+ zlog_debug(" Address: %pI4", &top->value);
+ }
return TLV_SIZE(tlvh);
}
@@ -1745,15 +1750,28 @@ static uint16_t show_vty_ext_link_adj_sid(struct vty *vty,
: SID_INDEX_SIZE(EXT_SUBTLV_ADJ_SID_SIZE);
check_tlv_size(tlv_size, "Adjacency SID");
- vty_out(vty,
- " Adj-SID Sub-TLV: Length %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\tWeight: 0x%x\n\t%s: %u\n",
- ntohs(top->header.length), top->flags, top->mtid, top->weight,
- CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label"
- : "Index",
- CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG)
- ? GET_LABEL(ntohl(top->value))
- : ntohl(top->value));
-
+ /* Add security check for vty_out. If vty is not available, dump info via zlog.*/
+ if (vty != NULL) {
+ vty_out(vty,
+ " Adj-SID Sub-TLV: Length %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\tWeight: 0x%x\n\t%s: %u\n",
+ ntohs(top->header.length), top->flags, top->mtid, top->weight,
+ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label"
+ : "Index",
+ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG)
+ ? GET_LABEL(ntohl(top->value))
+ : ntohl(top->value));
+ } else {
+ zlog_debug(" Adj-SID Sub-TLV: Length %u", ntohs(top->header.length));
+ zlog_debug(" Flags: 0x%x", top->flags);
+ zlog_debug(" MT-ID:0x%x", top->mtid);
+ zlog_debug(" Weight: 0x%x", top->weight);
+ zlog_debug(" %s: %u",
+ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label"
+ : "Index",
+ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG)
+ ? GET_LABEL(ntohl(top->value))
+ : ntohl(top->value));
+ }
return TLV_SIZE(tlvh);
}
@@ -1770,31 +1788,53 @@ static uint16_t show_vty_ext_link_lan_adj_sid(struct vty *vty,
: SID_INDEX_SIZE(EXT_SUBTLV_LAN_ADJ_SID_SIZE);
check_tlv_size(tlv_size, "LAN-Adjacency SID");
- vty_out(vty,
- " LAN-Adj-SID Sub-TLV: Length %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\tWeight: 0x%x\n\tNeighbor ID: %pI4\n\t%s: %u\n",
- ntohs(top->header.length), top->flags, top->mtid, top->weight,
- &top->neighbor_id,
- CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label"
- : "Index",
- CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG)
- ? GET_LABEL(ntohl(top->value))
- : ntohl(top->value));
-
+ /* Add security check for vty_out. If vty is not available, dump info via zlog. */
+ if (vty != NULL) {
+ vty_out(vty,
+ " LAN-Adj-SID Sub-TLV: Length %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\tWeight: 0x%x\n\tNeighbor ID: %pI4\n\t%s: %u\n",
+ ntohs(top->header.length), top->flags, top->mtid, top->weight,
+ &top->neighbor_id,
+ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label"
+ : "Index",
+ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG)
+ ? GET_LABEL(ntohl(top->value))
+ : ntohl(top->value));
+ } else {
+ zlog_debug(" LAN-Adj-SID Sub-TLV: Length %u", ntohs(top->header.length));
+ zlog_debug(" Flags: 0x%x", top->flags);
+ zlog_debug(" MT-ID:0x%x", top->mtid);
+ zlog_debug(" Weight: 0x%x", top->weight);
+ zlog_debug(" Neighbor ID: %pI4", &top->neighbor_id);
+ zlog_debug(" %s: %u",
+ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label"
+ : "Index",
+ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG)
+ ? GET_LABEL(ntohl(top->value))
+ : ntohl(top->value));
+ }
return TLV_SIZE(tlvh);
}
static uint16_t show_vty_unknown_tlv(struct vty *vty, struct tlv_header *tlvh,
size_t buf_size)
{
+ /* Add security check for vty_out. If vty is not available, dump info via zlog. */
if (TLV_SIZE(tlvh) > buf_size) {
- vty_out(vty, " TLV size %d exceeds buffer size. Abort!",
- TLV_SIZE(tlvh));
+ if (vty != NULL)
+ vty_out(vty, " TLV size %d exceeds buffer size. Abort!", TLV_SIZE(tlvh));
+ else
+ zlog_debug(" TLV size %d exceeds buffer size. Abort!", TLV_SIZE(tlvh));
+
return buf_size;
}
- vty_out(vty, " Unknown TLV: [type(0x%x), length(0x%x)]\n",
- ntohs(tlvh->type), ntohs(tlvh->length));
-
+ if (vty != NULL) {
+ vty_out(vty, " Unknown TLV: [type(0x%x), length(0x%x)]\n",
+ ntohs(tlvh->type), ntohs(tlvh->length));
+ } else {
+ zlog_debug(" Unknown TLV: [type(0x%x), length(0x%x)]",
+ ntohs(tlvh->type), ntohs(tlvh->length));
+ }
return TLV_SIZE(tlvh);
}
@@ -1809,18 +1849,30 @@ static uint16_t show_vty_link_info(struct vty *vty, struct tlv_header *ext,
/* Verify that TLV length is valid against remaining buffer size */
if (length > buf_size) {
- vty_out(vty,
- " Extended Link TLV size %d exceeds buffer size. Abort!\n",
- length);
+ /* Add security check for vty_out. If vty is not available, dump info via zlog. */
+ if (vty != NULL) {
+ vty_out(vty, " Extended Link TLV size %d exceeds buffer size. Abort!\n",
+ length);
+ } else {
+ zlog_debug(" Extended Link TLV size %d exceeds buffer size. Abort!",
+ length);
+ }
return buf_size;
}
- vty_out(vty,
- " Extended Link TLV: Length %u\n Link Type: 0x%x\n"
- " Link ID: %pI4\n",
- ntohs(top->header.length), top->link_type,
- &top->link_id);
- vty_out(vty, " Link data: %pI4\n", &top->link_data);
+ /* Add security check for vty_out. If vty is not available, dump info via zlog. */
+ if (vty != NULL) {
+ vty_out(vty,
+ " Extended Link TLV: Length %u\n Link Type: 0x%x\n"
+ " Link ID: %pI4\n",
+ ntohs(top->header.length), top->link_type, &top->link_id);
+ vty_out(vty, " Link data: %pI4\n", &top->link_data);
+ } else {
+ zlog_debug(" Extended Link TLV: Length %u", ntohs(top->header.length));
+ zlog_debug(" Link Type: 0x%x", top->link_type);
+ zlog_debug(" Link ID: %pI4", &top->link_id);
+ zlog_debug(" Link data: %pI4", &top->link_data);
+ }
/* Skip Extended TLV and parse sub-TLVs */
length -= EXT_TLV_LINK_SIZE;
@@ -1886,15 +1938,27 @@ static uint16_t show_vty_ext_pref_pref_sid(struct vty *vty,
: SID_INDEX_SIZE(EXT_SUBTLV_PREFIX_SID_SIZE);
check_tlv_size(tlv_size, "Prefix SID");
- vty_out(vty,
- " Prefix SID Sub-TLV: Length %u\n\tAlgorithm: %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\t%s: %u\n",
- ntohs(top->header.length), top->algorithm, top->flags,
- top->mtid,
- CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG) ? "Label"
- : "Index",
- CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG)
- ? GET_LABEL(ntohl(top->value))
- : ntohl(top->value));
+ if (vty != NULL) {
+ vty_out(vty,
+ " Prefix SID Sub-TLV: Length %u\n\tAlgorithm: %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\t%s: %u\n",
+ ntohs(top->header.length), top->algorithm, top->flags, top->mtid,
+ CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG) ? "Label"
+ : "Index",
+ CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG)
+ ? GET_LABEL(ntohl(top->value))
+ : ntohl(top->value));
+ } else {
+ zlog_debug(" Prefix SID Sub-TLV: Length %u", ntohs(top->header.length));
+ zlog_debug(" Algorithm: %u", top->algorithm);
+ zlog_debug(" Flags: 0x%x", top->flags);
+ zlog_debug(" MT-ID:0x%x", top->mtid);
+ zlog_debug(" %s: %u",
+ CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG) ? "Label"
+ : "Index",
+ CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG)
+ ? GET_LABEL(ntohl(top->value))
+ : ntohl(top->value));
+ }
return TLV_SIZE(tlvh);
}
@@ -1910,17 +1974,29 @@ static uint16_t show_vty_pref_info(struct vty *vty, struct tlv_header *ext,
/* Verify that TLV length is valid against remaining buffer size */
if (length > buf_size) {
- vty_out(vty,
- " Extended Link TLV size %d exceeds buffer size. Abort!\n",
- length);
+ if (vty != NULL) {
+ vty_out(vty, " Extended Link TLV size %d exceeds buffer size. Abort!\n",
+ length);
+ } else {
+ zlog_debug(" Extended Link TLV size %d exceeds buffer size. Abort!",
+ length);
+ }
return buf_size;
}
- vty_out(vty,
- " Extended Prefix TLV: Length %u\n\tRoute Type: %u\n"
- "\tAddress Family: 0x%x\n\tFlags: 0x%x\n\tAddress: %pI4/%u\n",
- ntohs(top->header.length), top->route_type, top->af, top->flags,
- &top->address, top->pref_length);
+ if (vty != NULL) {
+ vty_out(vty,
+ " Extended Prefix TLV: Length %u\n\tRoute Type: %u\n"
+ "\tAddress Family: 0x%x\n\tFlags: 0x%x\n\tAddress: %pI4/%u\n",
+ ntohs(top->header.length), top->route_type, top->af, top->flags,
+ &top->address, top->pref_length);
+ } else {
+ zlog_debug(" Extended Prefix TLV: Length %u", ntohs(top->header.length));
+ zlog_debug(" Route Type: %u", top->route_type);
+ zlog_debug(" Address Family: 0x%x", top->af);
+ zlog_debug(" Flags: 0x%x", top->flags);
+ zlog_debug(" Address: %pI4/%u", &top->address, top->pref_length);
+ }
/* Skip Extended Prefix TLV and parse sub-TLVs */
length -= EXT_TLV_PREFIX_SIZE;

78
meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61100-61101-61102-61103-61104-61105-61106-61107_3.patch Normal file
View File

@ -0,0 +1,78 @@
From 3b643cde27e33b98037e97a76c0f80447d2a9110 Mon Sep 17 00:00:00 2001
From: Louis Scalbert <louis.scalbert@6wind.com>
Date: Tue, 6 Jan 2026 15:32:32 +0100
Subject: [PATCH] ospfd: skip subsequent tlvs after invalid length
Do not attempt to read subsequent TLVs after an TLV invalid length is
detected.
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
CVE: CVE-2025-61099 CVE-2025-61100 CVE-2025-61101 CVE-2025-61102 CVE-2025-61103 CVE-2025-61104 CVE-2025-61105 CVE-2025-61106 CVE-2025-61107
Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/33dfc7e7be1ac8b66abbf47c30a709215fbc1926]
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
ospfd/ospf_ext.c | 6 +++---
ospfd/ospf_ri.c | 6 +++---
ospfd/ospf_te.c | 6 +++---
3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/ospfd/ospf_ext.c b/ospfd/ospf_ext.c
index 4fa9c82c34..1aa4f579e4 100644
--- a/ospfd/ospf_ext.c
+++ b/ospfd/ospf_ext.c
@@ -1709,11 +1709,11 @@ static void ospf_ext_lsa_schedule(struct ext_itf *exti, enum lsa_opcode op)
do { \
if (ntohs(tlvh->length) != size) { \
if (vty != NULL) \
- vty_out(vty, " Wrong %s TLV size: %d(%d). Abort!\n", \
+ vty_out(vty, " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
msg, ntohs(tlvh->length), size); \
else \
- zlog_debug(" Wrong %s TLV size: %d(%d). Abort!", msg, ntohs(tlvh->length), size); \
- return size + TLV_HDR_SIZE; \
+ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", msg, ntohs(tlvh->length), size); \
+ return OSPF_MAX_LSA_SIZE + 1; \
} \
} while (0)
diff --git a/ospfd/ospf_ri.c b/ospfd/ospf_ri.c
index 80e7f59312..ec9c55645e 100644
--- a/ospfd/ospf_ri.c
+++ b/ospfd/ospf_ri.c
@@ -1206,12 +1206,12 @@ static int ospf_router_info_lsa_update(struct ospf_lsa *lsa)
do { \
if (ntohs(tlvh->length) > size) { \
if (vty != NULL) \
- vty_out(vty, " Wrong %s TLV size: %d(%d)\n", \
+ vty_out(vty, " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
msg, ntohs(tlvh->length), size); \
else \
- zlog_debug(" Wrong %s TLV size: %d(%d)", \
+ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \
msg, ntohs(tlvh->length), size); \
- return size + TLV_HDR_SIZE; \
+ return OSPF_MAX_LSA_SIZE + 1; \
} \
} while (0)
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index 844b28d264..d354015914 100644
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -3189,12 +3189,12 @@ static void ospf_te_init_ted(struct ls_ted *ted, struct ospf *ospf)
do { \
if (ntohs(tlvh->length) > size) { \
if (vty != NULL) \
- vty_out(vty, " Wrong %s TLV size: %d(%d)\n", \
+ vty_out(vty, " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
msg, ntohs(tlvh->length), size); \
else \
- zlog_debug(" Wrong %s TLV size: %d(%d)", \
+ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \
msg, ntohs(tlvh->length), size); \
- return size + TLV_HDR_SIZE; \
+ return OSPF_MAX_LSA_SIZE + 1; \
} \
} while (0)

119
meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61100-61101-61102-61103-61104-61105-61106-61107_4.patch Normal file
View File

@ -0,0 +1,119 @@
From 50de73f57e84007fd01517b414d0987c84d132bb Mon Sep 17 00:00:00 2001
From: Louis Scalbert <louis.scalbert@6wind.com>
Date: Tue, 6 Jan 2026 15:39:37 +0100
Subject: [PATCH] ospfd: reformat check_tlv_size macro
to make frr-bot happy
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
CVE: CVE-2025-61099 CVE-2025-61100 CVE-2025-61101 CVE-2025-61102 CVE-2025-61103 CVE-2025-61104 CVE-2025-61105 CVE-2025-61106 CVE-2025-61107
Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/4e59658233746215a16358603ab0d98b589ba16b]
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
ospfd/ospf_ext.c | 22 ++++++++++++----------
ospfd/ospf_ri.c | 23 ++++++++++++-----------
ospfd/ospf_te.c | 23 ++++++++++++-----------
3 files changed, 36 insertions(+), 32 deletions(-)
diff --git a/ospfd/ospf_ext.c b/ospfd/ospf_ext.c
index 1aa4f579e4..0ab5cc527d 100644
--- a/ospfd/ospf_ext.c
+++ b/ospfd/ospf_ext.c
@@ -1705,16 +1705,18 @@ static void ospf_ext_lsa_schedule(struct ext_itf *exti, enum lsa_opcode op)
*/
/* Check NULL for vty. If vty is not available, dump info via zlog */
-#define check_tlv_size(size, msg) \
- do { \
- if (ntohs(tlvh->length) != size) { \
- if (vty != NULL) \
- vty_out(vty, " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
- msg, ntohs(tlvh->length), size); \
- else \
- zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", msg, ntohs(tlvh->length), size); \
- return OSPF_MAX_LSA_SIZE + 1; \
- } \
+#define check_tlv_size(size, msg) \
+ do { \
+ if (ntohs(tlvh->length) != size) { \
+ if (vty != NULL) \
+ vty_out(vty, \
+ " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
+ msg, ntohs(tlvh->length), size); \
+ else \
+ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \
+ msg, ntohs(tlvh->length), size); \
+ return OSPF_MAX_LSA_SIZE + 1; \
+ } \
} while (0)
/* Cisco experimental SubTLV */
diff --git a/ospfd/ospf_ri.c b/ospfd/ospf_ri.c
index ec9c55645e..c9c3c251f5 100644
--- a/ospfd/ospf_ri.c
+++ b/ospfd/ospf_ri.c
@@ -1202,17 +1202,18 @@ static int ospf_router_info_lsa_update(struct ospf_lsa *lsa)
* Following are vty session control functions.
*------------------------------------------------------------------------*/
-#define check_tlv_size(size, msg) \
- do { \
- if (ntohs(tlvh->length) > size) { \
- if (vty != NULL) \
- vty_out(vty, " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
- msg, ntohs(tlvh->length), size); \
- else \
- zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \
- msg, ntohs(tlvh->length), size); \
- return OSPF_MAX_LSA_SIZE + 1; \
- } \
+#define check_tlv_size(size, msg) \
+ do { \
+ if (ntohs(tlvh->length) > size) { \
+ if (vty != NULL) \
+ vty_out(vty, \
+ " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
+ msg, ntohs(tlvh->length), size); \
+ else \
+ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \
+ msg, ntohs(tlvh->length), size); \
+ return OSPF_MAX_LSA_SIZE + 1; \
+ } \
} while (0)
static uint16_t show_vty_router_cap(struct vty *vty, struct tlv_header *tlvh)
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index d354015914..1bddf97bde 100644
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -3185,17 +3185,18 @@ static void ospf_te_init_ted(struct ls_ted *ted, struct ospf *ospf)
/*------------------------------------------------------------------------*
* Following are vty session control functions.
*------------------------------------------------------------------------*/
-#define check_tlv_size(size, msg) \
- do { \
- if (ntohs(tlvh->length) > size) { \
- if (vty != NULL) \
- vty_out(vty, " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
- msg, ntohs(tlvh->length), size); \
- else \
- zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \
- msg, ntohs(tlvh->length), size); \
- return OSPF_MAX_LSA_SIZE + 1; \
- } \
+#define check_tlv_size(size, msg) \
+ do { \
+ if (ntohs(tlvh->length) > size) { \
+ if (vty != NULL) \
+ vty_out(vty, \
+ " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \
+ msg, ntohs(tlvh->length), size); \
+ else \
+ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \
+ msg, ntohs(tlvh->length), size); \
+ return OSPF_MAX_LSA_SIZE + 1; \
+ } \
} while (0)
static uint16_t show_vty_router_addr(struct vty *vty, struct tlv_header *tlvh)

4
meta-networking/recipes-protocols/frr/frr_9.1.3.bb
View File

@ -14,6 +14,10 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \
file://frr.pam \
file://0001-zebra-Mimic-GNU-basename-API-for-non-glibc-library-e.patch \
file://CVE-2024-55553.patch \
file://CVE-2025-61099-61100-61101-61102-61103-61104-61105-61106-61107_1.patch \
file://CVE-2025-61099-61100-61101-61102-61103-61104-61105-61106-61107_2.patch \
file://CVE-2025-61099-61100-61101-61102-61103-61104-61105-61106-61107_3.patch \
file://CVE-2025-61099-61100-61101-61102-61103-61104-61105-61106-61107_4.patch \
"
SRCREV = "ad1766d17be022587fe05ebe1a7bf10e1b7dce19"