[AutoPR- Security] Patch frr for CVE-2026-28532 [MEDIUM] (microsoft#16989)

Author: azurelinux-security

SPECS/frr/CVE-2026-28532.patch

@@ -0,0 +1,310 @@
+From 263944816e5ea06c9c5dcc35002b819197fbfa60 Mon Sep 17 00:00:00 2001
+From: Jafar Al-Gharaibeh <jafar@atcorp.com>
+Date: Wed, 4 Mar 2026 12:38:46 -0600
+Subject: [PATCH] ospfd: harden TE/SR TLV iteration against malformed lengths
+
+Use 32-bit counters and per-iteration TLV size bounds checks
+in OSPF TE/SR TLV parsers so malformed opaque LSAs cannot wrap
+loop accounting and advance pointers beyond the LSA buffer.
+
+- Change loop accumulators from 16-bit to 32-bit (uint32_t) to
+  prevent wraparound
+- Rework TLV iteration so pointer advancement is controlled in-loop
+- Add per-iteration guard before advancing:
+  - `tlv_size <= (len - sum)` (or `length - sum`)
+- On malformed size, parser now logs and exits/breaks the loop
+  safely instead of stepping past buffer limits
+
+Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>
+(cherry picked from commit d3e8aedb87671f38db59b0df908e25e1d4af027d)
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/FRRouting/frr/commit/c06b61a8586df163fc565667d7bff8e05e0df99d.patch
+---
+ ospfd/ospf_sr.c | 50 ++++++++++++++++++++++++++++++--------
+ ospfd/ospf_te.c | 64 +++++++++++++++++++++++++++++++++++++++----------
+ 2 files changed, 91 insertions(+), 23 deletions(-)
+
+diff --git a/ospfd/ospf_sr.c b/ospfd/ospf_sr.c
+index 078971e..5a9e2c7 100644
+--- a/ospfd/ospf_sr.c
++++ b/ospfd/ospf_sr.c
+@@ -985,7 +985,8 @@ static struct sr_link *get_ext_link_sid(struct tlv_header *tlvh, size_t size)
+ 	struct ext_subtlv_rmt_itf_addr *rmt_itf;
+ 
+ 	struct tlv_header *sub_tlvh;
+-	uint16_t length = 0, sum = 0, i = 0;
++	uint32_t length = 0, sum = 0;
++	uint16_t i = 0;
+ 
+ 	/* Check TLV size */
+ 	if ((ntohs(tlvh->length) > size)
+@@ -1000,7 +1001,15 @@ static struct sr_link *get_ext_link_sid(struct tlv_header *tlvh, size_t size)
+ 	length = ntohs(tlvh->length) - EXT_TLV_LINK_SIZE;
+ 	sub_tlvh = (struct tlv_header *)((char *)(tlvh) + TLV_HDR_SIZE
+ 					 + EXT_TLV_LINK_SIZE);
+-	for (; sum < length && sub_tlvh; sub_tlvh = TLV_HDR_NEXT(sub_tlvh)) {
++	for (; sum < length && sub_tlvh;) {
++		uint32_t tlv_size = TLV_SIZE(sub_tlvh);
++
++		if (tlv_size > length - sum) {
++			zlog_warn("Malformed Extended Link sub-TLV size %u (remaining %u)",
++				  tlv_size, length - sum);
++			break;
++		}
++
+ 		switch (ntohs(sub_tlvh->type)) {
+ 		case EXT_SUBTLV_ADJ_SID:
+ 			adj_sid = (struct ext_subtlv_adj_sid *)sub_tlvh;
+@@ -1041,7 +1050,9 @@ static struct sr_link *get_ext_link_sid(struct tlv_header *tlvh, size_t size)
+ 		default:
+ 			break;
+ 		}
+-		sum += TLV_SIZE(sub_tlvh);
++		sum += tlv_size;
++		if (sum < length)
++			sub_tlvh = TLV_HDR_NEXT(sub_tlvh);
+ 	}
+ 
+ 	IPV4_ADDR_COPY(&srl->itf_addr, &link->link_data);
+@@ -1062,7 +1073,7 @@ static struct sr_prefix *get_ext_prefix_sid(struct tlv_header *tlvh,
+ 	struct ext_subtlv_prefix_sid *psid;
+ 
+ 	struct tlv_header *sub_tlvh;
+-	uint16_t length = 0, sum = 0;
++	uint32_t length = 0, sum = 0;
+ 
+ 	/* Check TLV size */
+ 	if ((ntohs(tlvh->length) > size)
+@@ -1077,7 +1088,15 @@ static struct sr_prefix *get_ext_prefix_sid(struct tlv_header *tlvh,
+ 	length = ntohs(tlvh->length) - EXT_TLV_PREFIX_SIZE;
+ 	sub_tlvh = (struct tlv_header *)((char *)(tlvh) + TLV_HDR_SIZE
+ 					 + EXT_TLV_PREFIX_SIZE);
+-	for (; sum < length && sub_tlvh; sub_tlvh = TLV_HDR_NEXT(sub_tlvh)) {
++	for (; sum < length && sub_tlvh;) {
++		uint32_t tlv_size = TLV_SIZE(sub_tlvh);
++
++		if (tlv_size > length - sum) {
++			zlog_warn("Malformed Extended Prefix sub-TLV size %u (remaining %u)",
++				  tlv_size, length - sum);
++			break;
++		}
++
+ 		switch (ntohs(sub_tlvh->type)) {
+ 		case EXT_SUBTLV_PREFIX_SID:
+ 			psid = (struct ext_subtlv_prefix_sid *)sub_tlvh;
+@@ -1102,7 +1121,9 @@ static struct sr_prefix *get_ext_prefix_sid(struct tlv_header *tlvh,
+ 		default:
+ 			break;
+ 		}
+-		sum += TLV_SIZE(sub_tlvh);
++		sum += tlv_size;
++		if (sum < length)
++			sub_tlvh = TLV_HDR_NEXT(sub_tlvh);
+ 	}
+ 
+ 	osr_debug("  |-  Found SID %u for prefix %pFX", srp->sid,
+@@ -1370,7 +1391,7 @@ void ospf_sr_ri_lsa_update(struct ospf_lsa *lsa)
+ 	struct ri_sr_tlv_sid_label_range *ri_srlb = NULL;
+ 	struct ri_sr_tlv_sr_algorithm *algo = NULL;
+ 	struct sr_block srgb;
+-	uint16_t length = 0, sum = 0;
++	uint32_t length = 0, sum = 0;
+ 	uint8_t msd = 0;
+ 
+ 	osr_debug("SR (%s): Process Router Information LSA 4.0.0.%u from %pI4",
+@@ -1398,8 +1419,15 @@ void ospf_sr_ri_lsa_update(struct ospf_lsa *lsa)
+ 	srgb.range_size = 0;
+ 	srgb.lower_bound = 0;
+ 
+-	for (tlvh = TLV_HDR_TOP(lsah); (sum < length) && (tlvh != NULL);
+-	     tlvh = TLV_HDR_NEXT(tlvh)) {
++	for (tlvh = TLV_HDR_TOP(lsah); (sum < length) && (tlvh != NULL);) {
++		uint32_t tlv_size = TLV_SIZE(tlvh);
++
++		if (tlv_size > length - sum) {
++			zlog_warn("Malformed RI TLV size %u (remaining %u)", tlv_size,
++				  length - sum);
++			break;
++		}
++
+ 		switch (ntohs(tlvh->type)) {
+ 		case RI_SR_TLV_SR_ALGORITHM:
+ 			algo = (struct ri_sr_tlv_sr_algorithm *)tlvh;
+@@ -1416,7 +1444,9 @@ void ospf_sr_ri_lsa_update(struct ospf_lsa *lsa)
+ 		default:
+ 			break;
+ 		}
+-		sum += TLV_SIZE(tlvh);
++		sum += tlv_size;
++		if (sum < length)
++			tlvh = TLV_HDR_NEXT(tlvh);
+ 	}
+ 
+ 	/* Check if Segment Routing Capabilities has been found */
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index 6fdf98f..6b0355a 100644
+--- a/ospfd/ospf_te.c
++++ b/ospfd/ospf_te.c
+@@ -2122,7 +2122,7 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 	struct ls_attributes *old, attr = {};
+ 	struct tlv_header *tlvh;
+ 	void *value;
+-	uint16_t len, sum;
++	uint32_t len, sum;
+ 	uint8_t lsa_id;
+ 
+ 	/* Initialize Attribute */
+@@ -2152,11 +2152,19 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 
+ 	sum = sizeof(struct tlv_header);
+ 	/* Browse sub-TLV and fulfill Link State Attributes */
+-	for (tlvh = TLV_DATA(tlvh); sum < len; tlvh = TLV_HDR_NEXT(tlvh)) {
++	tlvh = TLV_DATA(tlvh);
++	while (sum < len) {
++		uint32_t tlv_size = TLV_SIZE(tlvh);
+ 		uint32_t val32, tab32[2];
+ 		float valf, tabf[8];
+ 		struct in_addr addr;
+ 
++		if (tlv_size > len - sum) {
++			zlog_warn("Malformed TE sub-TLV size %u (remaining %u)", tlv_size,
++				  len - sum);
++			break;
++		}
++
+ 		value = TLV_DATA(tlvh);
+ 		switch (ntohs(tlvh->type)) {
+ 		case TE_LINK_SUBTLV_LCLIF_IPADDR:
+@@ -2251,7 +2259,9 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 		default:
+ 			break;
+ 		}
+-		sum += TLV_SIZE(tlvh);
++		sum += tlv_size;
++		if (sum < len)
++			tlvh = TLV_HDR_NEXT(tlvh);
+ 	}
+ 
+ 	/* Get corresponding Edge from Link State Data Base */
+@@ -2351,7 +2361,7 @@ static int ospf_te_delete_te(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 	struct tlv_header *tlvh;
+ 	struct in_addr addr;
+ 	struct ls_edge_key key = {.family = AF_UNSPEC};
+-	uint16_t len, sum;
++	uint32_t len, sum;
+ 	uint8_t lsa_id;
+ 
+ 	/* Initialize TLV browsing */
+@@ -2363,14 +2373,25 @@ static int ospf_te_delete_te(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 	sum = sizeof(struct tlv_header);
+ 
+ 	/* Browse sub-TLV to find Link ID */
+-	for (tlvh = TLV_DATA(tlvh); sum < len; tlvh = TLV_HDR_NEXT(tlvh)) {
++	tlvh = TLV_DATA(tlvh);
++	while (sum < len) {
++		uint32_t tlv_size = TLV_SIZE(tlvh);
++
++		if (tlv_size > len - sum) {
++			zlog_warn("Malformed TE sub-TLV size %u (remaining %u)", tlv_size,
++				  len - sum);
++			break;
++		}
++
+ 		if (ntohs(tlvh->type) == TE_LINK_SUBTLV_LCLIF_IPADDR) {
+ 			memcpy(&addr, TLV_DATA(tlvh), TE_LINK_SUBTLV_DEF_SIZE);
+ 			key.family = AF_INET;
+ 			IPV4_ADDR_COPY(&key.k.addr, &addr);
+ 			break;
+ 		}
+-		sum += TLV_SIZE(tlvh);
++		sum += tlv_size;
++		if (sum < len)
++			tlvh = TLV_HDR_NEXT(tlvh);
+ 	}
+ 	if (key.family == AF_UNSPEC)
+ 		return 0;
+@@ -2445,7 +2466,7 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 	struct ls_node *node;
+ 	struct lsa_header *lsah = lsa->data;
+ 	struct tlv_header *tlvh;
+-	uint16_t len = 0, sum = 0;
++	uint32_t len = 0, sum = 0;
+ 
+ 	/* Get vertex / Node from LSA Advertised Router ID */
+ 	vertex = get_vertex(ted, lsa);
+@@ -2456,13 +2477,18 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 
+ 	/* Initialize TLV browsing */
+ 	len = lsa->size - OSPF_LSA_HEADER_SIZE;
+-	for (tlvh = TLV_HDR_TOP(lsah); sum < len && tlvh;
+-	     tlvh = TLV_HDR_NEXT(tlvh)) {
++	for (tlvh = TLV_HDR_TOP(lsah); sum < len && tlvh;) {
++		uint32_t tlv_size = TLV_SIZE(tlvh);
+ 		struct ri_sr_tlv_sr_algorithm *algo;
+ 		struct ri_sr_tlv_sid_label_range *range;
+ 		struct ri_sr_tlv_node_msd *msd;
+ 		uint32_t size, lower;
+ 
++		if (tlv_size > len - sum) {
++			zlog_warn("Malformed RI TLV size %u (remaining %u)", tlv_size, len - sum);
++			break;
++		}
++
+ 		switch (ntohs(tlvh->type)) {
+ 		case RI_SR_TLV_SR_ALGORITHM:
+ 			if (TLV_BODY_SIZE(tlvh) < 1 ||
+@@ -2547,7 +2573,9 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 		default:
+ 			break;
+ 		}
+-		sum += TLV_SIZE(tlvh);
++		sum += tlv_size;
++		if (sum < len)
++			tlvh = TLV_HDR_NEXT(tlvh);
+ 	}
+ 
+ 	/* Vertex has been created or updated: export it */
+@@ -2759,7 +2787,8 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 	struct ext_tlv_link *ext;
+ 	struct ls_edge *edge;
+ 	struct ls_attributes *atr;
+-	uint16_t len = 0, sum = 0, i;
++	uint32_t len = 0, sum = 0;
++	uint16_t i;
+ 	uint32_t label;
+ 
+ 	/* Get corresponding Edge from Link State Data Base */
+@@ -2793,11 +2822,18 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 	len -= EXT_TLV_LINK_SIZE;
+ 	tlvh = (struct tlv_header *)((char *)(ext) + TLV_HDR_SIZE
+ 				     + EXT_TLV_LINK_SIZE);
+-	for (; sum < len; tlvh = TLV_HDR_NEXT(tlvh)) {
++	for (; sum < len;) {
++		uint32_t tlv_size = TLV_SIZE(tlvh);
+ 		struct ext_subtlv_adj_sid *adj;
+ 		struct ext_subtlv_lan_adj_sid *ladj;
+ 		struct ext_subtlv_rmt_itf_addr *rmt;
+ 
++		if (tlv_size > len - sum) {
++			zlog_warn("Malformed Extended Link sub-TLV size %u (remaining %u)",
++				  tlv_size, len - sum);
++			break;
++		}
++
+ 		switch (ntohs(tlvh->type)) {
+ 		case EXT_SUBTLV_ADJ_SID:
+ 			if (TLV_BODY_SIZE(tlvh) != EXT_SUBTLV_ADJ_SID_SIZE)
+@@ -2876,7 +2912,9 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
+ 		default:
+ 			break;
+ 		}
+-		sum += TLV_SIZE(tlvh);
++		sum += tlv_size;
++		if (sum < len)
++			tlvh = TLV_HDR_NEXT(tlvh);
+ 	}
+ 
+ 	/* Export Link State Edge if needed */
+-- 
+2.45.4
+

SPECS/frr/frr.spec

@@ -3,7 +3,7 @@
 Summary:        Routing daemon
 Name:           frr
 Version:        10.5.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPL-2.0-or-later
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -21,6 +21,7 @@ Patch5:         0001-Fix-frr-c90-complaint-error.patch
 # CVE-2025-61103, CVE-2025-61104, CVE-2025-61105, CVE-2025-61106 and CVE-2025-61107.
 Patch6:         CVE-2025-61099.patch
 Patch7:         CVE-2026-5107.patch
+Patch8:         CVE-2026-28532.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bison
@@ -200,6 +201,9 @@ rm tests/lib/*grpc*
 %{_sysusersdir}/%{name}.conf
 
 %changelog
+* Fri May 01 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 10.5.0-3
+- Patch for CVE-2026-28532
+
 * Tue Mar 31 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 10.5.0-2
 - Patch for CVE-2026-5107