[AutoPR- Security] Patch frr for CVE-2026-5107 [LOW] (#16380)

azurelinux-security · web-flow · commit 9de16cdfeecd · 2026-04-01T20:52:42.000+05:30
diff --git a/SPECS/frr/CVE-2026-5107.patch b/SPECS/frr/CVE-2026-5107.patch
@@ -0,0 +1,103 @@
+From f708d9a5e33c8bcb17c266e8917c90dd2f84b0f9 Mon Sep 17 00:00:00 2001
+From: Mark Stapp <mjs@cisco.com>
+Date: Wed, 11 Mar 2026 14:52:54 -0400
+Subject: [PATCH] bgpd: improve packet parsing for EVPN and ENCAP/VNC
+
+Improve packet validation for EVPN NLRIs and for ENCAP/VNC.
+
+Signed-off-by: Mark Stapp <mjs@cisco.com>
+(cherry picked from commit 7676cad65114aa23adde583d91d9d29e2debd045)
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/FRRouting/frr/commit/52c72c5ad8ccb491a9bab096002072667089d2d3.patch
+---
+ bgpd/bgp_evpn.c        | 17 +++++++++++++++++
+ bgpd/bgp_evpn_mh.c     | 10 +++++++++-
+ bgpd/rfapi/rfapi_rib.c |  9 +++++++++
+ 3 files changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/bgpd/bgp_evpn.c b/bgpd/bgp_evpn.c
+index e33a30b..d061908 100644
+--- a/bgpd/bgp_evpn.c
++++ b/bgpd/bgp_evpn.c
+@@ -4917,6 +4917,14 @@ static int process_type2_route(struct peer *peer, afi_t afi, safi_t safi,
+ 		goto fail;
+ 	}
+ 
++	/* Validate ipaddr_len against the NLRI length */
++	if ((psize != 33 + (ipaddr_len / 8)) && (psize != 36 + (ipaddr_len / 8))) {
++		flog_err(EC_BGP_EVPN_ROUTE_INVALID,
++			 "%u:%s - Rx EVPN Type-2 NLRI with invalid IP address length %d",
++			 peer->bgp->vrf_id, peer->host, ipaddr_len);
++		goto fail;
++	}
++
+ 	if (ipaddr_len) {
+ 		ipaddr_len /= 8; /* Convert to bytes. */
+ 		p.prefix.macip_addr.ip.ipa_type = (ipaddr_len == IPV4_MAX_BYTELEN)
+@@ -5014,6 +5022,15 @@ static int process_type3_route(struct peer *peer, afi_t afi, safi_t safi,
+ 
+ 	/* Get the IP. */
+ 	ipaddr_len = *pfx++;
++
++	/* Validate */
++	if (psize != 13 + (ipaddr_len / 8)) {
++		flog_err(EC_BGP_EVPN_ROUTE_INVALID,
++			 "%u:%s - Rx EVPN Type-3 NLRI with invalid IP address length %d",
++			 peer->bgp->vrf_id, peer->host, ipaddr_len);
++		return -1;
++	}
++
+ 	if (ipaddr_len == IPV4_MAX_BITLEN) {
+ 		p.prefix.imet_addr.ip.ipa_type = IPADDR_V4;
+ 		memcpy(&p.prefix.imet_addr.ip.ip.addr, pfx, IPV4_MAX_BYTELEN);
+diff --git a/bgpd/bgp_evpn_mh.c b/bgpd/bgp_evpn_mh.c
+index 1ce5ef2..5905349 100644
+--- a/bgpd/bgp_evpn_mh.c
++++ b/bgpd/bgp_evpn_mh.c
+@@ -752,9 +752,17 @@ int bgp_evpn_type4_route_process(struct peer *peer, afi_t afi, safi_t safi,
+ 	memcpy(&esi, pfx, ESI_BYTES);
+ 	pfx += ESI_BYTES;
+ 
+-
+ 	/* Get the IP. */
+ 	ipaddr_len = *pfx++;
++
++	/* Validate */
++	if (psize != 19 + (ipaddr_len / 8)) {
++		flog_err(EC_BGP_EVPN_ROUTE_INVALID,
++			 "%u:%s - Rx EVPN Type-4 NLRI with invalid IP address length %d",
++			 peer->bgp->vrf_id, peer->host, ipaddr_len);
++		return -1;
++	}
++
+ 	if (ipaddr_len == IPV4_MAX_BITLEN) {
+ 		memcpy(&vtep_ip, pfx, IPV4_MAX_BYTELEN);
+ 	} else {
+diff --git a/bgpd/rfapi/rfapi_rib.c b/bgpd/rfapi/rfapi_rib.c
+index 9a3d56b..11384b5 100644
+--- a/bgpd/rfapi/rfapi_rib.c
++++ b/bgpd/rfapi/rfapi_rib.c
+@@ -668,11 +668,20 @@ static void rfapiRibBi2Ri(struct bgp_path_info *bpi, struct rfapi_info *ri,
+ 			break;
+ 
+ 		case BGP_VNC_SUBTLV_TYPE_RFPOPTION:
++			/* Check for short subtlv: drop */
++			if (pEncap->length < 3)
++				break;
++
++			/* Length of zero not valid */
++			if (pEncap->value[1] == 0)
++				break;
++
+ 			hop = XCALLOC(MTYPE_BGP_TEA_OPTIONS,
+ 				      sizeof(struct bgp_tea_options));
+ 			assert(hop);
+ 			hop->type = pEncap->value[0];
+ 			hop->length = pEncap->value[1];
++
+ 			hop->value = XCALLOC(MTYPE_BGP_TEA_OPTIONS_VALUE,
+ 					     pEncap->length - 2);
+ 			assert(hop->value);
+-- 
+2.45.4
+
diff --git a/SPECS/frr/frr.spec b/SPECS/frr/frr.spec
@@ -3,7 +3,7 @@
 Summary:        Routing daemon
 Name:           frr
 Version:        10.5.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPL-2.0-or-later
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -20,6 +20,7 @@ Patch5:         0001-Fix-frr-c90-complaint-error.patch
 # Following CVE-2025-61099 fixes CVE-2025-61100, CVE-2025-61101, CVE-2025-61102,
 # CVE-2025-61103, CVE-2025-61104, CVE-2025-61105, CVE-2025-61106 and CVE-2025-61107.
 Patch6:         CVE-2025-61099.patch
+Patch7:         CVE-2026-5107.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bison
@@ -199,6 +200,9 @@ rm tests/lib/*grpc*
 %{_sysusersdir}/%{name}.conf
 
 %changelog
+* Tue Mar 31 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 10.5.0-2
+- Patch for CVE-2026-5107
+
 * Tue Feb 17 2026 Sudipta Pandit <sudpandit@microsoft.com> - 10.5.0-1
 - Upgrade to version 10.5.0
 - Remove CVE-2024-44070.patch (fixed upstream in 10.5.0)
