[AutoPR- Security] Patch frr for CVE-2026-5107 [LOW] (#16439)

azurelinux-security · web-flow · commit 021cddf1ba6c · 2026-04-09T10:54:23.000+05:30
diff --git a/SPECS/frr/CVE-2026-5107.patch b/SPECS/frr/CVE-2026-5107.patch
@@ -0,0 +1,103 @@
+From dfc8716b0a8de82545502fedc7dd2e59e8a64293 Mon Sep 17 00:00:00 2001
+From: Mark Stapp <mjs@cisco.com>
+Date: Wed, 11 Mar 2026 14:52:54 -0400
+Subject: [PATCH] bgpd: improve packet parsing for EVPN and ENCAP/VNC
+
+Improve packet validation for EVPN NLRIs and for ENCAP/VNC.
+
+Signed-off-by: Mark Stapp <mjs@cisco.com>
+(cherry picked from commit 7676cad65114aa23adde583d91d9d29e2debd045)
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/FRRouting/frr/commit/52c72c5ad8ccb491a9bab096002072667089d2d3.patch
+---
+ bgpd/bgp_evpn.c        | 17 +++++++++++++++++
+ bgpd/bgp_evpn_mh.c     | 10 +++++++++-
+ bgpd/rfapi/rfapi_rib.c |  9 +++++++++
+ 3 files changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/bgpd/bgp_evpn.c b/bgpd/bgp_evpn.c
+index 2b2cfa0..e45bd46 100644
+--- a/bgpd/bgp_evpn.c
++++ b/bgpd/bgp_evpn.c
+@@ -4505,6 +4505,14 @@ static int process_type2_route(struct peer *peer, afi_t afi, safi_t safi,
+ 		goto fail;
+ 	}
+ 
++	/* Validate ipaddr_len against the NLRI length */
++	if ((psize != 33 + (ipaddr_len / 8)) && (psize != 36 + (ipaddr_len / 8))) {
++		flog_err(EC_BGP_EVPN_ROUTE_INVALID,
++			 "%u:%s - Rx EVPN Type-2 NLRI with invalid IP address length %d",
++			 peer->bgp->vrf_id, peer->host, ipaddr_len);
++		goto fail;
++	}
++
+ 	if (ipaddr_len) {
+ 		ipaddr_len /= 8; /* Convert to bytes. */
+ 		p.prefix.macip_addr.ip.ipa_type = (ipaddr_len == IPV4_MAX_BYTELEN)
+@@ -4603,6 +4611,15 @@ static int process_type3_route(struct peer *peer, afi_t afi, safi_t safi,
+ 
+ 	/* Get the IP. */
+ 	ipaddr_len = *pfx++;
++
++	/* Validate */
++	if (psize != 13 + (ipaddr_len / 8)) {
++		flog_err(EC_BGP_EVPN_ROUTE_INVALID,
++			 "%u:%s - Rx EVPN Type-3 NLRI with invalid IP address length %d",
++			 peer->bgp->vrf_id, peer->host, ipaddr_len);
++		return -1;
++	}
++
+ 	if (ipaddr_len == IPV4_MAX_BITLEN) {
+ 		p.prefix.imet_addr.ip.ipa_type = IPADDR_V4;
+ 		memcpy(&p.prefix.imet_addr.ip.ip.addr, pfx, IPV4_MAX_BYTELEN);
+diff --git a/bgpd/bgp_evpn_mh.c b/bgpd/bgp_evpn_mh.c
+index 5523659..548e9de 100644
+--- a/bgpd/bgp_evpn_mh.c
++++ b/bgpd/bgp_evpn_mh.c
+@@ -733,9 +733,17 @@ int bgp_evpn_type4_route_process(struct peer *peer, afi_t afi, safi_t safi,
+ 	memcpy(&esi, pfx, ESI_BYTES);
+ 	pfx += ESI_BYTES;
+ 
+-
+ 	/* Get the IP. */
+ 	ipaddr_len = *pfx++;
++
++	/* Validate */
++	if (psize != 19 + (ipaddr_len / 8)) {
++		flog_err(EC_BGP_EVPN_ROUTE_INVALID,
++			 "%u:%s - Rx EVPN Type-4 NLRI with invalid IP address length %d",
++			 peer->bgp->vrf_id, peer->host, ipaddr_len);
++		return -1;
++	}
++
+ 	if (ipaddr_len == IPV4_MAX_BITLEN) {
+ 		memcpy(&vtep_ip, pfx, IPV4_MAX_BYTELEN);
+ 	} else {
+diff --git a/bgpd/rfapi/rfapi_rib.c b/bgpd/rfapi/rfapi_rib.c
+index a9c0c02..71fcab0 100644
+--- a/bgpd/rfapi/rfapi_rib.c
++++ b/bgpd/rfapi/rfapi_rib.c
+@@ -648,11 +648,20 @@ static void rfapiRibBi2Ri(struct bgp_path_info *bpi, struct rfapi_info *ri,
+ 			break;
+ 
+ 		case BGP_VNC_SUBTLV_TYPE_RFPOPTION:
++			/* Check for short subtlv: drop */
++			if (pEncap->length < 3)
++				break;
++
++			/* Length of zero not valid */
++			if (pEncap->value[1] == 0)
++				break;
++
+ 			hop = XCALLOC(MTYPE_BGP_TEA_OPTIONS,
+ 				      sizeof(struct bgp_tea_options));
+ 			assert(hop);
+ 			hop->type = pEncap->value[0];
+ 			hop->length = pEncap->value[1];
++
+ 			hop->value = XCALLOC(MTYPE_BGP_TEA_OPTIONS_VALUE,
+ 					     pEncap->length - 2);
+ 			assert(hop->value);
+-- 
+2.45.4
+
diff --git a/SPECS/frr/frr.spec b/SPECS/frr/frr.spec
@@ -3,7 +3,7 @@
 Summary:        Routing daemon
 Name:           frr
 Version:        8.5.5
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        GPL-2.0-or-later
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -22,6 +22,7 @@ Patch7:         0001-Fix-frr-c90-complaint-error.patch
 # Following CVE fixes CVE-2025-61100, CVE-2025-61101, CVE-2025-61102, CVE-2025-61103,
 # CVE-2025-61104, CVE-2025-61105, CVE-2025-61106 and CVE-2025-61107.
 Patch8:         CVE-2025-61099.patch
+Patch9:         CVE-2026-5107.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bison
@@ -203,6 +204,9 @@ rm tests/lib/*grpc*
 %{_sysusersdir}/%{name}.conf
 
 %changelog
+* Thu Apr 02 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 8.5.5-6
+- Patch for CVE-2026-5107
+
 * Wed Jan 21 2026 Archana Shettigar <v-shettigara@microsoft.com> - 8.5.5-5
 - Patch CVE-2025-61099, CVE-2025-61100, CVE-2025-61101, CVE-2025-61102,
   CVE-2025-61103, CVE-2025-61104, CVE-2025-61105, CVE-2025-61106 and CVE-2025-61107
