Bug 1222521 (CVE-2024-31949) - VUL-0: CVE-2024-31949: frr,quagga: infinite loop
Summary: VUL-0: CVE-2024-31949: frr,quagga: infinite loop
Status: IN_PROGRESS
Alias: CVE-2024-31949
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Major
Target Milestone: ---
Assignee: Marius Tomaschewski
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/400633/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-31949:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-09 09:08 UTC by SMASH SMASH
Modified: 2024-06-05 14:49 UTC (History)
5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description SMASH SMASH 2024-04-09 09:08:32 UTC
In FRRouting (FRR) through 9.1, an infinite loop can occur when receiving a MP/GR capability as a dynamic capability because malformed data results in a pointer not advancing.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-31949
https://www.cve.org/CVERecord?id=CVE-2024-31949
https://github.com/FRRouting/frr/pull/15640
https://github.com/FRRouting/frr/pull/15640/commits/30a332dad86fafd2b0b6c61d23de59ed969a219b
https://bugzilla.redhat.com/show_bug.cgi?id=2273992
Comment 1 Thomas Leroy 2024-04-09 09:09:23 UTC
quagga is not affected, but frr is:

- SUSE:SLE-15-SP3:Update/frr
- SUSE:SLE-15-SP5:Update/frr
- openSUSE:Factory/frr
Comment 2 Clemens Famulla-Conrad 2024-04-11 09:44:22 UTC
We are running:
  SUSE:SLE-15-SP3:Update/frr => 7.4
  SUSE:SLE-15-SP5:Update/frr => 8.4
  openSUSE:Factory/frr => 8.4

And from my point of view this CVE doesn't apply there.

Explanation:
The issue occurs because of a `continue` in a while loop over a pointer, before incrementing it.
This does not happen in 7.4 [1] or 8.4 [2], as the pointer increment takes place before any `continue` call. I think it was introduced with [3].

[1] https://github.com/FRRouting/frr/blob/stable/7.4/bgpd/bgp_packet.c#L2191
[2] https://github.com/FRRouting/frr/blob/stable/8.4/bgpd/bgp_packet.c#L2723
[3] https://github.com/FRRouting/frr/commit/bf11a9eb252d7802871d3315e768068fb146a292
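The loop shape described in this comment, as an added illustration that is not FRR's code: a simplified capability TLV walker in the buggy form (`continue` reached before the pointer advances) beside the corrected form that computes the next pointer up front. The TLV layout, function names and sample buffers are constructed for this example; only the capability codes 1 (Multiprotocol) and 64 (Graceful Restart) come from the IANA registry. The buggy variant carries an iteration budget purely so the demonstration terminates; the real defect has no such cap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed capability TLV layout: 1-byte code, 1-byte length, value.
 * Codes 1 (Multiprotocol) and 64 (Graceful Restart) are the IANA values;
 * everything else here is simplified for this example. */
#define CAP_MP 1
#define CAP_GR 64

struct cap_summary {
    int mp;      /* well-formed Multiprotocol capabilities seen */
    int gr;      /* Graceful Restart capabilities seen */
    int skipped; /* unknown or malformed capabilities skipped */
};

/* Buggy shape: `continue` is reached before `pnt` is advanced, so a
 * Multiprotocol capability with an unexpected length is re-read forever.
 * ITER_BUDGET exists only so this demonstration terminates; the real
 * code has no such cap. Returns -2 when the budget is exhausted. */
#define ITER_BUDGET 1000
int walk_caps_buggy(const uint8_t *buf, size_t len, struct cap_summary *s)
{
    const uint8_t *pnt = buf, *end = buf + len;
    int iters = 0;

    while (pnt < end) {
        if (++iters > ITER_BUDGET)
            return -2;                  /* no forward progress */
        if (end - pnt < 2)
            return -1;                  /* truncated header */
        uint8_t code = pnt[0], clen = pnt[1];
        if ((size_t)(end - pnt) < 2u + clen)
            return -1;                  /* length overruns buffer */

        if (code == CAP_MP && clen != 4) {
            s->skipped++;
            continue;                   /* BUG: pnt unchanged */
        }
        if (code == CAP_MP)
            s->mp++;
        else if (code == CAP_GR)
            s->gr++;
        else
            s->skipped++;
        pnt += 2 + clen;                /* only reached on the happy path */
    }
    return 0;
}

/* Fixed shape: the next pointer is derived from the header before any
 * branch, and every path that stays in the loop assigns it. */
int walk_caps_fixed(const uint8_t *buf, size_t len, struct cap_summary *s)
{
    const uint8_t *pnt = buf, *end = buf + len;

    while (pnt < end) {
        if (end - pnt < 2)
            return -1;                  /* truncated header */
        uint8_t code = pnt[0], clen = pnt[1];
        if ((size_t)(end - pnt) < 2u + clen)
            return -1;                  /* length overruns buffer */
        const uint8_t *next = pnt + 2 + clen; /* header >= 2 bytes, so next > pnt */

        if (code == CAP_MP && clen != 4) {
            s->skipped++;
            pnt = next;                 /* advance before continuing */
            continue;
        }
        if (code == CAP_MP)
            s->mp++;
        else if (code == CAP_GR)
            s->gr++;
        else
            s->skipped++;
        pnt = next;
    }
    return 0;
}

/* Constructed sample buffers (not captured traffic). */
const uint8_t SAMPLE_GOOD[]    = { CAP_MP, 4, 0, 1, 0, 1, CAP_GR, 2, 0, 0 };
const uint8_t SAMPLE_BAD_LEN[] = { CAP_MP, 3, 0, 0, 0 }; /* MP with length 3 */
const uint8_t SAMPLE_TRUNC[]   = { CAP_MP, 4, 0, 0 };    /* claims 4, has 2 */

int main(void)
{
    struct cap_summary s = { 0, 0, 0 };
    int rc = walk_caps_buggy(SAMPLE_BAD_LEN, sizeof SAMPLE_BAD_LEN, &s);
    printf("buggy walker on bad length: rc=%d (budget exhausted)\n", rc);

    s = (struct cap_summary){ 0, 0, 0 };
    rc = walk_caps_fixed(SAMPLE_BAD_LEN, sizeof SAMPLE_BAD_LEN, &s);
    printf("fixed walker on bad length: rc=%d skipped=%d\n", rc, s.skipped);
    return 0;
}
```

The property worth checking in review is the one the fix restores: every path that stays inside the loop must move `pnt` strictly forward, which the fixed walker guarantees by computing `next` from the validated header before any branch.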
Comment 3 Thomas Leroy 2024-04-12 07:50:34 UTC
(In reply to Clemens Famulla-Conrad from comment #2)
> We are running:
>   SUSE:SLE-15-SP3:Update/frr => 7.4
>   SUSE:SLE-15-SP5:Update/frr => 8.4
>   openSUSE:Factory/frr => 8.4
> 
> And from my point of view this CVE doesn't apply there.
> 
> Explanation:
> The issue occurs because of a `continue` in a while loop over a pointer,
> before incrementing it.
> This does not happen in 7.4 [1] or 8.4 [2], as the pointer increment takes place
> before any `continue` call. I think it was introduced with [3].

Correct, I think you're right. Thanks for noticing it. Let me adjust the tracking.
Do you plan to update openSUSE:Factory to a 9.x version? Otherwise I will close this bug.
Comment 4 Clemens Famulla-Conrad 2024-04-12 08:26:14 UTC
Valid question, but I cannot answer it. I would like to leave this question for Marius as he is more into this topic. I will ping him, once he is back from vacation.