u-boot-toradex.git/net, branch master U-Boot bootloader for Apalis and Colibri modules net: cdp: reject CDP TLVs with a length below the 4-byte header 2026-06-23T11:13:16+00:00 Piyush Paliwal piyushthepal@gmail.com 2026-06-12T07:47:30+00:00 91d5e0ee3e857c76bb05f0c69c21f3d4a150a2e6 cdp_receive() reads a 16-bit TLV length (tlen) from the packet and only checks that it does not exceed the remaining buffer (tlen > len). It then unconditionally does "tlen -= 4" to skip the TLV header. As tlen is a u16, a crafted TLV with a length of 0..3 underflows tlen to ~65532-65535. For a CDP_APPLIANCE_VLAN_TLV the underflowed length then drives the inner "while (tlen > 0)" loop, which walks ~64KB past the receive buffer reading *ss each step -> out-of-bounds read (crash / info-influence). A length of 0 additionally fails to advance pkt/len, hanging the parse loop. Reject any TLV whose declared length is smaller than its own 4-byte header. This is the same class of bug as the recent bootp/dhcpv6/sntp/nfs fixes (unchecked length field), in a sibling LAN parser that was missed. Verified with a standalone AddressSanitizer harness using the verbatim cdp_receive()/cdp_compute_csum() routines: a 16-byte CDP frame with an appliance-VLAN TLV of length 3 triggers a heap-buffer-overflow READ that the check eliminates. Fixes: f575ae1f7d39 ("net: Move CDP out of net.c") Cc: stable@vger.kernel.org Signed-off-by: Piyush Paliwal <piyushthepal@gmail.com> Reviewed-by: Jerome Forissier <jerome.forissier@arm.com> 
cdp_receive() reads a 16-bit TLV length (tlen) from the packet and only
checks that it does not exceed the remaining buffer (tlen > len). It then
unconditionally does "tlen -= 4" to skip the TLV header. As tlen is a
u16, a crafted TLV with a length of 0..3 underflows tlen to ~65532-65535.

For a CDP_APPLIANCE_VLAN_TLV the underflowed length then drives the inner
"while (tlen > 0)" loop, which walks ~64KB past the receive buffer reading
*ss each step -> out-of-bounds read (crash / info-influence). A length of
0 additionally fails to advance pkt/len, hanging the parse loop.

Reject any TLV whose declared length is smaller than its own 4-byte
header. This is the same class of bug as the recent bootp/dhcpv6/sntp/nfs
fixes (unchecked length field), in a sibling LAN parser that was missed.

Verified with a standalone AddressSanitizer harness using the verbatim
cdp_receive()/cdp_compute_csum() routines: a 16-byte CDP frame with an
appliance-VLAN TLV of length 3 triggers a heap-buffer-overflow READ that
the check eliminates.

Fixes: f575ae1f7d39 ("net: Move CDP out of net.c")
Cc: stable@vger.kernel.org
Signed-off-by: Piyush Paliwal <piyushthepal@gmail.com>
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>
net: lwip: introduce net_lwip_eth_stop() function 2026-06-23T11:13:16+00:00 David Lechner dlechner@baylibre.com 2026-06-11T23:36:10+00:00 9f7906a58cf194fc43484f5be4b65e368fa59040 Add a introduce net_lwip_eth_stop() function and use that to stop the network interface after each command that uses the network. This makes the behavior the same as the legacy net code and avoids potential issues with the network interface being left in an active state after a command finishes. The start/stop is reference-counted since there is at least one command (dhcp) that calls another command (tftp) to avoid starting and stopping the network interface multiple times in a single command. Signed-off-by: David Lechner <dlechner@baylibre.com> Reviewed-by: Jerome Forissier <jerome.forissier@arm.com> 
Add a introduce net_lwip_eth_stop() function and use that to stop the
network interface after each command that uses the network.

This makes the behavior the same as the legacy net code and avoids
potential issues with the network interface being left in an active
state after a command finishes.

The start/stop is reference-counted since there is at least one command
(dhcp) that calls another command (tftp) to avoid starting and stopping
the network interface multiple times in a single command.

Signed-off-by: David Lechner <dlechner@baylibre.com>
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>
net: lwip: wget: return errno codes from wget_do_request() 2026-06-23T11:13:16+00:00 David Lechner dlechner@baylibre.com 2026-06-11T23:36:09+00:00 91911aa0c76e641e673999111fc0aec1fe75b6d2 Change the return values of the lwip implementation of wget_do_request() to be errno codes instead of command return codes. wget_do_request() is not a command, so it does not make sense to return command return codes from it. Also, the legacy network implementation of wget_do_request() already returns errno codes so it is logical for the lwip implementation to do the same. This fixes a bug in try_load_from_uri_path() in efi_manager.c where it checks that the return value of wget_do_request() is < 0. Before this change, CMD_RET_FAILURE would not be considered an error since it has a value of 1. The value of ENODEV is used in places where there could actually be a number of different causes of failure and it isn't possible to discriminate (i.e. failing function returns NULL for all errors). Since all callers of wget_do_request() don't propagate the error code, it doesn't matter so much that this is not ideal, at least at this point in time. Fixes: 3c656c928bd7 ("net: lwip: add wget command") Reviewed-by: Jerome Forissier <jerome.forissier@arm.com> Signed-off-by: David Lechner <dlechner@baylibre.com> 
Change the return values of the lwip implementation of wget_do_request()
to be errno codes instead of command return codes.

wget_do_request() is not a command, so it does not make sense to return
command return codes from it. Also, the legacy network implementation of
wget_do_request() already returns errno codes so it is logical for the
lwip implementation to do the same.

This fixes a bug in try_load_from_uri_path() in efi_manager.c where it
checks that the return value of wget_do_request() is < 0. Before this
change, CMD_RET_FAILURE would not be considered an error since it has a
value of 1.

The value of ENODEV is used in places where there could actually be a
number of different causes of failure and it isn't possible to
discriminate (i.e. failing function returns NULL for all errors). Since
all callers of wget_do_request() don't propagate the error code, it
doesn't matter so much that this is not ideal, at least at this point in
time.

Fixes: 3c656c928bd7 ("net: lwip: add wget command")
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>
Signed-off-by: David Lechner <dlechner@baylibre.com>
net: lwip: wget: fix error handling in wget_do_request() 2026-06-23T11:13:16+00:00 David Lechner dlechner@baylibre.com 2026-06-11T23:36:08+00:00 747720eb73642fcab9693833f8943f3f37bdb881 Split wget_do_request() into two functions to make error handling less error-prone. After a successful call to net_lwip_new_netif(), net_lwip_remove_netif() must always be called to prevent leaks. This was missed in the CACERT section of the code where we returned on error without cleaning up. Instead of adding more calls to net_lwip_remove_netif(), refactor the code into two functions. The outer function handles managing the netif lifecycle. The inner function no longer has to worry about cleaning up before returning on error. To keep things simple, the `path` local variable is removed during the refactoring. Instead, ctx.path is used directly everywhere. Fixes: 3c656c928bd7 ("net: lwip: add wget command") Reviewed-by: Jerome Forissier <jerome.forissier@arm.com> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: David Lechner <dlechner@baylibre.com> 
Split wget_do_request() into two functions to make error handling less
error-prone.

After a successful call to net_lwip_new_netif(), net_lwip_remove_netif()
must always be called to prevent leaks. This was missed in the CACERT
section of the code where we returned on error without cleaning up.

Instead of adding more calls to net_lwip_remove_netif(), refactor the
code into two functions. The outer function handles managing the netif
lifecycle. The inner function no longer has to worry about cleaning up
before returning on error.

To keep things simple, the `path` local variable is removed during the
refactoring. Instead, ctx.path is used directly everywhere.

Fixes: 3c656c928bd7 ("net: lwip: add wget command")
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: David Lechner <dlechner@baylibre.com>
net: clear IP defragmentation state after returning a complete packet 2026-06-23T11:13:16+00:00 Mateusz Furdyna mateusz.furdyna@nokia.com 2026-06-10T14:25:33+00:00 b1aec609bb5e0d08c25c888c91935287ab4ee5fa During the IP defragmentation process, after the reassembly is finished with the last packet arriving with MF=0, the reassembly state wrt. static counters is not cleared. In case this last arriving packet with MF=0 gets duplicated, payload bytes are mistakenly treated as hole data. A malicious actor who can deliver fragmented IP traffic to a U-Boot instance with CONFIG_IP_DEFRAG=y can corrupt memory via out-of-bound writes and redirect control flow into attacker-supplied payload bytes that already sit in `pkt_buff[]`. Publicly available AI models are able to generate a reproducer based on the provided information. Fix: once the assembled packet has been handed back to the caller, mark the reassembly state empty so that any further fragment (duplicate, replay, or a brand-new datagram that happens to reuse the `ip_id`) goes through the normal re-init path and rebuilds a clean hole list instead of dereferencing payload bytes as struct hole. Fixes: 5cfaa4e54d0e ("net: defragment IP packets") Reported-by: Mariusz Madej <mariusz.madej@nokia.com> Reviewed-by: Simon Glass <sjg@chromium.org> Acked-by: Alessandro Rubini <rubini@gnudd.com> Signed-off-by: Mateusz Furdyna <mateusz.furdyna@nokia.com> 
During the IP defragmentation process, after the reassembly is finished
with the last packet arriving with MF=0, the reassembly state wrt.
static counters is not cleared. In case this last arriving packet with
MF=0 gets duplicated, payload bytes are mistakenly treated as hole data.

A malicious actor who can deliver fragmented IP traffic to a U-Boot
instance with CONFIG_IP_DEFRAG=y can corrupt memory via out-of-bound
writes and redirect control flow into attacker-supplied payload bytes
that already sit in `pkt_buff[]`.

Publicly available AI models are able to generate a reproducer based
on the provided information.

Fix: once the assembled packet has been handed back to the caller, mark
the reassembly state empty so that any further fragment (duplicate,
replay, or a brand-new datagram that happens to reuse the `ip_id`) goes
through the normal re-init path and rebuilds a clean hole list instead
of dereferencing payload bytes as struct hole.

Fixes: 5cfaa4e54d0e ("net: defragment IP packets")
Reported-by: Mariusz Madej <mariusz.madej@nokia.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Acked-by: Alessandro Rubini <rubini@gnudd.com>
Signed-off-by: Mateusz Furdyna <mateusz.furdyna@nokia.com>
net: bootp: Prevent out-of-bounds read in dhcp_message_type 2026-06-03T15:22:24+00:00 Francois Berder fberder@outlook.fr 2026-05-15T16:56:51+00:00 f447887238822af40582483112cab524926e9258 dhcp_message_type() scans DHCP options looking for a 0xff end-of-options marker with no check that the scan pointer stays within the received packet. A server can send a crafted OFFER with no 0xff terminator and large option length fields, advancing the pointer past bp_vend[312] into adjacent heap memory. This is the same class of bug as CVE-2024-42040, which fixed the related bootp_process_vendor() call site. Fix it by adding an end parameter to dhcp_message_type() and checking that popt is lower than end. Signed-off-by: Francois Berder <fberder@outlook.fr> Reviewed-by: Jerome Forissier <jerome.forissier@arm.com> 
dhcp_message_type() scans DHCP options looking for a 0xff
end-of-options marker with no check that the scan pointer stays
within the received packet. A server can send a crafted OFFER with
no 0xff terminator and large option length fields, advancing the
pointer past bp_vend[312] into adjacent heap memory.

This is the same class of bug as CVE-2024-42040, which fixed the
related bootp_process_vendor() call site. Fix it by adding an end
parameter to dhcp_message_type() and checking that popt is lower
than end.

Signed-off-by: Francois Berder <fberder@outlook.fr>
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>
net: dhcpv6: Prevent out-of-bounds reads while parsing options 2026-06-03T15:22:24+00:00 Francois Berder fberder@outlook.fr 2026-05-15T16:53:32+00:00 2b612de8952d448ab6345c5af6e28fecea1a2f1e dhcp6_parse_options() verifies that an option's declared data fits within the packet, but does not check that option_len is large enough for the fixed-size read each case performs. A malicious DHCP server can send an ADVERTISE with a zero-length IA_NA, STATUS_CODE, SOL_MAX_RT, or BOOTFILE_PARAM option, causing the parser to read 2-4 bytes past the option's declared data. Check option_len value before each dereference of option_ptr. Signed-off-by: Francois Berder <fberder@outlook.fr> 
dhcp6_parse_options() verifies that an option's declared data fits
within the packet, but does not check that option_len is large
enough for the fixed-size read each case performs. A malicious
DHCP server can send an ADVERTISE with a zero-length IA_NA,
STATUS_CODE, SOL_MAX_RT, or BOOTFILE_PARAM option, causing the
parser to read 2-4 bytes past the option's declared data.

Check option_len value before each dereference of option_ptr.

Signed-off-by: Francois Berder <fberder@outlook.fr>
net: dhcpv6: Prevent buffer overflow during BOOTFILE_URL parsing 2026-06-03T15:22:24+00:00 Francois Berder fberder@outlook.fr 2026-05-11T19:55:31+00:00 4ba29d709419a567832276f80592d28f42e965b2 The net_boot_file_name is a 1024 byte buffer. However, based on DHCPv6 RFC, bootfile-url length is specified by option_len, a 16-bit unsigned integer (valid range: 0-65535). Hence, one needs to make sure that option_len is less than the size of net_boot_file_name array before copying bootfile-url to net_boot_file_name. Signed-off-by: Francois Berder <fberder@outlook.fr> Reviewed-by: Jerome Forissier <jerome.forissier@arm.com> 
The net_boot_file_name is a 1024 byte buffer.
However, based on DHCPv6 RFC, bootfile-url length is
specified by option_len, a 16-bit unsigned integer
(valid range: 0-65535).
Hence, one needs to make sure that option_len is less
than the size of net_boot_file_name array before copying
bootfile-url to net_boot_file_name.

Signed-off-by: Francois Berder <fberder@outlook.fr>
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>
net: sntp: Check packet length in sntp_handler 2026-06-03T15:22:24+00:00 Francois Berder fberder@outlook.fr 2026-05-11T13:37:58+00:00 a38bf2121a398538730cd42a0cf3db8f80119c62 Currently, the sntp_handler uses data in the UDP packet regardless of the actual packet size. A OOB read can occur if the packet is too small. Fix it by checking the packet length before extracting seconds from a SNTP packet. Signed-off-by: Francois Berder <fberder@outlook.fr> Reviewed-by: Jerome Forissier <jerome.forissier@arm.com> 
Currently, the sntp_handler uses data in the UDP packet
regardless of the actual packet size. A OOB read can occur
if the packet is too small.
Fix it by checking the packet length before extracting
seconds from a SNTP packet.

Signed-off-by: Francois Berder <fberder@outlook.fr>
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>
net: lwip/wget: don't print progress bar when silent 2026-05-06T09:07:22+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2026-04-28T18:14:34+00:00 94625af0119dd7d6fc809ccf4d6e277fe2a4b242 When the EFI sub-system request to silence output, do not output a progress bar. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Reviewed-by: Jerome Forissier <jerome.forissier@arm.com> 
When the EFI sub-system request to silence output, do not output a progress
bar.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>