<feed xmlns='http://www.w3.org/2005/Atom'>
<title>u-boot.git/net, branch master</title>
<id>http://cgit.235523.xyz/u-boot.git/atom/net?h=master</id>
<link rel='self' href='http://cgit.235523.xyz/u-boot.git/atom/net?h=master'/>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/'/>
<updated>2026-06-03T15:22:24Z</updated>
<entry>
<title>net: bootp: Prevent out-of-bounds read in dhcp_message_type</title>
<updated>2026-06-03T15:22:24Z</updated>
<author>
<name>Francois Berder</name>
<email>fberder@outlook.fr</email>
</author>
<published>2026-05-15T16:56:51Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=f447887238822af40582483112cab524926e9258'/>
<id>urn:sha1:f447887238822af40582483112cab524926e9258</id>
<content type='text'>
dhcp_message_type() scans DHCP options looking for a 0xff
end-of-options marker with no check that the scan pointer stays
within the received packet. A server can send a crafted OFFER with
no 0xff terminator and large option length fields, advancing the
pointer past bp_vend[312] into adjacent heap memory.

This is the same class of bug as CVE-2024-42040, which fixed the
related bootp_process_vendor() call site. Fix it by adding an end
parameter to dhcp_message_type() and checking that popt is lower
than end.

Signed-off-by: Francois Berder &lt;fberder@outlook.fr&gt;
Reviewed-by: Jerome Forissier &lt;jerome.forissier@arm.com&gt;
</content>
</entry>
<entry>
<title>net: dhcpv6: Prevent out-of-bounds reads while parsing options</title>
<updated>2026-06-03T15:22:24Z</updated>
<author>
<name>Francois Berder</name>
<email>fberder@outlook.fr</email>
</author>
<published>2026-05-15T16:53:32Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=2b612de8952d448ab6345c5af6e28fecea1a2f1e'/>
<id>urn:sha1:2b612de8952d448ab6345c5af6e28fecea1a2f1e</id>
<content type='text'>
dhcp6_parse_options() verifies that an option's declared data fits
within the packet, but does not check that option_len is large
enough for the fixed-size read each case performs. A malicious
DHCP server can send an ADVERTISE with a zero-length IA_NA,
STATUS_CODE, SOL_MAX_RT, or BOOTFILE_PARAM option, causing the
parser to read 2-4 bytes past the option's declared data.

Check option_len value before each dereference of option_ptr.

Signed-off-by: Francois Berder &lt;fberder@outlook.fr&gt;
</content>
</entry>
<entry>
<title>net: dhcpv6: Prevent buffer overflow during BOOTFILE_URL parsing</title>
<updated>2026-06-03T15:22:24Z</updated>
<author>
<name>Francois Berder</name>
<email>fberder@outlook.fr</email>
</author>
<published>2026-05-11T19:55:31Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=4ba29d709419a567832276f80592d28f42e965b2'/>
<id>urn:sha1:4ba29d709419a567832276f80592d28f42e965b2</id>
<content type='text'>
The net_boot_file_name is a 1024 byte buffer.
However, based on the DHCPv6 RFC, bootfile-url length is
specified by option_len, a 16-bit unsigned integer
(valid range: 0-65535).
Hence, one needs to make sure that option_len is less
than the size of net_boot_file_name array before copying
bootfile-url to net_boot_file_name.

Signed-off-by: Francois Berder &lt;fberder@outlook.fr&gt;
Reviewed-by: Jerome Forissier &lt;jerome.forissier@arm.com&gt;
</content>
</entry>
<entry>
<title>net: sntp: Check packet length in sntp_handler</title>
<updated>2026-06-03T15:22:24Z</updated>
<author>
<name>Francois Berder</name>
<email>fberder@outlook.fr</email>
</author>
<published>2026-05-11T13:37:58Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=a38bf2121a398538730cd42a0cf3db8f80119c62'/>
<id>urn:sha1:a38bf2121a398538730cd42a0cf3db8f80119c62</id>
<content type='text'>
Currently, the sntp_handler uses data in the UDP packet
regardless of the actual packet size. An OOB read can occur
if the packet is too small.
Fix it by checking the packet length before extracting
seconds from a SNTP packet.

Signed-off-by: Francois Berder &lt;fberder@outlook.fr&gt;
Reviewed-by: Jerome Forissier &lt;jerome.forissier@arm.com&gt;
</content>
</entry>
<entry>
<title>net: lwip/wget: don't print progress bar when silent</title>
<updated>2026-05-06T09:07:22Z</updated>
<author>
<name>Heinrich Schuchardt</name>
<email>heinrich.schuchardt@canonical.com</email>
</author>
<published>2026-04-28T18:14:34Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=94625af0119dd7d6fc809ccf4d6e277fe2a4b242'/>
<id>urn:sha1:94625af0119dd7d6fc809ccf4d6e277fe2a4b242</id>
<content type='text'>
When the EFI sub-system requests to silence output, do not output a progress
bar.

Signed-off-by: Heinrich Schuchardt &lt;heinrich.schuchardt@canonical.com&gt;
Reviewed-by: Jerome Forissier &lt;jerome.forissier@arm.com&gt;
</content>
</entry>
<entry>
<title>net: lwip/wget: don't print content size twice</title>
<updated>2026-05-06T09:07:22Z</updated>
<author>
<name>Heinrich Schuchardt</name>
<email>heinrich.schuchardt@canonical.com</email>
</author>
<published>2026-04-28T18:14:33Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=e093a4ecbe0a74083b1baf16ef7c67fcddc437db'/>
<id>urn:sha1:e093a4ecbe0a74083b1baf16ef7c67fcddc437db</id>
<content type='text'>
If wget_info-&gt;silent is set, we should not print anything.

If wget_info-&gt;silent we print the received content size.
Printing the value of the Content-Length header is redundant.

For chunked transfer no Content-Length header is sent.
The content length is returned as HTTPC_CONTENT_LEN_INVALID by the LwIP
library. In this case we were incorrectly printing '4 GiB'.

Signed-off-by: Heinrich Schuchardt &lt;heinrich.schuchardt@canonical.com&gt;
Reviewed-by: Jerome Forissier &lt;jerome.forissier@arm.com&gt;
</content>
</entry>
<entry>
<title>net: lwip/wget: missing linefeed in diagnostic output</title>
<updated>2026-05-06T09:07:22Z</updated>
<author>
<name>Heinrich Schuchardt</name>
<email>heinrich.schuchardt@canonical.com</email>
</author>
<published>2026-04-28T18:14:32Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=4877a07ed3cf75fd6fe1acef0b3140a7b76eb680'/>
<id>urn:sha1:4877a07ed3cf75fd6fe1acef0b3140a7b76eb680</id>
<content type='text'>
With NET_LWIP wget produces this output with an overlong line
and missing white space:

    =&gt; wget $kernel_addr_r http://example.com/
    #################################################  4 GiB540 bytes transferred in 2 ms (263.7 KiB/s)
    Bytes transferred = 540 (21c hex)

Removing the condition on inserting a line feed yields:

    =&gt; wget $kernel_addr_r http://example.com/
    #################################################  4 GiB
    540 bytes transferred in 2 ms (263.7 KiB/s)
    Bytes transferred = 540 (21c hex)

Signed-off-by: Heinrich Schuchardt &lt;heinrich.schuchardt@canonical.com&gt;
Reviewed-by: Jerome Forissier &lt;jerome.forissier@arm.com&gt;
</content>
</entry>
<entry>
<title>net: nfs: fix buffer overflow in nfs_readlink_reply()</title>
<updated>2026-05-06T09:07:22Z</updated>
<author>
<name>Sebastian Josue Alba Vives</name>
<email>sebasjosue84@gmail.com</email>
</author>
<published>2026-04-09T16:44:40Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=d6694018eaddefac6aae974f9cec72fd6e58f1bc'/>
<id>urn:sha1:d6694018eaddefac6aae974f9cec72fd6e58f1bc</id>
<content type='text'>
nfs_readlink_reply() validates rlen only against the incoming packet
length (inherited from CVE-2019-14195), but not against the destination
buffer nfs_path_buff[2048]. A malicious NFS server can send a valid
READLINK reply where pathlen + rlen exceeds sizeof(nfs_path_buff),
overflowing the BSS buffer into adjacent memory.

The recent fix in fd6e3d34097f addressed the same overflow class in
net/lwip/nfs.c but left the legacy path in net/nfs-common.c unpatched.

Add bounds checks before both memcpy calls in nfs_readlink_reply():
- relative path branch: reject if pathlen + rlen &gt;= sizeof(nfs_path_buff)
- absolute path branch: reject if rlen &gt;= sizeof(nfs_path_buff)

Fixes: cf3a4f1e86 ("net: nfs: Fix CVE-2019-14195")
Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Alba Vives &lt;sebasjosue84@gmail.com&gt;
Reviewed-by: Jerome Forissier &lt;jerome.forissier@arm.com&gt;
</content>
</entry>
<entry>
<title>simplify NET_LEGACY || NET_LWIP condition with NET condition</title>
<updated>2026-04-27T17:26:40Z</updated>
<author>
<name>Quentin Schulz</name>
<email>quentin.schulz@cherry.de</email>
</author>
<published>2026-04-20T11:36:10Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=95d66d2eb02a4677c63d04c84ca21750a04c49f1'/>
<id>urn:sha1:95d66d2eb02a4677c63d04c84ca21750a04c49f1</id>
<content type='text'>
Since the move to make NET a menuconfig and NO_NET a synonym of NET=n,
when NET is enabled, NET_LEGACY || NET_LWIP is necessarily true, so
let's simplify the various checks across the codebase.

SPL_NET_LWIP doesn't exist but SPL_NET_LEGACY is an alias for SPL_NET so
the proper symbol is still defined in SPL whenever needed.

Signed-off-by: Quentin Schulz &lt;quentin.schulz@cherry.de&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
Reviewed-by: Peter Robinson &lt;pbrobinson@gmail.com&gt;
Reviewed-by: Tom Rini &lt;trini@konsulko.com&gt;
</content>
</entry>
<entry>
<title>net: make NET a menuconfig (and downgrade NO_NET to a simple config)</title>
<updated>2026-04-27T17:26:40Z</updated>
<author>
<name>Quentin Schulz</name>
<email>quentin.schulz@cherry.de</email>
</author>
<published>2026-04-20T11:36:09Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=bd275172a84bf32a3f392b852801dee08a94956a'/>
<id>urn:sha1:bd275172a84bf32a3f392b852801dee08a94956a</id>
<content type='text'>
This will allow a bunch of simplifications across the code base.
Disabling NET is the equivalent of today's NO_NET choice. This means
that if NET is enabled, either the legacy or lwIP stack is necessarily
selected, which allows us to simplify if NET_LEGACY || NET_LWIP into
if NET in a later commit.

Config fragments - or defconfigs including other defconfigs - setting
the network stack (NET_LEGACY or NET_LWIP) must also set NET (or unset
NO_NET) if the config they apply to - or the included defconfigs -
unsets NET (or selects NO_NET) as otherwise the NET_LEGACY and NET_LWIP
symbols are unreachable. This is the case for the two defconfigs modified
in this commit.

NO_NET is now a convenience symbol which hides NET entirely to avoid
modifying many defconfigs. If one selected NO_NET to disable the
networking stack in the past, this will still work for now. Technically,
we should be using the "transitional" Kconfig attribute but that is only
available since Kconfig from Linux kernel v6.18 and we're on 6.1 right
now.

Note that this moves CONFIG_SYS_RX_ETH_BUFFER from under the Network
menu back into the main menu as it seems like it needs to be defined
even when there's no need for NET support at all and a menuconfig option
doesn't work the same way as a menu.

Signed-off-by: Quentin Schulz &lt;quentin.schulz@cherry.de&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
Acked-by: Heinrich Schuchardt &lt;xypron.glpk@gmx.de&gt;
Reviewed-by: Peter Robinson &lt;pbrobinson@gmail.com&gt;
Reviewed-by: Tom Rini &lt;trini@konsulko.com&gt;
</content>
</entry>
</feed>
