<feed xmlns='http://www.w3.org/2005/Atom'>
<title>u-boot.git/net, branch next</title>
<subtitle>Unnamed repository; edit this file 'description' to name the repository.</subtitle>
<id>http://cgit.235523.xyz/u-boot.git/atom/net?h=next</id>
<link rel='self' href='http://cgit.235523.xyz/u-boot.git/atom/net?h=next'/>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/'/>
<updated>2026-06-25T20:15:33Z</updated>
<entry>
<title>Kconfig: net: restyle</title>
<updated>2026-06-25T20:15:33Z</updated>
<author>
<name>Johan Jonker</name>
<email>jbx6244@gmail.com</email>
</author>
<published>2026-06-10T14:38:48Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=f934012cd97a6bd3eb75088b7c9e3738b9d57472'/>
<id>urn:sha1:f934012cd97a6bd3eb75088b7c9e3738b9d57472</id>
<content type='text'>
Restyle all Kconfigs for "net":
Menu entries   : no space left
Menu attributes: 1 TAB
Help text      : 1 TAB + 2 spaces
Replace '---help---' by 'help'

Signed-off-by: Johan Jonker &lt;jbx6244@gmail.com&gt;
</content>
</entry>
<entry>
<title>Merge tag 'v2026.07-rc4' into next</title>
<updated>2026-06-08T21:28:18Z</updated>
<author>
<name>Tom Rini</name>
<email>trini@konsulko.com</email>
</author>
<published>2026-06-08T21:28:18Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=e91911169bc737ee4a79963a1cba8db2aab7c1c0'/>
<id>urn:sha1:e91911169bc737ee4a79963a1cba8db2aab7c1c0</id>
<content type='text'>
Prepare v2026.07-rc4
</content>
</entry>
<entry>
<title>net: bootp: Prevent out-of-bounds read in dhcp_message_type</title>
<updated>2026-06-03T15:22:24Z</updated>
<author>
<name>Francois Berder</name>
<email>fberder@outlook.fr</email>
</author>
<published>2026-05-15T16:56:51Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=f447887238822af40582483112cab524926e9258'/>
<id>urn:sha1:f447887238822af40582483112cab524926e9258</id>
<content type='text'>
dhcp_message_type() scans DHCP options looking for a 0xff
end-of-options marker with no check that the scan pointer stays
within the received packet. A server can send a crafted OFFER with
no 0xff terminator and large option length fields, advancing the
pointer past bp_vend[312] into adjacent heap memory.

This is the same class of bug as CVE-2024-42040, which fixed the
related bootp_process_vendor() call site. Fix it by adding an end
parameter to dhcp_message_type() and checking that popt is lower
than end.

Signed-off-by: Francois Berder &lt;fberder@outlook.fr&gt;
Reviewed-by: Jerome Forissier &lt;jerome.forissier@arm.com&gt;
</content>
</entry>
<entry>
<title>net: dhcpv6: Prevent out-of-bounds reads while parsing options</title>
<updated>2026-06-03T15:22:24Z</updated>
<author>
<name>Francois Berder</name>
<email>fberder@outlook.fr</email>
</author>
<published>2026-05-15T16:53:32Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=2b612de8952d448ab6345c5af6e28fecea1a2f1e'/>
<id>urn:sha1:2b612de8952d448ab6345c5af6e28fecea1a2f1e</id>
<content type='text'>
dhcp6_parse_options() verifies that an option's declared data fits
within the packet, but does not check that option_len is large
enough for the fixed-size read each case performs. A malicious
DHCP server can send an ADVERTISE with a zero-length IA_NA,
STATUS_CODE, SOL_MAX_RT, or BOOTFILE_PARAM option, causing the
parser to read 2-4 bytes past the option's declared data.

Check option_len value before each dereference of option_ptr.

Signed-off-by: Francois Berder &lt;fberder@outlook.fr&gt;
</content>
</entry>
<entry>
<title>net: dhcpv6: Prevent buffer overflow during BOOTFILE_URL parsing</title>
<updated>2026-06-03T15:22:24Z</updated>
<author>
<name>Francois Berder</name>
<email>fberder@outlook.fr</email>
</author>
<published>2026-05-11T19:55:31Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=4ba29d709419a567832276f80592d28f42e965b2'/>
<id>urn:sha1:4ba29d709419a567832276f80592d28f42e965b2</id>
<content type='text'>
The net_boot_file_name is a 1024 byte buffer.
However, based on DHCPv6 RFC, bootfile-url length is
specified by option_len, a 16-bit unsigned integer
(valid range: 0-65535).
Hence, one needs to make sure that option_len is less
than the size of net_boot_file_name array before copying
bootfile-url to net_boot_file_name.

Signed-off-by: Francois Berder &lt;fberder@outlook.fr&gt;
Reviewed-by: Jerome Forissier &lt;jerome.forissier@arm.com&gt;
</content>
</entry>
<entry>
<title>net: sntp: Check packet length in sntp_handler</title>
<updated>2026-06-03T15:22:24Z</updated>
<author>
<name>Francois Berder</name>
<email>fberder@outlook.fr</email>
</author>
<published>2026-05-11T13:37:58Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=a38bf2121a398538730cd42a0cf3db8f80119c62'/>
<id>urn:sha1:a38bf2121a398538730cd42a0cf3db8f80119c62</id>
<content type='text'>
Currently, the sntp_handler uses data in the UDP packet
regardless of the actual packet size. A OOB read can occur
if the packet is too small.
Fix it by checking the packet length before extracting
seconds from a SNTP packet.

Signed-off-by: Francois Berder &lt;fberder@outlook.fr&gt;
Reviewed-by: Jerome Forissier &lt;jerome.forissier@arm.com&gt;
</content>
</entry>
<entry>
<title>net: SYS_RX_ETH_BUFFER defaults to 8 when CONFIG_FSL_ENETC=y</title>
<updated>2026-06-03T14:55:55Z</updated>
<author>
<name>Quentin Schulz</name>
<email>quentin.schulz@cherry.de</email>
</author>
<published>2026-05-07T10:37:12Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=d17251269095d058c7bf463f6cfb4922ad357147'/>
<id>urn:sha1:d17251269095d058c7bf463f6cfb4922ad357147</id>
<content type='text'>
drivers/net/fsl_enetc.h specifies ENETC_BD_CNT "buffer descriptors count
must be a multiple of 8". This constant is set to
CONFIG_SYS_RX_ETH_BUFFER which defaults to 4.

All defconfigs enabling CONFIG_FSL_ENETC fortunately have it set to 8,
according to
./tools/qconfig.py -l -f CONFIG_FSL_ENETC '~CONFIG_SYS_RX_ETH_BUFFER=8'.

Let's make sure the default is sane by having it set to 8 when this
driver is enabled. Note that originally[1] it was said EEPRO100 and 405
EMAC should be 8 or higher. 405 (PPC405?) support seems to have been
dropped in commit b5e7c84f72ee ("ppc4xx: remove ASH405 board"), 11 years
ago. Maybe there's something we can do for EEPRO100 though?

Start all lines with a tab instead of spaces.

Specify limitation for FSL_ENETC in the help text.

[1] commit 53cf9435ccf9 ("- CFG_RX_ETH_BUFFER added.")
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
Signed-off-by: Quentin Schulz &lt;quentin.schulz@cherry.de&gt;
</content>
</entry>
<entry>
<title>net: guard SYS_RX_ETH_BUFFER with NET</title>
<updated>2026-06-03T14:55:55Z</updated>
<author>
<name>Quentin Schulz</name>
<email>quentin.schulz@cherry.de</email>
</author>
<published>2026-05-07T10:37:11Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=77cc22b8095cee92e5bd63b57b13fa7cf8ac8190'/>
<id>urn:sha1:77cc22b8095cee92e5bd63b57b13fa7cf8ac8190</id>
<content type='text'>
SYS_RX_ETH_BUFFER represents the number of Ethernet receive packet
buffers. It therefore doesn't make sense it's reachable if NET isn't
enabled.

Direct users of SYS_RX_ETH_BUFFER are:
- drivers/net/rtl8169.c, only compiled if CONFIG_RTL8169=y, depends on
  CONFIG_NETDEVICES=y, depends on CONFIG_NET=y,
- drivers/net/fsl_enetc.h, via ENETC_BD_CNT, included in
    drivers/net/{fsl_enetc.c,fsl_enetc_mdio.c,mscc_eswitch/felix_switch.c}
  First two only compiled if CONFIG_FSL_ENETC=y, latter with
  CONFIG_MSCC_FELIX_SWITCH=y. Both symbols depends on
  CONFIG_NETDEVICES=y, depends on CONFIG_NET=y.
- include/net-common.h via PKTBUFSRX,

Indirect users via PKTBUFSRX:
- arch/sandbox/include/asm/eth.h
  - according to ./tools/qconfig.py -l -f CONFIG_SANDBOX CONFIG_NO_NET,
    all sandbox defconfigs have network enabled so ignore this for now,
- drivers/dma/ti/k3-udma.c
  - sets UDMA_RX_DESC_NUM to that if defined, else 4. PKTBUFSRX is
    CONFIG_SYS_RX_ETH_BUFFER which defaults to 4. According to
    ./tools/qconfig.py -l -f CONFIG_TI_K3_NAVSS_UDMA '~CONFIG_SYS_RX_ETH_BUFFER=4'
    no defconfig enabling this DMA driver sets CONFIG_SYS_RX_ETH_BUFFER
    to anything but the default of 4, so regardless of NET being built
    UDMA_RX_DESC_NUM will always be 4 with current defconfigs.
- drivers/net/{airoha_eth.c,bcm6348-eth.c,bcm6368-eth.c,cortina_ni.c,
	dc2114x.c,eepro100.c,essedma.c,ethoc.c,ftgmac100.c,ftmac100.c,
	hifemac.c,mcffec.c,mpc8xx_fec.c,pic32_eth.c,sandbox.c,sni_ave.c,
	sni_netsec.c,ti/am65-cpsw-nuss.c,ti/cpsw.c,ti/icssg_prueth.c,
	tsec.c} all depends on CONFIG_NETDEVICES=y, depends on
  CONFIG_NET=y,
- net/lwip/net-lwip.c, only compiled if CONFIG_NET_LWIP=y, depends on
  CONFIG_NET=y,
- net/{net.c,tcp.c}, only compiled if CONFIG_NET_LEGACY=y, depends on
  CONFIG_NET=y,
- net/net-common.c, only compiled if CONFIG_NET=y,
- test/cmd/wget.c, only compiled if CONFIG_NET_LEGACY=y, depends on
  CONFIG_NET=y,
- test/image/spl_load_net.c, only compiled if CONFIG_SPL_UT_LOAD_NET=y,
  depends on CONFIG_SPL_ETH=y, depends on CONFIG_SPL_NET=y, depends on
  CONFIG_NET_LEGACY=y, depends on CONFIG_NET=y,

Indirect users via net_rx_packets[PKTBUFSRX]. This array is only
externally defined in net/net-common.c which is only compiled if
CONFIG_NET=y.

Users of net_rx_packets are:
- drivers/net/{airoha_eth.c,bcm6348-eth.c,bcm6368-eth.c,cortina_ni.c,
	dc2114x.c,dm9000x.c,essedma.c,ethoc.c,fsl_enetc.c,ftgmac100.c,
	ftmac100.c,hifemac.c,ks8851_mll.c,macb.c,mcffec.c,mpc8xx_fec.c,
        mscc_eswitch/jr2_switch.c,mscc_eswitch/luton_switch.c,
        mscc_eswitch/ocelot_switch.c,mscc_eswitch/serval_switch.c,
        mscc_eswitch/servalt_switch.c,pic32_eth.c,sandbox-raw.c,
	sandbox.c,smc911x.c,sni_ave.c,sni_netsec.c,ti/am65-cpsw-nuss.c,
	ti/cpsw.c,ti/icssg_prueth.c,tsec.c,xilinx_axi_mrmac.c} all
	depends on CONFIG_NETDEVICES=y, depends on CONFIG_NET=y,
- drivers/usb/gadget/ether.c only built if CONFIG_$(PHASE_)USB_ETHER=y,
  depends on CONFIG_NET=y/CONFIG_SPL_NET=y,
- net/lwip/net-lwip.c only compiled if CONFIG_NET_LWIP=y, depends on
  CONFIG_NET=y,
- net/net.c, only compiled if CONFIG_NET_LEGACY=y, depends on
  CONFIG_NET=y,
- net/net-common.c, only compiled if CONFIG_NET=y,

Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
Signed-off-by: Quentin Schulz &lt;quentin.schulz@cherry.de&gt;
</content>
</entry>
<entry>
<title>net: lwip/wget: don't print progress bar when silent</title>
<updated>2026-05-06T09:07:22Z</updated>
<author>
<name>Heinrich Schuchardt</name>
<email>heinrich.schuchardt@canonical.com</email>
</author>
<published>2026-04-28T18:14:34Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=94625af0119dd7d6fc809ccf4d6e277fe2a4b242'/>
<id>urn:sha1:94625af0119dd7d6fc809ccf4d6e277fe2a4b242</id>
<content type='text'>
When the EFI sub-system request to silence output, do not output a progress
bar.

Signed-off-by: Heinrich Schuchardt &lt;heinrich.schuchardt@canonical.com&gt;
Reviewed-by: Jerome Forissier &lt;jerome.forissier@arm.com&gt;
</content>
</entry>
<entry>
<title>net: lwip/wget: don't print content size twice</title>
<updated>2026-05-06T09:07:22Z</updated>
<author>
<name>Heinrich Schuchardt</name>
<email>heinrich.schuchardt@canonical.com</email>
</author>
<published>2026-04-28T18:14:33Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=e093a4ecbe0a74083b1baf16ef7c67fcddc437db'/>
<id>urn:sha1:e093a4ecbe0a74083b1baf16ef7c67fcddc437db</id>
<content type='text'>
If wget_info-&gt;silent is set, we should not print anything.

If wget_info-&gt;silent we print the received content size.
Printing the value of the Content-Length header is redundant

For chunked transfer no Content-Length header is sent.
The content length is returned as HTTPC_CONTENT_LEN_INVALID by the LwIP
library. In this case we were incorrectly printing '4 GiB'.

Signed-off-by: Heinrich Schuchardt &lt;heinrich.schuchardt@canonical.com&gt;
Reviewed-by: Jerome Forissier &lt;jerome.forissier@arm.com&gt;
</content>
</entry>
</feed>
