u-boot.git/net, branch v2019.04 Unnamed repository; edit this file 'description' to name the repository. lmb: handle more than one DRAM BANK 2019-02-02T13:19:17+00:00 Simon Goldschmidt simon.k.r.goldschmidt@gmail.com 2019-01-26T21:13:04+00:00 9cc2323feebdde500f50f7abb855045dbde765cb This fixes the automatic lmb initialization and reservation for boards with more than one DRAM bank. This fixes the CVE-2018-18439 and -18440 fixes that only allowed to load files into the firs DRAM bank from fs and via tftp. Found-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com> Tested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Reviewed-by: Simon Glass <sjg@chromium.org> 
This fixes the automatic lmb initialization and reservation for boards
with more than one DRAM bank.

This fixes the CVE-2018-18439 and -18440 fixes that only allowed to load
files into the firs DRAM bank from fs and via tftp.

Found-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Tested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
lib: lmb: rename lmb_get_unreserved_size to lmb_get_free_size 2019-01-26T13:13:57+00:00 Simon Goldschmidt simon.k.r.goldschmidt@gmail.com 2019-01-21T19:29:55+00:00 65304aade8041c03859d0f7b210f2e2a4d46bec0 As a follow-up, change the name of the newly introduced function 'lmb_get_unreserved_size' to 'lmb_get_free_size', which is more appropriate. Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com> [trini: Fix test/lib/lmb.c] Signed-off-by: Tom Rini <trini@konsulko.com> 
As a follow-up, change the name of the newly introduced function
'lmb_get_unreserved_size' to 'lmb_get_free_size', which is more
appropriate.

Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
[trini: Fix test/lib/lmb.c]
Signed-off-by: Tom Rini <trini@konsulko.com>
net: remove CONFIG_MCAST_TFTP 2019-01-24T17:35:30+00:00 Chris Packham judge.packham@gmail.com 2018-11-26T08:00:29+00:00 67bb984249442378ebb6a0eb68b6b0dd67dfbe72 No mainline board enables CONFIG_MCAST_TFTP and there have been compilation issues with the code for some time. Additionally, it has a potential buffer underrun issue (reported as a side note in CVE-2018-18439). Remove the multicast TFTP code but keep the driver API for the future addition of IPv6. Cc: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com> Signed-off-by: Chris Packham <judge.packham@gmail.com> Acked-by: Joe Hershberger <joe.hershberger@ni.com> 
No mainline board enables CONFIG_MCAST_TFTP and there have been
compilation issues with the code for some time. Additionally, it has a
potential buffer underrun issue (reported as a side note in
CVE-2018-18439).

Remove the multicast TFTP code but keep the driver API for the future
addition of IPv6.

Cc: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Signed-off-by: Chris Packham <judge.packham@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
net: move ether_crc to tsec driver 2019-01-24T17:35:29+00:00 Chris Packham judge.packham@gmail.com 2018-11-26T08:00:28+00:00 1a4af5c562fdb9f5a884a53f136f2b2075ffd1d8 ether_crc was added to the core net code in commit 53a5c424bf86 ("multicast tftp: RFC2090") so that other drivers could use it. However the only current user of it is tsec.c so move it there. Signed-off-by: Chris Packham <judge.packham@gmail.com> Acked-by: Joe Hershberger <joe.hershberger@ni.com> 
ether_crc was added to the core net code in commit 53a5c424bf86
("multicast tftp: RFC2090") so that other drivers could use it. However
the only current user of it is tsec.c so move it there.

Signed-off-by: Chris Packham <judge.packham@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
net: explicitly assign errno to return code in case of network failure 2019-01-24T17:35:28+00:00 Thomas RIENOESSL thomas.rienoessl@bachmann.info 2018-11-21T14:56:07+00:00 a735e6e9d639114d67e4440f9e051a89d2094118 When dealing with two ethernet ports and having "netretry" set to "once", it could occur that the connection (e.g. an ARP request) failed, hence the status of the netloop was "NETLOOP_FAIL". Due to the setting of "netretry", the network logic would then switch to the other network interface, assigning "ret" with the return value of "net_start_again()". If this call succeeded we would return 0 (i.e. success) to the caller when in reality the network action failed. Signed-off-by: Thomas RIENOESSL <thomas.rienoessl@bachmann.info> Reviewed-by: Christian Gmeiner <christian.gmeiner@gmail.com> Acked-by: Joe Hershberger <joe.hershberger@ni.com> 
When dealing with two ethernet ports and having "netretry" set
to "once", it could occur that the connection (e.g. an ARP
request) failed, hence the status of the netloop was
"NETLOOP_FAIL". Due to the setting of "netretry", the network
logic would then switch to the other network interface,
assigning "ret" with the return value of "net_start_again()".
If this call succeeded we would return 0 (i.e. success) to
the caller when in reality the network action failed.

Signed-off-by: Thomas RIENOESSL <thomas.rienoessl@bachmann.info>
Reviewed-by: Christian Gmeiner <christian.gmeiner@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
tftp: prevent overwriting reserved memory 2019-01-17T04:15:53+00:00 Simon Goldschmidt simon.k.r.goldschmidt@gmail.com 2019-01-14T21:38:22+00:00 a156c47e39ad7d007c88919103ee0ee131c6203b This fixes CVE-2018-18439 ("insufficient boundary checks in network image boot") by using lmb to check for a valid range to store received blocks. Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com> Acked-by: Joe Hershberger <joe.hershberger@ni.com> [trini: Always build lib/lmb.o on LMB and lib/fdtdec.o on OF_LIBFDT] Signed-off-by: Tom Rini <trini@konsulko.com> 
This fixes CVE-2018-18439 ("insufficient boundary checks in network
image boot") by using lmb to check for a valid range to store
received blocks.

Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
[trini: Always build lib/lmb.o on LMB and lib/fdtdec.o on OF_LIBFDT]
Signed-off-by: Tom Rini <trini@konsulko.com>
net: Consolidate UDP header functions 2018-10-10T17:29:02+00:00 Duncan Hare DH@Synoia.com 2018-06-24T22:40:41+00:00 5d457ecbef5eba8eaeed513c65c55453de4f3975 Make it possible to add TCP versions of the same, while reusing IP portions. This patch should not change any behavior. Signed-off-by: Duncan Hare <DH@Synoia.com> Acked-by: Joe Hershberger <joe.hershberger@ni.com> 
Make it possible to add TCP versions of the same, while reusing
IP portions. This patch should not change any behavior.

Signed-off-by: Duncan Hare <DH@Synoia.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
net: Don't overwrite waiting packets with asynchronous replies 2018-10-10T17:29:01+00:00 Joe Hershberger joe.hershberger@ni.com 2018-09-26T21:49:02+00:00 ac3f26cc15ad7e3e9efc2b0b0e18c6e84d93af77 Peter originally sent a fix, but it breaks a number of other things. This addresses the original reported issue in a different way. That report was: > U-Boot has 1 common buffer to send Ethernet frames, pointed to by > net_tx_packet. When sending to an IP address without knowing the MAC > address, U-Boot makes an ARP request (using the arp_tx_packet buffer) > to find out the MAC address of the IP addressr. When a matching ARP > reply is received, U-Boot continues sending the frame stored in the > net_tx_packet buffer. > > However, in the mean time, if U-Boot needs to send out any network > packets (e.g. replying ping packets or ARP requests for its own IP > address etc.), it will use the net_tx_packet buffer to prepare the > new packet. Thus this buffer is no longer the original packet meant > to be transmitted after the ARP reply. The original packet will be > lost. This instead uses the ARP tx buffer to send async replies in the case where we are actively waiting for an ARP reply. Signed-off-by: Joe Hershberger <joe.hershberger@ni.com> Reported-by: Tran Tien Dat <peter.trantiendat@gmail.com> Reviewed-by: Simon Glass <sjg@chromium.org> Reviewed-by: Bin Meng <bmeng.cn@gmail.com> Tested-by: Bin Meng <bmeng.cn@gmail.com> 
Peter originally sent a fix, but it breaks a number of other things.
This addresses the original reported issue in a different way.

That report was:

> U-Boot has 1 common buffer to send Ethernet frames, pointed to by
> net_tx_packet.  When sending to an IP address without knowing the MAC
> address, U-Boot makes an ARP request (using the arp_tx_packet buffer)
> to find out the MAC address of the IP addressr. When a matching ARP
> reply is received, U-Boot continues sending the frame stored in the
> net_tx_packet buffer.
>
> However, in the mean time, if U-Boot needs to send out any network
> packets (e.g. replying ping packets or ARP requests for its own IP
> address etc.), it will use the net_tx_packet buffer to prepare the
> new packet. Thus this buffer is no longer the original packet meant
> to be transmitted after the ARP reply. The original packet will be
> lost.

This instead uses the ARP tx buffer to send async replies in the case
where we are actively waiting for an ARP reply.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>

Reported-by: Tran Tien Dat <peter.trantiendat@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Tested-by: Bin Meng <bmeng.cn@gmail.com>
net: Add an accessor to know if waiting for ARP 2018-10-10T17:28:58+00:00 Joe Hershberger joe.hershberger@ni.com 2018-09-26T21:48:58+00:00 3f02c98bd1000fc26ee2700fd5a75112cdeaca6c This single-sources the state of the ARP. Signed-off-by: Joe Hershberger <joe.hershberger@ni.com> Reviewed-by: Simon Glass <sjg@chromium.org> Reviewed-by: Bin Meng <bmeng.cn@gmail.com> 
This single-sources the state of the ARP.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
net: eth-uclass: Fix for DM USB ethernet support 2018-08-21T14:21:37+00:00 Jean-Jacques Hiblot jjhiblot@ti.com 2018-08-09T14:17:41+00:00 c3211708cf721163733f03330bdb579d8c0f689b When a USB ethernet device is halted, the device driver is removed. When this happens the uclass private memory is freed and uclass_priv is set to NULL. This causes a data abort when uclass_priv->state is then set to ETH_STATE_PASSIVE. Fix it by checking if uclass_priv is NULL before setting uclass_priv->state Signed-off-by: Jean-Jacques Hiblot <jjhiblot@ti.com> Acked-by: Joe Hershberger <joe.hershberger@ni.com> 
When a USB ethernet device is halted, the device driver is removed. When
this happens the uclass private memory is freed and uclass_priv is set to
NULL. This causes a data abort when uclass_priv->state is then set to
ETH_STATE_PASSIVE.

Fix it by checking if uclass_priv is NULL before setting uclass_priv->state

Signed-off-by: Jean-Jacques Hiblot <jjhiblot@ti.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>