| field | value | date |
|---|---|---|
| author | Mateusz Furdyna <[email protected]> | 2026-06-10 16:25:33 +0200 |
| committer | Jerome Forissier <[email protected]> | 2026-06-23 13:13:16 +0200 |
| commit | b1aec609bb5e0d08c25c888c91935287ab4ee5fa (patch) | |
| tree | e7fa4f32fd9af2461d7c6e5d4a3f3ec4ec021ab1 /doc/develop/driver-model | |
| parent | 5aa2066aca2ad95c5ed204c50dfd69379c9a8d32 (diff) | |
net: clear IP defragmentation state after returning a complete packet
During the IP defragmentation process, after the reassembly is finished
with the last packet arriving with MF=0, the reassembly state w.r.t.
static counters is not cleared. In case this last arriving packet with
MF=0 gets duplicated, payload bytes are mistakenly treated as hole data.
A malicious actor who can deliver fragmented IP traffic to a U-Boot
instance with CONFIG_IP_DEFRAG=y can corrupt memory via out-of-bounds
writes and redirect control flow into attacker-supplied payload bytes
that already sit in `pkt_buff[]`.
Publicly available AI models are able to generate a reproducer based
on the provided information.
Fix: once the assembled packet has been handed back to the caller, mark
the reassembly state empty so that any further fragment (duplicate,
replay, or a brand-new datagram that happens to reuse the `ip_id`) goes
through the normal re-init path and rebuilds a clean hole list instead
of dereferencing payload bytes as struct hole.
Fixes: 5cfaa4e54d0e ("net: defragment IP packets")
Reported-by: Mariusz Madej <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Acked-by: Alessandro Rubini <[email protected]>
Signed-off-by: Mateusz Furdyna <[email protected]>
Diffstat (limited to 'doc/develop/driver-model')
0 files changed, 0 insertions, 0 deletions
