7 files changed, 95 insertions, 21 deletions

diff --git a/net/Kconfig b/net/Kconfig
index e45ceb25106..e712a0dd2ac 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -2,8 +2,45 @@
 # Network configuration
 #
 
+config NO_NET
+	bool "Disable networking"
+	help
+	  Transitional variable. Equivalent to setting NET=n.
+
+menuconfig NET
+	bool "Networking"
+	depends on !NO_NET
+	default y
+
 if NET
 
+choice
+	prompt "Networking stack"
+	default NET_LEGACY
+
+config NET_LEGACY
+	bool "Legacy U-Boot networking stack"
+	select NETDEVICES
+	help
+	  Include networking support with U-Boot's internal implementation of
+	  the TCP/IP protocol stack.
+
+config NET_LWIP
+	bool "Use lwIP for networking stack"
+	select NETDEVICES
+	help
+	  Include networking support based on the lwIP (lightweight IP)
+	  TCP/IP stack (https://nongnu.org/lwip). This is a replacement for
+	  the default U-Boot network stack and applications located in net/
+	  and enabled via CONFIG_NET_LEGACY as well as other pieces of code that
+	  depend on CONFIG_NET_LEGACY (such as cmd/net.c enabled via CONFIG_CMD_NET).
+	  Therefore the two symbols CONFIG_NET_LEGACY and CONFIG_NET_LWIP are mutually
+	  exclusive.
+
+endchoice
+
+if NET_LEGACY
+
 config ARP_TIMEOUT
 	int "Milliseconds before trying ARP again"
 	default 5000
@@ -195,12 +232,10 @@ config IPV6
 	  ip6addr, serverip6. If a u-boot command is capable to parse an IPv6
 	  address and find it, it will force using IPv6 in the network stack.
 
-endif   # if NET
+endif   # if NET_LEGACY
 
 source "net/lwip/Kconfig"
 
-if NET || NET_LWIP
-
 config BOOTDEV_ETH
 	bool "Enable bootdev for ethernet"
 	depends on BOOTSTD
@@ -228,7 +263,7 @@ config DNS
 
 config WGET
 	bool "Enable wget"
-	select PROT_TCP if NET
+	select PROT_TCP if NET_LEGACY
 	select PROT_TCP_LWIP if NET_LWIP
 	help
 	  Selecting this will enable wget, an interface to send HTTP requests
@@ -244,7 +279,7 @@ config TFTP_BLOCKSIZE
 	  almost-MTU block sizes.
 	  You can also activate CONFIG_IP_DEFRAG to set a larger block.
 
-endif   # if NET || NET_LWIP
+endif   # if NET
 
 config SYS_RX_ETH_BUFFER
         int "Number of receive packet buffers"
diff --git a/net/Makefile b/net/Makefile
index 3a32bc8b0e7..ceac6de6377 100644
--- a/net/Makefile
+++ b/net/Makefile
@@ -5,9 +5,9 @@
 
 #ccflags-y += -DDEBUG
 
-ifeq ($(CONFIG_NET),y)
+ifeq ($(CONFIG_NET_LEGACY),y)
 
-obj-$(CONFIG_NET)      += arp.o
+obj-$(CONFIG_NET_LEGACY)      += arp.o
 obj-$(CONFIG_CMD_BOOTP) += bootp.o
 obj-$(CONFIG_CMD_CDP)  += cdp.o
 obj-$(CONFIG_DNS)  += dns.o
@@ -37,7 +37,7 @@ CFLAGS_eth_common.o += -Wno-format-extra-args
 
 endif
 
-ifeq ($(filter y,$(CONFIG_NET) $(CONFIG_NET_LWIP)),y)
+ifeq ($(CONFIG_NET),y)
 obj-$(CONFIG_DM_DSA)   += dsa-uclass.o
 obj-$(CONFIG_$(PHASE_)DM_ETH) += eth-uclass.o
 obj-$(CONFIG_$(PHASE_)BOOTDEV_ETH) += eth_bootdev.o
diff --git a/net/bootp.c b/net/bootp.c
index 8976936b184..f0dc329d6e4 100644
--- a/net/bootp.c
+++ b/net/bootp.c
@@ -997,13 +997,13 @@ static void dhcp_packet_process_options(struct bootp_hdr *bp)
 	}
 }
 
-static int dhcp_message_type(unsigned char *popt)
+static int dhcp_message_type(unsigned char *popt, unsigned char *end)
 {
 	if (net_read_u32((u32 *)popt) != htonl(BOOTP_VENDOR_MAGIC))
 		return -1;
 
 	popt += 4;
-	while (*popt != 0xff) {
+	while (popt < end && *popt != 0xff) {
 		if (*popt == 53)	/* DHCP Message Type */
 			return *(popt + 2);
 		if (*popt == 0)	{
@@ -1120,7 +1120,7 @@ static void dhcp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
 			    strlen(CONFIG_SYS_BOOTFILE_PREFIX)) == 0) {
 #endif	/* CONFIG_SYS_BOOTFILE_PREFIX */
 			if (CONFIG_IS_ENABLED(UNIT_TEST) &&
-			    dhcp_message_type((u8 *)bp->bp_vend) == -1) {
+			    dhcp_message_type((u8 *)bp->bp_vend, (u8 *)pkt + len) == -1) {
 				debug("got BOOTP response; transitioning to BOUND\n");
 				goto dhcp_got_bootp;
 			}
@@ -1149,7 +1149,7 @@ static void dhcp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
 	case REQUESTING:
 		debug("DHCP State: REQUESTING\n");
 
-		if (dhcp_message_type((u8 *)bp->bp_vend) == DHCP_ACK) {
+		if (dhcp_message_type((u8 *)bp->bp_vend, (u8 *)pkt + len) == DHCP_ACK) {
 dhcp_got_bootp:
 			dhcp_packet_process_options(bp);
 			/* Store net params from reply */
diff --git a/net/dhcpv6.c b/net/dhcpv6.c
index 5bf935cb6a3..640f089a2e1 100644
--- a/net/dhcpv6.c
+++ b/net/dhcpv6.c
@@ -339,6 +339,11 @@ static void dhcp6_parse_options(uchar *rx_pkt, unsigned int len)
 			break;
 		case DHCP6_OPTION_IA_TA:
 		case DHCP6_OPTION_IA_NA:
+			if (option_len < sizeof(u32)) {
+				debug("Invalid IA_NA/IA_TA option length\n");
+				break;
+			}
+
 			/* check the IA_ID */
 			if (*((u32 *)option_ptr) !=  htonl(sm_params.ia_id)) {
 				debug("IA_ID mismatch 0x%08x 0x%08x\n",
@@ -347,6 +352,10 @@ static void dhcp6_parse_options(uchar *rx_pkt, unsigned int len)
 			}
 
 			if (ntohs(option_hdr->option_id) == DHCP6_OPTION_IA_NA) {
+				if (option_len < 3 * sizeof(u32)) {
+					debug("Invalid IA_NA option length\n");
+					break;
+				}
 				/* skip past IA_ID/T1/T2 */
 				option_ptr += 3 * sizeof(u32);
 			} else if (ntohs(option_hdr->option_id) == DHCP6_OPTION_IA_TA) {
@@ -358,12 +367,20 @@ static void dhcp6_parse_options(uchar *rx_pkt, unsigned int len)
 			break;
 		case DHCP6_OPTION_STATUS_CODE:
 			debug("DHCP6_OPTION_STATUS_CODE FOUND\n");
+			if (option_len < sizeof(u16)) {
+				debug("Invalid status code option length\n");
+				break;
+			}
 			sm_params.rx_status.status_code = ntohs(*((u16 *)option_ptr));
 			debug("DHCP6 top-level status code %d\n", sm_params.rx_status.status_code);
 			debug("DHCP6 status message: %.*s\n", len, option_ptr + 2);
 			break;
 		case DHCP6_OPTION_SOL_MAX_RT:
 			debug("DHCP6_OPTION_SOL_MAX_RT FOUND\n");
+			if (option_len != sizeof(u32)) {
+				debug("Invalid SOL_MAX_RT option length\n");
+				break;
+			}
 			sol_max_rt_sec = ntohl(*((u32 *)option_ptr));
 
 			/* A DHCP client MUST ignore any SOL_MAX_RT option values that are less
@@ -377,6 +394,11 @@ static void dhcp6_parse_options(uchar *rx_pkt, unsigned int len)
 			break;
 		case DHCP6_OPTION_OPT_BOOTFILE_URL:
 			debug("DHCP6_OPTION_OPT_BOOTFILE_URL FOUND\n");
+			if (option_len >= sizeof(net_boot_file_name)) {
+				debug("Option length for BOOTFILE_URL is greater or equal than %zu. Skipping\n",
+				      sizeof(net_boot_file_name));
+				break;
+			}
 			copy_filename(net_boot_file_name, option_ptr, option_len + 1);
 			debug("net_boot_file_name: %s\n", net_boot_file_name);
 
@@ -389,6 +411,12 @@ static void dhcp6_parse_options(uchar *rx_pkt, unsigned int len)
 		case DHCP6_OPTION_OPT_BOOTFILE_PARAM:
 			if (IS_ENABLED(CONFIG_DHCP6_PXE_DHCP_OPTION)) {
 				debug("DHCP6_OPTION_OPT_BOOTFILE_PARAM FOUND\n");
+
+				if (option_len < sizeof(u16)) {
+					debug("Invalid BOOTFILE_PARAM option length\n");
+					break;
+				}
+
 				/* if CONFIG_DHCP6_PXE_DHCP_OPTION is set the PXE config file path
 				 * is contained in the first OPT_BOOTFILE_PARAM argument
 				 */
@@ -414,6 +442,10 @@ static void dhcp6_parse_options(uchar *rx_pkt, unsigned int len)
 			break;
 		case DHCP6_OPTION_PREFERENCE:
 			debug("DHCP6_OPTION_PREFERENCE FOUND\n");
+			if (option_len != 1) {
+				debug("Invalid preference option length\n");
+				break;
+			}
 			sm_params.rx_status.preference = *option_ptr;
 			break;
 		default:
diff --git a/net/lwip/wget.c b/net/lwip/wget.c
index 008f3b395e7..502c0faebb2 100644
--- a/net/lwip/wget.c
+++ b/net/lwip/wget.c
@@ -20,7 +20,6 @@
 #define SERVER_NAME_SIZE 254
 #define HTTP_PORT_DEFAULT 80
 #define HTTPS_PORT_DEFAULT 443
-#define PROGRESS_PRINT_STEP_BYTES (100 * 1024)
 
 enum done_state {
 	NOT_DONE = 0,
@@ -178,6 +177,9 @@ static int store_block(struct wget_ctx *ctx, void *src, u16_t len)
 	ctx->daddr += len;
 	ctx->size += len;
 
+	if (wget_info->silent)
+		return 0;
+
 	pos = clamp(ctx->size, 0UL, ctx->content_len);
 
 	while (ctx->hash_count < pos * 50 / ctx->content_len) {
@@ -240,20 +242,18 @@ static void httpc_result_cb(void *arg, httpc_result_t httpc_result,
 	}
 
 	/* Print hash marks for the last packet received */
-	while (ctx->hash_count < 49) {
-		putc('#');
-		ctx->hash_count++;
+	if (!wget_info->silent) {
+		while (ctx->hash_count < 49) {
+			putc('#');
+			ctx->hash_count++;
+		}
 	}
-	puts("  ");
-	print_size(ctx->content_len, "");
 
 	elapsed = get_timer(ctx->start_time);
 	if (!elapsed)
 		elapsed = 1;
 	if (!wget_info->silent) {
-		if (rx_content_len > PROGRESS_PRINT_STEP_BYTES)
-			printf("\n");
-		printf("%u bytes transferred in %lu ms (", rx_content_len,
+		printf("\n%u bytes transferred in %lu ms (", rx_content_len,
 		       elapsed);
 		print_size(rx_content_len / elapsed * 1000, "/s)\n");
 		printf("Bytes transferred = %lu (%lx hex)\n", ctx->size,
diff --git a/net/nfs-common.c b/net/nfs-common.c
index 4fbde67a760..72d8fd823e3 100644
--- a/net/nfs-common.c
+++ b/net/nfs-common.c
@@ -674,11 +674,15 @@ static int nfs_readlink_reply(uchar *pkt, unsigned int len)
 
 		strcat(nfs_path, "/");
 		pathlen = strlen(nfs_path);
+		if (pathlen + rlen >= sizeof(nfs_path_buff))
+			return -NFS_RPC_DROP;
 		memcpy(nfs_path + pathlen,
 		       (uchar *)&rpc_pkt.u.reply.data[2 + nfsv3_data_offset],
 		       rlen);
 		nfs_path[pathlen + rlen] = 0;
 	} else {
+		if (rlen >= sizeof(nfs_path_buff))
+			return -NFS_RPC_DROP;
 		memcpy(nfs_path,
 		       (uchar *)&rpc_pkt.u.reply.data[2 + nfsv3_data_offset],
 		       rlen);
diff --git a/net/sntp.c b/net/sntp.c
index 77cee0046bd..4b3dc675bab 100644
--- a/net/sntp.c
+++ b/net/sntp.c
@@ -64,6 +64,9 @@ static void sntp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
 	if (dest != sntp_our_port)
 		return;
 
+	if (len < SNTP_PACKET_LEN)
+		return;
+
 	/*
 	 * As the RTC's used in U-Boot support second resolution only
 	 * we simply ignore the sub-second field.