path: root/net/net.c
Age  Commit message  Author
2026-02-06  net: Stop conflating return value with file size in net_loop()  Yuya Hamamachi
The net_loop() currently conflates return value with file size at the end of successful transfer, in NETLOOP_SUCCESS state. The return type of net_loop() is int, which makes this practice workable for file sizes below 2 GiB, but anything above that will lead to overflow and bogus negative return value from net_loop(). The return file size is only used by a few sites in the code base, which can be easily fixed. Change the net_loop() return value to always be only a return code, in case of error the returned value is the error code, in case of successful transfer the value is 0 or 1 instead of 0 or net_boot_file_size . This surely always fits into a signed integer. By keeping the return code 0 or 1 in case of successful transfer, no conditionals which depended on the old behavior are broken, but all the sites had to be inspected and updated accordingly. Fix the few sites which depend on the file size by making them directly use the net_boot_file_size variable value. This variable is accessible to all of those sites already, because they all include net-common.h . Signed-off-by: Yuya Hamamachi <[email protected]> Signed-off-by: Marek Vasut <[email protected]>
2026-01-15  net: Move some variables to net-common files  Andrew Goodbody
Make some variables available to be used by either the legacy network code or lwIP by moving them into the net-common files. This also allowed removing a small number of duplicated variables from the lwIP code. Signed-off-by: Andrew Goodbody <[email protected]> Reviewed-by: Jerome Forissier <[email protected]>
2026-01-15  net: move net_state to net-common  Andrew Goodbody
Move the net_state variable into common code so that it can be used by either the legacy network code or lwIP. This is needed for porting across the NFS support code for use with lwIP. Signed-off-by: Andrew Goodbody <[email protected]> Reviewed-by: Jerome Forissier <[email protected]>
2025-12-05  net: remove unreachable legacy LED code  Quentin Schulz
The code is guarded by a condition none of the defconfigs meet (that is CONFIG_SYS_FAULT_ECHO_LINK_DOWN and CONFIG_LED_STATUS_RED both enabled), so we can remove the unreachable code sections. When doing that, there's no caller for miiphy_link anymore, so it can be removed. This in turn makes CONFIG_SYS_FAULT_ECHO_LINK_DOWN and CONFIG_SYS_FAULT_MII_ADDR unused so they are removed as well. Signed-off-by: Quentin Schulz <[email protected]> Reviewed-by: Tom Rini <[email protected]>
2025-08-18  net: introduce CONFIG_DNS  Jerome Forissier
Introduce the DNS Kconfig symbol so that various network commands may use host names without the dns command (CMD_DNS) being selected. Signed-off-by: Jerome Forissier <[email protected]> CC: E Shattow <[email protected]>
2025-08-18  net: add missing SPDX-License-Identifier for files originating from LiMon  Max Merchel
The header of LiMon imported files reference a License file which does not exist in U-Boot. Some files were forgotten when adding the SPDX-License-Identifier. The LiMon files were originally licensed under GPLv2 as can be seen in commit [2ea91039]. Based on this commit, add the correct SPDX license identifier. While at it drop the reference to the non-existing License file from all LiMon files and update the SPDX-License-Identifier to SPDX version 3. Signed-off-by: Max Merchel <[email protected]>
2025-04-08  use proper fallthrough annotations  Andre Przywara
In some cases in the generic code, we were already using switch/case fallthrough annotations comments, though in a way which might not be understood by most compilers. Replace two non-standard /* no break */ comments with our fallthrough; statement-like macro, to make this visible to the compiler. Also use this macro in place of an /* Fall through */ comment, to be more consistent. Signed-off-by: Andre Przywara <[email protected]> Reviewed-by: Tom Rini <[email protected]>
2024-12-28  net/net: fix include ordering  Mikhail Kshevetskiy
fix include ordering to follow https://docs.u-boot.org/en/latest/develop/codingstyle.html#include-files Signed-off-by: Mikhail Kshevetskiy <[email protected]> Reviewed-by: Simon Glass <[email protected]>
2024-12-28  net/tcp: improve tcp framework, use better state machine  Mikhail Kshevetskiy
Changes:
* Fix initial send sequence always zero issue
* Use state machine close to RFC 9293. This should make TCP transfers more reliable (now we can upload a huge array of data from the board to external server)
* Improve TCP framework a lot. This should make tcp client code much more simple.
* rewrite wget with new tcp stack
* rewrite fastboot_tcp with new tcp stack

It's quite hard to fix the initial send sequence (ISS) issue with the separate patch. A naive attempt to fix an issue inside the tcp_set_tcp_header() function will break tcp packet retransmit logic in wget and other clients.

Example: Wget stores tcp_seq_num value before tcp_set_tcp_header() will be called and (on failure) retransmit the packet with the stored tcp_seq_num value. Thus:
* the same ISS must always be used (current case)
* or tcp clients needs to generate a proper ISS when required.

A proper ISS fix will require a big redesign comparable with this one.

Signed-off-by: Mikhail Kshevetskiy <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
2024-12-28  net/tcp: add connection info to tcp_stream structure  Mikhail Kshevetskiy
Changes:
* Avoid use net_server_ip in tcp code, use tcp_stream data instead
* Ignore packets from other connections if connection already created. This prevents us from connection break caused by other tcp stream.

Signed-off-by: Mikhail Kshevetskiy <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
2024-12-28  net/tcp: put connection specific data into a tcp_stream structure  Mikhail Kshevetskiy
no functional changes Signed-off-by: Mikhail Kshevetskiy <[email protected]> Reviewed-by: Simon Glass <[email protected]>
2024-11-18  net: net_utils: Move ip_to_string to lib/net_utils.c  Adriano Cordova
The function string_to_ip is already in net_utils, which is compiled unconditionally, but ip_to_string is currently only accessible if the legacy network stack is selected. This commit puts ip_to_string in net_utils.c and removes it from the legacy network code. Signed-off-by: Adriano Cordova <[email protected]> Reviewed-by: Heinrich Schuchardt <[email protected]>
2024-10-16  net: split net into net{,-common,-legacy,-lwip}  Jerome Forissier
Make net.h a wrapper which includes net-common.h and either net-legacy.h or net-lwip.h based on NET_LWIP. The function copy_filename() can be useful when NET_LWIP is enabled, therefore move it out of net/net.c which is built only when networking choice is NET and create a new file net/net-common.c. Signed-off-by: Jerome Forissier <[email protected]> Acked-by: Ilias Apalodimas <[email protected]>
2024-10-11  Merge patch series "Tidy up use of 'SPL' and CONFIG_SPL_BUILD"  Tom Rini
Simon Glass <[email protected]> says:

When the SPL build-phase was first created it was designed to solve a particular problem (the need to init SDRAM so that U-Boot proper could be loaded). It has since expanded to become an important part of U-Boot, with three phases now present: TPL, VPL and SPL

Due to this history, the term 'SPL' is used to mean both a particular phase (the one before U-Boot proper) and all the non-proper phases. This has become confusing.

For a similar reason CONFIG_SPL_BUILD is set to 'y' for all 'SPL' phases, not just SPL. So code which can only be compiled for actual SPL, for example, must use something like this:

    #if defined(CONFIG_SPL_BUILD) && !defined(CONFIG_TPL_BUILD)

In Makefiles we have similar issues. SPL_ has been used as a variable which expands to either SPL_ or nothing, to choose between options like CONFIG_BLK and CONFIG_SPL_BLK. When TPL appeared, a new SPL_TPL variable was created which expanded to 'SPL_', 'TPL_' or nothing. Later it was updated to support 'VPL_' as well.

This series starts a change in terminology and usage to resolve the above issues:
- The word 'xPL' is used instead of 'SPL' to mean a non-proper build
- A new CONFIG_XPL_BUILD define indicates that the current build is an 'xPL' build
- The existing CONFIG_SPL_BUILD is changed to mean SPL; it is not now defined for TPL and VPL phases
- The existing SPL_ Makefile variable is renamed to SPL_
- The existing SPL_TPL Makefile variable is renamed to PHASE_

It should be noted that xpl_phase() can generally be used instead of the above CONFIGs without a code-space or run-time penalty.

This series does not attempt to convert all of U-Boot to use this new terminology but it makes a start. In particular, renaming spl.h and common/spl seems like a bridge too far at this point.

The series is fully bisectable. It has also been checked to ensure there are no code-size changes on any commit.
2024-10-11  global: Use CONFIG_XPL_BUILD instead of CONFIG_SPL_BUILD  Simon Glass
Complete this rename for all directories outside arch/ board/ drivers/ and include/ Use the new symbol to refer to any 'SPL' build, including TPL and VPL Signed-off-by: Simon Glass <[email protected]>
2024-10-10  tftp: implement support for LED activity  Christian Marangi
Implement support for LED activity. If the feature is enabled, make the defined ACTIVITY LED to signal traffic. Also turn the ACTIVITY LED OFF if a CTRL-C is detected in the main net loop function. Signed-off-by: Christian Marangi <[email protected]> Reviewed-by: Simon Glass <[email protected]>
2024-09-10  net: guard call to tftp_start() with IS_ENABLED(CONFIG_CMD_TFTPBOOT)  Jerome Forissier
net_auto_load() cannot call tftp_start() if CONFIG_CMD_TFTPBOOT is disabled. Signed-off-by: Jerome Forissier <[email protected]>
2024-07-15  net: Remove duplicate newlines  Marek Vasut
Drop all duplicate newlines. No functional change. Signed-off-by: Marek Vasut <[email protected]>
2024-05-20  Restore patch series "arm: dts: am62-beagleplay: Fix Beagleplay Ethernet"  Tom Rini
As part of bringing the master branch back in to next, we need to allow for all of these changes to exist here. Reported-by: Jonas Karlman <[email protected]> Signed-off-by: Tom Rini <[email protected]>
2024-05-19  Revert "Merge patch series "arm: dts: am62-beagleplay: Fix Beagleplay Ethernet""  Tom Rini
When bringing in the series 'arm: dts: am62-beagleplay: Fix Beagleplay Ethernet"' I failed to notice that b4 noticed it was based on next and so took that as the base commit and merged that part of next to master. This reverts commit c8ffd1356d42223cbb8c86280a083cc3c93e6426, reversing changes made to 2ee6f3a5f7550de3599faef9704e166e5dcace35. Reported-by: Jonas Karlman <[email protected]> Signed-off-by: Tom Rini <[email protected]>
2024-05-06  net: Remove <common.h> and add needed includes  Tom Rini
Remove <common.h> from all "net/" files and when needed add missing include files directly. Signed-off-by: Tom Rini <[email protected]>
2023-11-05  net: Add option for tracing packets  Sean Anderson
Add an option to trace all packets sent/received. This can be helpful when debugging protocol issues, as the packets can then be imported into wireshark [1] and analyzed further. [1] https://www.wireshark.org/docs/wsug_html_chunked/ChIOImportSection.html Signed-off-by: Sean Anderson <[email protected]> Reviewed-by: Simon Glass <[email protected]>
2023-10-17  net: Fix compiling SPL when fastboot is enabled  Sean Anderson
When fastboot is enabled in U-Boot proper and SPL_NET is enabled, we will try to (unsuccessfully) reference it in SPL. Fix these linker errors by conditioning on SPL_UDP/TCP_FUNCTION_FASTBOOT. Signed-off-by: Sean Anderson <[email protected]> Reviewed-by: Simon Glass <[email protected]> Reviewed-by: Tom Rini <[email protected]>
2023-08-22  net: Fix the displayed value of bytes transferred  Siddharth Vadapalli
In the case of NETLOOP_SUCCESS, the decimal value of the u32 variable "net_boot_file_size" is printed using "%d", resulting in negative values being reported for large file sizes. Fix this by using "%u" to print the decimal value corresponding to the bytes transferred. Fixes: 1411157d8578 ("net: cosmetic: Fixup var names related to boot file") Signed-off-by: Siddharth Vadapalli <[email protected]> Reviewed-by: Tom Rini <[email protected]>
2023-05-05  net: ipv6: Add support for default gateway discovery.  Ehsan Mohandesi
In IPv6, the default gateway and prefix length are determined by receiving a router advertisement as defined in - https://www.rfc-editor.org/rfc/rfc4861.

Add support for sending router solicitation (RS) and processing router advertisements (RA).

If the RA has prefix info option and following conditions are met, then gatewayip6 and net_prefix_length of ip6addr env variables are initialized. These are later consumed by IPv6 code for non-local destination IP.
- "Router Lifetime" != 0
- Prefix is NOT link-local prefix (0xfe80::/10)
- L flag is 1
- "Valid Lifetime" != 0

Timing Parameters:
- MAX_RTR_SOLICITATION_DELAY (0-1s)
- RTR_SOLICITATION_INTERVAL (4s) (min retransmit delay)
- MAX_RTR_SOLICITATIONS (3 RS transmissions)

The functionality is enabled by CONFIG_IPV6_ROUTER_DISCOVERY and invoked automatically from net_init_loop().

Signed-off-by: Ehsan Mohandesi <[email protected]>
Tested-by: Viacheslav Mitrofanov <[email protected]>
Reviewed-by: Tested-by: Viacheslav Mitrofanov <[email protected]>
Reviewed-by: Viacheslav Mitrofanov <[email protected]>
Tested-by: Sergei Antonov <[email protected]>
Reviewed-by: Sergei Antonov <[email protected]>
2023-05-05  net: add fastboot TCP support  Dmitrii Merkurev
Known limitations are
1. fastboot reboot doesn't work (answering OK but not rebooting)
2. flashing isn't supported (TCP transport only limitation)

The command syntax is

    fastboot tcp

Signed-off-by: Dmitrii Merkurev <[email protected]>
Cc: Ying-Chun Liu (PaulLiu) <[email protected]>
Cc: Simon Glass <[email protected]>
Сс: Joe Hershberger <[email protected]>
Сс: Ramon Fried <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
2023-05-05  net: dhcp6: Add DHCPv6 (DHCP for IPv6)  Sean Edmond
Adds DHCPv6 protocol to u-boot. Allows for address assignment with DHCPv6 4-message exchange (SOLICIT->ADVERTISE->REQUEST->REPLY). Includes DHCPv6 options required by RFC 8415. Also adds DHCPv6 options required for PXE boot.

Possible enhancements:
- Duplicate address detection on DHCPv6 assigned address
- IPv6 address assignment through SLAAC
- Sending/parsing other DHCPv6 options (NTP, DNS, etc...)

Signed-off-by: Sean Edmond <[email protected]>
Reviewed-by: Ramon Fried <[email protected]>
2023-01-23  sandbox: Allow ethernet to be disabled at runtime  Simon Glass
For bootstd tests it is seldom useful to have ethernet enabled. Add a way to disable it, so that ethernet operations like tftpboot do nothing. Signed-off-by: Simon Glass <[email protected]>
2022-12-22  net: ipv6: Add missing break into IPv6 protocol handler  Viacheslav Mitrofanov
IPv6 protocol handler is not terminated with a break statement. It can lead to running unexpected code. Signed-off-by: Viacheslav Mitrofanov <[email protected]> Reviewed-by: Daniel Schwierzeck <[email protected]>
2022-12-05  net: ping6: Add ping6 command  Viacheslav Mitrofanov
Implement ping6 command to ping hosts using IPv6. It works the same way as an ordinary ping command. There is no ICMP request so it is not possible to ping our host. This patch adds options in Kconfig and Makefile to build ping6 command. Series-changes: 3 - Added structures and functions descriptions - Added to ping6_receive() return value instead of void Series-changes: 4 - Fixed structures and functions description style Signed-off-by: Viacheslav Mitrofanov <[email protected]> Reviewed-by: Ramon Fried <[email protected]> Reviewed-by: Simon Glass <[email protected]>
2022-12-05  net: tftp: Add IPv6 support for tftpboot  Viacheslav Mitrofanov
The command tftpboot uses IPv4 by default. Add the possibility to use IPv6 instead. If an address in the command is an IPv6 address it will use IPv6 to boot or if there is a suffix -ipv6 in the end of the command it also forces using IPv6. All other tftpboot features and parameters are left the same. Signed-off-by: Viacheslav Mitrofanov <[email protected]> Reviewed-by: Ramon Fried <[email protected]> Reviewed-by: Simon Glass <[email protected]>
2022-12-05  net: ipv6: Incorporate IPv6 support into u-boot net subsystem  Viacheslav Mitrofanov
Add net_ip6_handler (an IPv6 packet handler) into net_loop. Add neighbor discovery mechanism into network init process. That is the main step to run IPv6 in u-boot. Now u-boot is capable to use NDP and handle IPv6 packets. Signed-off-by: Viacheslav Mitrofanov <[email protected]> Reviewed-by: Ramon Fried <[email protected]> Reviewed-by: Simon Glass <[email protected]>
2022-11-28  net: Add wget application  Ying-Chun Liu (PaulLiu)
This commit adds a simple wget command that can download files from http server. The command syntax is wget ${loadaddr} <path of the file from server> Signed-off-by: Duncan Hare <[email protected]> Signed-off-by: Ying-Chun Liu (PaulLiu) <[email protected]> Reviewed-by: Simon Glass <[email protected]> Cc: Christian Gmeiner <[email protected]> Cc: Joe Hershberger <[email protected]> Cc: Michal Simek <[email protected]> Cc: Ramon Fried <[email protected]> Reviewed-by: Ramon Fried <[email protected]>
2022-11-28  net: Add TCP protocol  Ying-Chun Liu (PaulLiu)
Currently file transfers are done using tftp or NFS both over udp. This requires a request to be sent from client (u-boot) to the boot server. The current standard is TCP with selective acknowledgment. Signed-off-by: Duncan Hare <[email protected]> Signed-off-by: Duncan Hare <[email protected]> Signed-off-by: Ying-Chun Liu (PaulLiu) <[email protected]> Reviewed-by: Simon Glass <[email protected]> Cc: Christian Gmeiner <[email protected]> Cc: Joe Hershberger <[email protected]> Cc: Michal Simek <[email protected]> Cc: Ramon Fried <[email protected]> Reviewed-by: Ramon Fried <[email protected]>
2022-11-28  net: deal with fragment-overlapping-two-holes case  Rasmus Villemoes
With a suitable sequence of malicious packets, it's currently possible to get a hole descriptor to contain arbitrary attacker-controlled contents, and then with one more packet to use that as an arbitrary write vector. While one could possibly change the algorithm so we instead loop over all holes, and in each hole puts as much of the current fragment as belongs there (taking care to carefully update the hole list as appropriate), it's not worth the complexity: In real, non-malicious scenarios, one never gets overlapping fragments, and certainly not fragments that would be supersets of one another. So instead opt for this simple protection: Simply don't allow the eventual memcpy() to write beyond the last_byte of the current hole. Signed-off-by: Rasmus Villemoes <[email protected]>
2022-11-28  net: fix ip_len in reassembled IP datagram  Rasmus Villemoes
For some reason, the ip_len field in a reassembled IP datagram is set to just the size of the payload, but it should be set to the value it would have had if the datagram had never been fragmented in the first place, i.e. size of payload plus size of IP header. That latter value is currently returned correctly via the "len" variable. And before entering net_defragment(), len does have the value ntohs(ip->ip_len), so if we're not dealing with a fragment (so net_defragment leaves *len alone), that relationship of course also holds after the net_defragment() call. The only use I can find of ip->ip_len after the net_defragment call is the ntohs(ip->udp_len) > ntohs(ip->ip_len) sanity check - none of the functions that are passed the "ip" pointer themselves inspect ->ip_len but instead use the passed len. But that sanity check is a bit odd, since the RHS really should be "ntohs(ip->ip_len) - 20", i.e. the IP payload size. Now that we've fixed things so that len == ntohs(ip->ip_len) in all cases, change that sanity check to use len-20 as the RHS. Signed-off-by: Rasmus Villemoes <[email protected]>
2022-11-28  net: (actually/better) deal with CVE-2022-{30790,30552}  Rasmus Villemoes
I hit a strange problem with v2022.10: Sometimes my tftp transfer would seemingly just hang. It only happened for some files. Moreover, changing tftpblocksize from 65464 to 65460 or 65000 made it work again for all the files I tried. So I started suspecting it had something to do with the file sizes and in particular the way the tftp blocks get fragmented and reassembled.

v2022.01 showed no problems with any of the files or any value of tftpblocksize.

Looking at what had changed in net.c or tftp.c since January showed only one remotely interesting thing, b85d130ea0ca.

So I fired up wireshark on my host to see if somehow one of the packets would be too small. But no, with both v2022.01 and v2022.10, the exact same sequence of packets were sent, all but the last of size 1500, and the last being 1280 bytes.

But then it struck me that 1280 is 5*256, so one of the two bytes on-the-wire is 0 and the other is 5, and when then looking at the code again the lack of endianness conversion becomes obvious. [ntohs is both applied to ip->ip_off just above, as well as to ip->ip_len just a little further down when the "len" is actually computed].

IOWs the current code would falsely reject any packet which happens to be a multiple of 256 bytes in size, breaking tftp transfers somewhat randomly, and if it did get one of those "malicious" packets with ip_len set to, say, 27, it would be seen by this check as being 6912 and hence not rejected.

====

Now, just adding the missing ntohs() would make my initial problem go away, in that I can now download the file where the last fragment ends up being 1280 bytes. But there's another bug in the code and/or analysis: The right-hand side is too strict, in that it is ok for the last fragment not to have a multiple of 8 bytes as payload - it really must be ok, because nothing in the IP spec says that IP datagrams must have a multiple of 8 bytes as payload. And comments in the code also mention this.

To fix that, replace the comparison with <= IP_HDR_SIZE and add another check that len is actually a multiple of 8 when the "more fragments" bit is set - which it necessarily is for the case where offset8 ends up being 0, since we're only called when

    (ip_off & (IP_OFFS | IP_FLAGS_MFRAG)).

====

So, does this fix CVE-2022-30790 for real? It certainly correctly rejects the POC code which relies on sending a packet of size 27 with the MFRAG flag set. Can the attack be carried out with a size 27 packet that doesn't set MFRAG (hence must set a non-zero fragment offset)? I dunno. If we get a packet without MFRAG, we update h->last_byte in the hole we've found to be start+len, hence we'd enter one of

    if ((h >= thisfrag) && (h->last_byte <= start + len)) {

or

    } else if (h->last_byte <= start + len) {

and thus won't reach any of the

    /* overlaps with initial part of the hole: move this hole */
    newh = thisfrag + (len / 8);

    /* fragment sits in the middle: split the hole */
    newh = thisfrag + (len / 8);

IOW these division are now guaranteed to be exact, and thus I think the scenario in CVE-2022-30790 cannot happen anymore.

====

However, there's a big elephant in the room, which has always been spelled out in the comments, and which makes me believe that one can still cause mayhem even with packets whose payloads are all 8-byte aligned:

This code doesn't deal with a fragment that overlaps with two different holes (thus being a superset of a previously-received fragment).

Suppose each character below represents 8 bytes, with D being already received data, H being a hole descriptor (struct hole), h being non-populated chunks, and P representing where the payload of a just received packet should go:

DDDHhhhhDDDDHhhhDDDD PPPPPPPPP

I'm pretty sure in this case we'd end up with h being the first hole, enter the simple

    } else if (h->last_byte <= start + len) {
        /* overlaps with final part of the hole: shorten this hole */
        h->last_byte = start;

case, and thus in the memcpy happily overwrite the second H with our chosen payload. This is probably worth fixing...

Signed-off-by: Rasmus Villemoes <[email protected]>
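
The two length checks contrasted in the commit message above, as an added example (a stand-alone model, not U-Boot source): the "ip_len lesser than 28" comparison as a little-endian CPU evaluates it when ntohs() is missing, next to the reworked check with `<= IP_HDR_SIZE` and the multiple-of-8 rule for fragments with MFRAG set. The headers are constructed, and `MIN_FRAG_TOTAL`, `old_accepts()` and `new_accepts()` are hypothetical names.

```c
/* Added illustration: a stand-alone model of the checks, not U-Boot source. */
#include <stdint.h>
#include <stdio.h>

#define IP_HDR_SIZE    20      /* IPv4 header without options */
#define IP_FLAGS_MFRAG 0x2000  /* "more fragments" bit in ip_off */
#define MIN_FRAG_TOTAL 28      /* hypothetical name for IP_HDR_SIZE + 8 */

/* A 16-bit header field as ntohs() delivers it (big-endian on the wire). */
static uint16_t wire16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/* The same field as a little-endian CPU reads it when ntohs() is missing. */
static uint16_t raw16_le(const uint8_t *p)
{
	return (uint16_t)((p[1] << 8) | p[0]);
}

/* Constructed 20-byte IPv4 header; only ip_len and ip_off matter here. */
static void make_hdr(uint8_t *hdr, uint16_t ip_len, uint16_t ip_off)
{
	int i;

	for (i = 0; i < IP_HDR_SIZE; i++)
		hdr[i] = 0;
	hdr[0] = 0x45;                      /* version 4, IHL 5 */
	hdr[2] = (uint8_t)(ip_len >> 8);    /* Total Length, network order */
	hdr[3] = (uint8_t)(ip_len & 0xff);
	hdr[6] = (uint8_t)(ip_off >> 8);    /* flags + fragment offset */
	hdr[7] = (uint8_t)(ip_off & 0xff);
}

/* Minimum-size check applied to the unconverted field. Returns 1 = accepted. */
int old_accepts(uint16_t ip_len, uint16_t ip_off)
{
	uint8_t hdr[IP_HDR_SIZE];

	make_hdr(hdr, ip_len, ip_off);
	return raw16_le(hdr + 2) >= MIN_FRAG_TOTAL;
}

/*
 * Reworked check: the datagram must carry at least one payload byte, and
 * any fragment that is not the last one must carry a multiple of 8 bytes,
 * so that len / 8 in the hole bookkeeping is exact. Returns 1 = accepted.
 */
int new_accepts(uint16_t ip_len, uint16_t ip_off)
{
	uint8_t hdr[IP_HDR_SIZE];
	uint16_t total, off;
	int len;

	make_hdr(hdr, ip_len, ip_off);
	total = wire16(hdr + 2);
	off = wire16(hdr + 6);
	if (total <= IP_HDR_SIZE)
		return 0;
	len = total - IP_HDR_SIZE;
	if ((off & IP_FLAGS_MFRAG) && (len % 8) != 0)
		return 0;
	return 1;
}

int main(void)
{
	/* Constructed sample fragments: total length, ip_off, description. */
	static const struct {
		uint16_t ip_len, ip_off;
		const char *what;
	} c[] = {
		{ 1500, IP_FLAGS_MFRAG, "full-size fragment, more to follow" },
		{ 1280, 185, "last fragment, 5*256 bytes" },
		{ 27, IP_FLAGS_MFRAG, "7-byte payload with MFRAG set" },
		{ 21, 1, "last fragment, 1 byte of payload" },
		{ 20, 1, "header only" },
	};
	unsigned int i;

	for (i = 0; i < sizeof(c) / sizeof(c[0]); i++)
		printf("ip_len=%4u  old=%d  new=%d  %s\n",
		       (unsigned int)c[i].ip_len,
		       old_accepts(c[i].ip_len, c[i].ip_off),
		       new_accepts(c[i].ip_len, c[i].ip_off), c[i].what);
	return 0;
}
```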
2022-11-28  net: compare received length to sizeof(ip_hdr), not sizeof(ip_udp_hdr)  Rasmus Villemoes
While the code mostly/only handles UDP packets, it's possible for the last fragment of a fragmented UDP packet to be smaller than 28 bytes; it can be as small as 21 bytes (an IP header plus one byte of payload). So until we've performed the defragmentation step and thus know whether we're now holding a full packet, we should only check for the existence of the fields in the ip header, i.e. that there are at least 20 bytes present. In practice, we always seem to be handed a "len" of minimum 60 from the device layer, i.e. minimal ethernet frame length minus FCS, so this is mostly theoretical. After we've fetched the header's claimed length and used that to update the len variable, check that the header itself claims to be the minimal possible length. This is probably how CVE-2022-30552 should have been dealt with in the first place, because net_defragment() is not the only place that wants to know the size of the IP datagram payload: If we receive a non-fragmented ICMP packet, we pass "len" to receive_icmp() which in turn may pass it to ping_receive() which does compute_ip_checksum(icmph, len - IP_HDR_SIZE) and due to the signature of compute_ip_checksum(), that would then lead to accessing ~4G of address space, very likely leading to a crash. Signed-off-by: Rasmus Villemoes <[email protected]>
2022-11-28  net: improve check for no IP options  Rasmus Villemoes
There's no reason we should accept an IP packet with a malformed IHL field. So ensure that it is exactly 5, not just <= 5. Signed-off-by: Rasmus Villemoes <[email protected]> Reviewed-by: Ramon Fried <[email protected]>
2022-10-21  cmd: Add ncsi command  Samuel Mendoza-Jonas
Adds an "ncsi" command to manually start NC-SI configuration. Signed-off-by: Samuel Mendoza-Jonas <[email protected]> Signed-off-by: Joel Stanley <[email protected]> Reviewed-by: Cédric Le Goater <[email protected]>
2022-10-21  net: NC-SI setup and handling  Samuel Mendoza-Jonas
Add the handling of NC-SI ethernet frames, and add a check at the start of net_loop() to configure NC-SI before starting other network commands. Signed-off-by: Samuel Mendoza-Jonas <[email protected]> Signed-off-by: Joel Stanley <[email protected]> Reviewed-by: Cédric Le Goater <[email protected]> Reviewed-by: Ramon Fried <[email protected]>
2022-09-18  cyclic: Use schedule() instead of WATCHDOG_RESET()  Stefan Roese
Globally replace all occurrences of WATCHDOG_RESET() with schedule(), which handles the HW_WATCHDOG functionality and the cyclic infrastructure. Signed-off-by: Stefan Roese <[email protected]> Reviewed-by: Simon Glass <[email protected]> Tested-by: Tom Rini <[email protected]> [am335x_evm, mx6cuboxi, rpi_3,dra7xx_evm, pine64_plus, am65x_evm, j721e_evm]
2022-06-03  net: Check for the minimum IP fragmented datagram size  Fabio Estevam
Nicolas Bidron and Nicolas Guigo reported the two bugs below:

"
----------BUG 1----------

In compiled versions of U-Boot that define CONFIG_IP_DEFRAG, a value of `ip->ip_len` (IP packet header's Total Length) higher than `IP_HDR_SIZE` and strictly lower than `IP_HDR_SIZE+8` will lead to a value for `len` comprised between `0` and `7`. This will ultimately result in a truncated division by `8` resulting value of `0` forcing the hole metadata and fragment to point to the same location. The subsequent memcopy will overwrite the hole metadata with the fragment data. Through a second fragment, this can be exploited to write to an arbitrary offset controlled by that overwritten hole metadata value.

This bug is only exploitable locally as it requires crafting two packets the first of which would most likely be dropped through routing due to its unexpectedly low Total Length. However, this bug can potentially be exploited to root linux based embedded devices locally.

```C
static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
{
	static uchar pkt_buff[IP_PKTSIZE] __aligned(PKTALIGN);
	static u16 first_hole, total_len;
	struct hole *payload, *thisfrag, *h, *newh;
	struct ip_udp_hdr *localip = (struct ip_udp_hdr *)pkt_buff;
	uchar *indata = (uchar *)ip;
	int offset8, start, len, done = 0;
	u16 ip_off = ntohs(ip->ip_off);

	/* payload starts after IP header, this fragment is in there */
	payload = (struct hole *)(pkt_buff + IP_HDR_SIZE);
	offset8 =  (ip_off & IP_OFFS);
	thisfrag = payload + offset8;
	start = offset8 * 8;
	len = ntohs(ip->ip_len) - IP_HDR_SIZE;
```

The last line of the previous excerpt from `u-boot/net/net.c` shows how the attacker can control the value of `len` to be strictly lower than `8` by issuing a packet with `ip_len` between `21` and `27` (`IP_HDR_SIZE` has a value of `20`).

Also note that `offset8` here is `0` which leads to `thisfrag = payload`.

```C
	} else if (h >= thisfrag) {
		/* overlaps with initial part of the hole: move this hole */
		newh = thisfrag + (len / 8);
		*newh = *h;
		h = newh;
		if (h->next_hole)
			payload[h->next_hole].prev_hole = (h - payload);
		if (h->prev_hole)
			payload[h->prev_hole].next_hole = (h - payload);
		else
			first_hole = (h - payload);

	} else {
```

Lower down the same function, execution reaches the above code path. Here, `len / 8` evaluates to `0` leading to `newh = thisfrag`. Also note that `first_hole` here is `0` since `h` and `payload` point to the same location.

```C
	/* finally copy this fragment and possibly return whole packet */
	memcpy((uchar *)thisfrag, indata + IP_HDR_SIZE, len);
```

Finally, in the above excerpt the `memcpy` overwrites the hole metadata since `thisfrag` and `h` both point to the same location. The hole metadata is effectively overwritten with arbitrary data from the fragmented IP packet data. If `len` was crafted to be `6`, `last_byte`, `next_hole`, and `prev_hole` of the `first_hole` can be controlled by the attacker.

Finally the arbitrary offset write occurs through a second fragment that only needs to be crafted to write data in the hole pointed to by the previously controlled hole metadata (`next_hole`) from the first packet.

### Recommendation

Handle cases where `len` is strictly lower than 8 by preventing the overwrite of the hole metadata during the memcpy of the fragment. This could be achieved by either:
* Moving the location where the hole metadata is stored when `len` is lower than `8`.
* Or outright rejecting fragmented IP datagram with a Total Length (`ip_len`) lower than 28 bytes which is the minimum valid fragmented IP datagram size (as defined as the minimum fragment of 8 octets in the IP Specification Document: [RFC791](https://datatracker.ietf.org/doc/html/rfc791) page 25).

----------BUG 2----------

In compiled versions of U-Boot that define CONFIG_IP_DEFRAG, a value of `ip->ip_len` (IP packet header's Total Length) lower than `IP_HDR_SIZE` will lead to a negative value for `len` which will ultimately result in a buffer overflow during the subsequent `memcpy` that uses `len` as its `count` parameter.

This bug is only exploitable on local ethernet as it requires crafting an invalid packet to include an unexpected `ip_len` value in the IP UDP header that's lower than the minimum accepted Total Length of a packet (21 as defined in the IP Specification Document: [RFC791](https://datatracker.ietf.org/doc/html/rfc791)). Such packet would in all likelihood be dropped while being routed to its final destination through most routing equipment and as such requires the attacker to be in a local position in order to be exploited.

```C
static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
{
	static uchar pkt_buff[IP_PKTSIZE] __aligned(PKTALIGN);
	static u16 first_hole, total_len;
	struct hole *payload, *thisfrag, *h, *newh;
	struct ip_udp_hdr *localip = (struct ip_udp_hdr *)pkt_buff;
	uchar *indata = (uchar *)ip;
	int offset8, start, len, done = 0;
	u16 ip_off = ntohs(ip->ip_off);

	/* payload starts after IP header, this fragment is in there */
	payload = (struct hole *)(pkt_buff + IP_HDR_SIZE);
	offset8 =  (ip_off & IP_OFFS);
	thisfrag = payload + offset8;
	start = offset8 * 8;
	len = ntohs(ip->ip_len) - IP_HDR_SIZE;
```

The last line of the previous excerpt from `u-boot/net/net.c` shows where the underflow to a negative `len` value occurs if `ip_len` is set to a value strictly lower than 20 (`IP_HDR_SIZE` being 20). Also note that in the above excerpt the `pkt_buff` buffer has a size of `CONFIG_NET_MAXDEFRAG` which defaults to 16 KB but can range from 1KB to 64 KB depending on configurations.

```C
	/* finally copy this fragment and possibly return whole packet */
	memcpy((uchar *)thisfrag, indata + IP_HDR_SIZE, len);
```

In the above excerpt the `memcpy` overflows the destination by attempting to make a copy of nearly 4 gigabytes in a buffer that's designed to hold `CONFIG_NET_MAXDEFRAG` bytes at most which leads to a DoS.

### Recommendation

Stop processing of the packet if `ip_len` is lower than 21 (as defined by the minimum length of a data carrying datagram in the IP Specification Document: [RFC791](https://datatracker.ietf.org/doc/html/rfc791) page 34)."

Add a check for ip_len lesser than 28 and stop processing the packet in this case.

Such a check covers the two reported bugs.

Reported-by: Nicolas Bidron <[email protected]>
Signed-off-by: Fabio Estevam <[email protected]>
2022-04-22  Allow colon in PXE bootfile URLs  Lyle Franklin
- U-boot's PXE flow supports prefixing your bootfile name with an IP address to fetch from a server other than the DHCP server, e.g. `hostIPaddr:bootfilename`: https://github.com/u-boot/u-boot/commit/a93907c43f847f076dd0e34ee3b69b5e8e6d0d29
- However, this breaks bootfile paths which contain a colon, e.g. `f0:ad:4e:10:1b:87/7/pxelinux.cfg/default`
- This patch checks whether the `hostIPaddr` prefix is a valid IP address before overriding the serverIP otherwise the whole bootfile path is preserved

Signed-off-by: Lyle Franklin <[email protected]>
2022-01-21  net: Drop #ifdefs with CONFIG_BOOTP_SERVERIP  Simon Glass
Use IS_ENABLED() instead, to reduce the number of build paths. Signed-off-by: Simon Glass <[email protected]> Reviewed-by: Ramon Fried <[email protected]>
2022-01-21  Convert CONFIG_UDP_CHECKSUM to Kconfig  Simon Glass
This converts the following to Kconfig: CONFIG_UDP_CHECKSUM Signed-off-by: Simon Glass <[email protected]>
2021-08-02  global: Convert simple_strtoul() with decimal to dectoul()  Simon Glass
It is a pain to have to specify the value 10 in each call. Add a new dectoul() function and update the code to use it. Signed-off-by: Simon Glass <[email protected]>
2021-01-27  net: fix ping in netconsole  Yang Liu
Should not init eth device when doing ping in netconsole. Signed-off-by: Yang Liu <[email protected]> Cc: Joe Hershberger <[email protected]>
2020-10-10  net: Expose some errors generated in net_init  Sean Anderson
net_init does not always succeed, and there is no existing mechanism to discover errors. This patch allows callers of net_init (such as net_init) to handle errors. The root issue is that eth_get_dev can fail, but net_init_loop doesn't expose that. The ideal way to fix eth_get_dev would be to return an error with ERR_PTR, but there are a lot of callers, and all of them just check if it's NULL. Another approach would be to change the signature to something like int eth_get_dev(struct udevice **pdev) but that would require rewriting all of the many callers. Signed-off-by: Sean Anderson <[email protected]> Reviewed-by: Simon Glass <[email protected]>
2020-09-30  sntp: use udp framework  Philippe Reynes
This commit updates the support of sntp to use the framework udp. This change allows to remove all the reference to sntp in the main network file net/net.c. Signed-off-by: Philippe Reynes <[email protected]> Reviewed-by: Simon Glass <[email protected]>