From caa2ad6f8c8cc4c295c77aaff464c580d52c3ba6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvin=20=C5=A0ipraga?= Date: Thu, 2 Oct 2025 11:43:36 +0200 Subject: tftp: make TFTP ports unconditionally configurable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A few lines of code being guarded by the CONFIG_TFTP_PORT option seems an unnecessary restriction on the TFTP support provided by a vanilla U-Boot image. In cases where the TFTP server cannot run as superuser - and hence cannot run on the well-known port 69 - this quirk incurs a full reconfiguration and rebuild of the bootloader only in order to select the appropriate destination port. Remove the CONFIG_TFTP_PORT option entirely and make the tftpdstp and tftpsrcp variables always have an effect. Their being unset will mean that U-Boot behaves the same as if CONFIG_TFTP_PORT was unset. Update the documentation accordingly. And fix up the single board which was originally enabling this option. Signed-off-by: Alvin Šipraga Reviewed-by: Quentin Schulz --- net/Kconfig | 18 ------------------ net/tftp.c | 3 +-- 2 files changed, 1 insertion(+), 20 deletions(-) (limited to 'net') diff --git a/net/Kconfig b/net/Kconfig index 40ec6bbce76..7ba64d43b39 100644 --- a/net/Kconfig +++ b/net/Kconfig @@ -60,24 +60,6 @@ config SYS_FAULT_ECHO_LINK_DOWN this option is active, then CONFIG_SYS_FAULT_MII_ADDR also needs to be configured. -config TFTP_PORT - bool "Set TFTP UDP source/destination ports via the environment" - help - If this is defined, the environment variable tftpsrcp is used to - supply the TFTP UDP source port value. If tftpsrcp isn't defined, - the normal pseudo-random port number generator is used. - - Also, the environment variable tftpdstp is used to supply the TFTP - UDP destination port value. If tftpdstp isn't defined, the normal - port 69 is used. - - The purpose for tftpsrcp is to allow a TFTP server to blindly start - the TFTP transfer using the pre-configured target IP address and UDP - port. This has the effect of "punching through" the (Windows XP) - firewall, allowing the remainder of the TFTP transfer to proceed - normally. A better solution is to properly configure the firewall, - but sometimes that is not allowed. - config TFTP_WINDOWSIZE int "TFTP window size" default 1 diff --git a/net/tftp.c b/net/tftp.c index 1ca9a5ea7cf..1760877107f 100644 --- a/net/tftp.c +++ b/net/tftp.c @@ -926,14 +926,13 @@ void tftp_start(enum proto_t protocol) /* Use a pseudo-random port unless a specific port is set */ tftp_our_port = 1024 + (get_timer(0) % 3072); -#ifdef CONFIG_TFTP_PORT ep = env_get("tftpdstp"); if (ep != NULL) tftp_remote_port = simple_strtol(ep, NULL, 10); ep = env_get("tftpsrcp"); if (ep != NULL) tftp_our_port = simple_strtol(ep, NULL, 10); -#endif + tftp_cur_block = 0; tftp_windowsize = 1; tftp_last_nack = 0; -- cgit v1.2.3 From f8220460372b2e2c12afec3faf89921dd4e39b6c Mon Sep 17 00:00:00 2001 From: Tom Rini Date: Thu, 25 Sep 2025 14:44:12 -0600 Subject: net: Add SYS_FAULT_MII_ADDR to Kconfig The support found under SYS_FAULT_ECHO_LINK_DOWN requires that the SYS_FAULT_MII_ADDR symbol also be set. This wasn't previously found in Kconfig, so add it now. Signed-off-by: Tom Rini Acked-by: Jerome Forissier --- net/Kconfig | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'net') diff --git a/net/Kconfig b/net/Kconfig index 7ba64d43b39..42fcba5323f 100644 --- a/net/Kconfig +++ b/net/Kconfig @@ -60,6 +60,10 @@ config SYS_FAULT_ECHO_LINK_DOWN this option is active, then CONFIG_SYS_FAULT_MII_ADDR also needs to be configured. +config SYS_FAULT_MII_ADDR + hex "MII address of the PHY to check for the Ethernet link state" + depends on SYS_FAULT_ECHO_LINK_DOWN && LED_STATUS_RED_ENABLE + config TFTP_WINDOWSIZE int "TFTP window size" default 1 -- cgit v1.2.3 From 99707a0baaa85736529a172f515b44598e5a8bc8 Mon Sep 17 00:00:00 2001 From: Tom Rini Date: Thu, 25 Sep 2025 14:44:13 -0600 Subject: net: Remove BOOTP_VENDOREX support It has been over a decade since we had a platform that implemented the bootp vendor extension support hook. Remove this option due to lack of use. Signed-off-by: Tom Rini Acked-by: Jerome Forissier --- net/bootp.c | 13 ------------- net/bootp.h | 4 ---- 2 files changed, 17 deletions(-) (limited to 'net') diff --git a/net/bootp.c b/net/bootp.c index 19e7453daed..a28d11cb368 100644 --- a/net/bootp.c +++ b/net/bootp.c @@ -491,9 +491,6 @@ static int dhcp_extended(u8 *e, int message_type, struct in_addr server_ip, #endif int clientarch = -1; -#if defined(CONFIG_BOOTP_VENDOREX) - u8 *x; -#endif #if defined(CONFIG_BOOTP_SEND_HOSTNAME) char *hostname; #endif @@ -584,12 +581,6 @@ static int dhcp_extended(u8 *e, int message_type, struct in_addr server_ip, e = add_vci(e); -#if defined(CONFIG_BOOTP_VENDOREX) - x = dhcp_vendorex_prep(e); - if (x) - return x - start; -#endif - *e++ = 55; /* Parameter Request List */ cnt = e++; /* Pointer to count of requested items */ *cnt = 0; @@ -977,10 +968,6 @@ static void dhcp_process_options(uchar *popt, uchar *end) } break; default: -#if defined(CONFIG_BOOTP_VENDOREX) - if (dhcp_vendorex_proc(popt)) - break; -#endif printf("*** Unhandled DHCP Option in OFFER/ACK:" " %d\n", *popt); break; diff --git a/net/bootp.h b/net/bootp.h index 47c743479e7..14f5af68e15 100644 --- a/net/bootp.h +++ b/net/bootp.h @@ -24,10 +24,6 @@ #if defined(CONFIG_CMD_DHCP) /* Minimum DHCP Options size per RFC2131 - results in 576 byte pkt */ #define OPT_FIELD_SIZE 312 -#if defined(CONFIG_BOOTP_VENDOREX) -extern u8 *dhcp_vendorex_prep(u8 *e); /*rtn new e after add own opts. */ -extern u8 *dhcp_vendorex_proc(u8 *e); /*rtn next e if mine,else NULL */ -#endif #else #define OPT_FIELD_SIZE 64 #endif -- cgit v1.2.3 From 4b8e78585171787794611205d661b97bc5f4dd83 Mon Sep 17 00:00:00 2001 From: Jerome Forissier Date: Thu, 9 Oct 2025 14:30:14 +0200 Subject: net: make dhcp_run() common for NET and NET_LWIP There are currently two implementations of dhcp_run(): one in cmd/net.c for NET and one in net/lwip/dhcp.c for NET_LWIP. There is no justification for that. Therefore, move the NET version into net/net-common.c to be used by both stacks, and drop the NET_LWIP version which by the way does not look totally correct. Signed-off-by: Jerome Forissier Suggested-by: Tom Rini Acked-by: Benjamin Hahn --- net/lwip/dhcp.c | 22 ---------------------- net/net-common.c | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 22 deletions(-) (limited to 'net') diff --git a/net/lwip/dhcp.c b/net/lwip/dhcp.c index 531bf2c6705..b798014ebcb 100644 --- a/net/lwip/dhcp.c +++ b/net/lwip/dhcp.c @@ -150,25 +150,3 @@ int do_dhcp(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[]) return CMD_RET_SUCCESS; } - -int dhcp_run(ulong addr, const char *fname, bool autoload) -{ - char *dhcp_argv[] = {"dhcp", NULL, }; -#ifdef CONFIG_CMD_TFTPBOOT - char *tftp_argv[] = {"tftpboot", boot_file_name, NULL, }; -#endif - struct cmd_tbl cmdtp = {}; /* dummy */ - - if (autoload) { -#ifdef CONFIG_CMD_TFTPBOOT - /* Assume DHCP was already performed */ - if (boot_file_name[0]) - return do_tftpb(&cmdtp, 0, 2, tftp_argv); - return 0; -#else - return -EOPNOTSUPP; -#endif - } - - return do_dhcp(&cmdtp, 0, 1, dhcp_argv); -} diff --git a/net/net-common.c b/net/net-common.c index b064557d524..442b0597558 100644 --- a/net/net-common.c +++ b/net/net-common.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0 #include +#include #include #include #include @@ -48,3 +49,37 @@ void net_sntp_set_rtc(u32 seconds) tm.tm_year, tm.tm_mon, tm.tm_mday, tm.tm_hour, tm.tm_min, tm.tm_sec); } + +#if defined(CONFIG_CMD_DHCP) +int dhcp_run(ulong addr, const char *fname, bool autoload) +{ + char *dhcp_argv[] = {"dhcp", NULL, (char *)fname, NULL}; + struct cmd_tbl cmdtp = {}; /* dummy */ + char file_addr[17]; + int old_autoload; + int ret, result; + + log_debug("addr=%lx, fname=%s, autoload=%d\n", addr, fname, autoload); + old_autoload = env_get_yesno("autoload"); + ret = env_set("autoload", autoload ? "y" : "n"); + if (ret) + return log_msg_ret("en1", -EINVAL); + + if (autoload) { + sprintf(file_addr, "%lx", addr); + dhcp_argv[1] = file_addr; + } + + result = do_dhcp(&cmdtp, 0, !autoload ? 1 : fname ? 3 : 2, dhcp_argv); + + ret = env_set("autoload", old_autoload == -1 ? NULL : + old_autoload ? "y" : "n"); + if (ret) + return log_msg_ret("en2", -EINVAL); + + if (result) + return log_msg_ret("res", -ENOENT); + + return 0; +} +#endif -- cgit v1.2.3 From 81e5708cc2c865df606e49aed5415adb2a662171 Mon Sep 17 00:00:00 2001 From: Paul HENRYS Date: Thu, 9 Oct 2025 17:43:28 +0200 Subject: net: bootp: Prevent buffer overflow to avoid leaking the RAM content CVE-2024-42040 describes a possible buffer overflow when calling bootp_process_vendor() in bootp_handler() since the total length of the packet is passed to bootp_process_vendor() without being reduced to len-(offsetof(struct bootp_hdr,bp_vend)+4). The packet length is also checked against its minimum size to avoid reading data from struct bootp_hdr outside of the packet length. Signed-off-by: Paul HENRYS Signed-off-by: Philippe Reynes --- net/bootp.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'net') diff --git a/net/bootp.c b/net/bootp.c index a28d11cb368..64fca9a42d9 100644 --- a/net/bootp.c +++ b/net/bootp.c @@ -379,6 +379,14 @@ static void bootp_handler(uchar *pkt, unsigned dest, struct in_addr sip, debug("got BOOTP packet (src=%d, dst=%d, len=%d want_len=%zu)\n", src, dest, len, sizeof(struct bootp_hdr)); + /* Check the minimum size of a BOOTP packet is respected. + * A BOOTP packet is between 300 bytes and 576 bytes big + */ + if (len < offsetof(struct bootp_hdr, bp_vend) + 64) { + printf("Error: got an invalid BOOTP packet (len=%u)\n", len); + return; + } + bp = (struct bootp_hdr *)pkt; /* Filter out pkts we don't want */ @@ -396,7 +404,8 @@ static void bootp_handler(uchar *pkt, unsigned dest, struct in_addr sip, /* Retrieve extended information (we must parse the vendor area) */ if (net_read_u32((u32 *)&bp->bp_vend[0]) == htonl(BOOTP_VENDOR_MAGIC)) - bootp_process_vendor((uchar *)&bp->bp_vend[4], len); + bootp_process_vendor((uchar *)&bp->bp_vend[4], len - + (offsetof(struct bootp_hdr, bp_vend) + 4)); net_set_timeout_handler(0, (thand_f *)0); bootstage_mark_name(BOOTSTAGE_ID_BOOTP_STOP, "bootp_stop"); -- cgit v1.2.3