From patchwork Fri Oct 14 17:43:37 2022
X-Patchwork-Submitter: Rasmus Villemoes
X-Patchwork-Id: 1690109
X-Patchwork-Delegate: trini@ti.com
From: Rasmus Villemoes
To: u-boot@lists.denx.de
Cc: Fabio Estevam, Nicolas Bidron, Tom Rini, Joe Hershberger, Ramon Fried, Rasmus Villemoes
Subject: [PATCH 1/6] net: improve check for no IP options
Date: Fri, 14 Oct 2022 19:43:37 +0200
Message-Id: <20221014174342.3216982-2-rasmus.villemoes@prevas.dk>
In-Reply-To: <20221014174342.3216982-1-rasmus.villemoes@prevas.dk>
References: <20221014174342.3216982-1-rasmus.villemoes@prevas.dk>

There's no reason we should accept an IP packet with a malformed IHL field. So ensure that it is exactly 5, not just <= 5.

Signed-off-by: Rasmus Villemoes
Reviewed-by: Ramon Fried
--- net/net.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/net.c b/net/net.c index 81905f6315..536731245b 100644 --- a/net/net.c +++ b/net/net.c
@@ -1209,7 +1209,7 @@ void net_process_received_packet(uchar *in_packet, int len) if ((ip->ip_hl_v & 0xf0) != 0x40) return; /* Can't deal with IP options (headers != 20 bytes) */ - if ((ip->ip_hl_v & 0x0f) > 0x05) + if ((ip->ip_hl_v & 0x0f) != 0x05) return; /* Check the Checksum of the header */ if (!ip_checksum_ok((uchar *)ip, IP_HDR_SIZE)) {
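Review bot: with the IHL test changed to an equality, this test and the version test just above it examine the two nibbles of one field, so the pair could be a single comparison of ip->ip_hl_v against 0x45, provided ip_hl_v is one byte wide (its declaration is not among the visible lines). If they stay separate, consider rewording the comment to something like "header must be exactly 20 bytes, no options", since an IHL below 5 is a malformed header rather than a header with options.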
From: Rasmus Villemoes
To: u-boot@lists.denx.de
Cc: Fabio Estevam, Nicolas Bidron, Tom Rini, Joe Hershberger, Ramon Fried, Rasmus Villemoes
Subject: [PATCH 2/6] net: compare received length to sizeof(ip_hdr), not sizeof(ip_udp_hdr)
Date: Fri, 14 Oct 2022 19:43:38 +0200
Message-Id: <20221014174342.3216982-3-rasmus.villemoes@prevas.dk>
In-Reply-To: <20221014174342.3216982-1-rasmus.villemoes@prevas.dk>
References: <20221014174342.3216982-1-rasmus.villemoes@prevas.dk>

While the code mostly/only handles UDP packets, it's possible for the last fragment of a fragmented UDP packet to be smaller than 28 bytes; it can be as small as 21 bytes (an IP header plus one byte of payload). So until we've performed the defragmentation step and thus know whether we're now holding a full packet, we should only check for the existence of the fields in the ip header, i.e. that there are at least 20 bytes present.

In practice, we always seem to be handed a "len" of minimum 60 from the device layer, i.e. minimal ethernet frame length minus FCS, so this is mostly theoretical.

After we've fetched the header's claimed length and used that to update the len variable, check that the header itself claims to be the minimal possible length.

This is probably how CVE-2022-30552 should have been dealt with in the first place, because net_defragment() is not the only place that wants to know the size of the IP datagram payload: If we receive a non-fragmented ICMP packet, we pass "len" to receive_icmp() which in turn may pass it to ping_receive() which does

  compute_ip_checksum(icmph, len - IP_HDR_SIZE)

and due to the signature of compute_ip_checksum(), that would then lead to accessing ~4G of address space, very likely leading to a crash.

Signed-off-by: Rasmus Villemoes
--- net/net.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/net.c b/net/net.c index 536731245b..86b1d90159 100644 --- a/net/net.c +++ b/net/net.c @@ -1191,9 +1191,9 @@ void net_process_received_packet(uchar *in_packet, int len) case PROT_IP: debug_cond(DEBUG_NET_PKT, "Got IP\n"); /* Before we start poking the header, make sure it is there */ - if (len < IP_UDP_HDR_SIZE) { + if (len < IP_HDR_SIZE) { debug("len bad %d < %lu\n", len, - (ulong)IP_UDP_HDR_SIZE); + (ulong)IP_HDR_SIZE); return; } /* Check the packet length */
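Review bot: after lowering this guard from IP_UDP_HDR_SIZE to IP_HDR_SIZE, nothing in the visible lines ensures that the UDP header is present before later code reads it; the commit message defers that to after defragmentation, so please confirm that the UDP path checks len against IP_UDP_HDR_SIZE once the datagram is complete, or add that check in this patch. A short comment at this test saying that only the IP header is guaranteed from here on would help the next reader.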
@@ -1202,6 +1202,10 @@ void net_process_received_packet(uchar *in_packet, int len) return; } len = ntohs(ip->ip_len); + if (len < IP_HDR_SIZE) { + debug("bad ip->ip_len %d < %d\n", len, (int)IP_HDR_SIZE); + return; + } debug_cond(DEBUG_NET_PKT, "len=%d, v=%02x\n", len, ip->ip_hl_v & 0xff);
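Review bot: the new debug() call formats IP_HDR_SIZE with "%d" and an (int) cast, while the test a few lines earlier in the same function prints the same constant with "%lu" and a (ulong) cast; use one form for both. Since the line right after the new block uses debug_cond(DEBUG_NET_PKT, ...), the new message may fit better under the same condition.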
From: Rasmus Villemoes
To: u-boot@lists.denx.de
Cc: Fabio Estevam, Nicolas Bidron, Tom Rini, Joe Hershberger, Ramon Fried, Rasmus Villemoes
Subject: [PATCH 3/6] net: (actually/better) deal with CVE-2022-{30790,30552}
Date: Fri, 14 Oct 2022 19:43:39 +0200
Message-Id: <20221014174342.3216982-4-rasmus.villemoes@prevas.dk>
In-Reply-To: <20221014174342.3216982-1-rasmus.villemoes@prevas.dk>
References: <20221014174342.3216982-1-rasmus.villemoes@prevas.dk>

I hit a strange problem with v2022.10: Sometimes my tftp transfer would seemingly just hang. It only happened for some files. Moreover, changing tftpblocksize from 65464 to 65460 or 65000 made it work again for all the files I tried. So I started suspecting it had something to do with the file sizes and in particular the way the tftp blocks get fragmented and reassembled.

v2022.01 showed no problems with any of the files or any value of tftpblocksize.

Looking at what had changed in net.c or tftp.c since January showed only one remotely interesting thing, b85d130ea0ca.

So I fired up wireshark on my host to see if somehow one of the packets would be too small. But no, with both v2022.01 and v2022.10, the exact same sequence of packets were sent, all but the last of size 1500, and the last being 1280 bytes.

But then it struck me that 1280 is 5*256, so one of the two bytes on-the-wire is 0 and the other is 5, and when then looking at the code again the lack of endianness conversion becomes obvious. [ntohs is both applied to ip->ip_off just above, as well as to ip->ip_len just a little further down when the "len" is actually computed].

IOWs the current code would falsely reject any packet which happens to be a multiple of 256 bytes in size, breaking tftp transfers somewhat randomly, and if it did get one of those "malicious" packets with ip_len set to, say, 27, it would be seen by this check as being 6912 and hence not rejected.

====

Now, just adding the missing ntohs() would make my initial problem go away, in that I can now download the file where the last fragment ends up being 1280 bytes. But there's another bug in the code and/or analysis: The right-hand side is too strict, in that it is ok for the last fragment not to have a multiple of 8 bytes as payload - it really must be ok, because nothing in the IP spec says that IP datagrams must have a multiple of 8 bytes as payload. And comments in the code also mention this.

To fix that, replace the comparison with <= IP_HDR_SIZE and add another check that len is actually a multiple of 8 when the "more fragments" bit is set - which it necessarily is for the case where offset8 ends up being 0, since we're only called when (ip_off & (IP_OFFS | IP_FLAGS_MFRAG)).

====

So, does this fix CVE-2022-30790 for real? It certainly correctly rejects the POC code which relies on sending a packet of size 27 with the MFRAG flag set. Can the attack be carried out with a size 27 packet that doesn't set MFRAG (hence must set a non-zero fragment offset)? I dunno. If we get a packet without MFRAG, we update h->last_byte in the hole we've found to be start+len, hence we'd enter one of

  if ((h >= thisfrag) && (h->last_byte <= start + len)) {

or

  } else if (h->last_byte <= start + len) {

and thus won't reach any of the

  /* overlaps with initial part of the hole: move this hole */
  newh = thisfrag + (len / 8);

  /* fragment sits in the middle: split the hole */
  newh = thisfrag + (len / 8);

IOW these divisions are now guaranteed to be exact, and thus I think the scenario in CVE-2022-30790 cannot happen anymore.

====

However, there's a big elephant in the room, which has always been spelled out in the comments, and which makes me believe that one can still cause mayhem even with packets whose payloads are all 8-byte aligned:

This code doesn't deal with a fragment that overlaps with two different holes (thus being a superset of a previously-received fragment).

Suppose each character below represents 8 bytes, with D being already received data, H being a hole descriptor (struct hole), h being non-populated chunks, and P representing where the payload of a just received packet should go:

  DDDHhhhhDDDDHhhhDDDD PPPPPPPPP

I'm pretty sure in this case we'd end up with h being the first hole, enter the simple

  } else if (h->last_byte <= start + len) {
      /* overlaps with final part of the hole: shorten this hole */
      h->last_byte = start;

case, and thus in the memcpy happily overwrite the second H with our chosen payload. This is probably worth fixing...

Signed-off-by: Rasmus Villemoes
--- net/net.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/net/net.c b/net/net.c index 86b1d90159..340e7b8f18 100644 --- a/net/net.c +++ b/net/net.c @@ -907,7 +907,11 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp) int offset8, start, len, done = 0; u16 ip_off = ntohs(ip->ip_off); - if (ip->ip_len < IP_MIN_FRAG_DATAGRAM_SIZE) + /* + * Calling code already rejected <, but we don't have to deal + * with an IP fragment with no payload. + */ + if (ntohs(ip->ip_len) <= IP_HDR_SIZE) return NULL; /* payload starts after IP header, this fragment is in there */
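Review bot: ntohs(ip->ip_len) is now evaluated in this test and again a few lines down in "len = ntohs(ip->ip_len) - IP_HDR_SIZE"; converting once into a local declared next to ip_off would leave a single place where the byte order is handled. If the removed comparison was the only user of IP_MIN_FRAG_DATAGRAM_SIZE, drop its definition in the same patch.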
@@ -917,6 +921,10 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp) start = offset8 * 8; len = ntohs(ip->ip_len) - IP_HDR_SIZE; + /* All but last fragment must have a multiple-of-8 payload. */ + if ((len & 7) && (ip_off & IP_FLAGS_MFRAG)) + return NULL; + if (start + len > IP_MAXUDP) /* fragment extends too far */ return NULL;
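Review bot: the new test at "if ((len & 7) && (ip_off & IP_FLAGS_MFRAG))" covers only a non-final fragment with an unaligned payload; the case the commit message raises, a fragment that spans two holes and lets the memcpy overwrite the second hole descriptor, is not addressed by either hunk. Please add a comment here recording that limitation, and follow up with a check that rejects a fragment reaching past the hole it was matched to.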
From: Rasmus Villemoes
To: u-boot@lists.denx.de
Cc: Fabio Estevam, Nicolas Bidron, Tom Rini, Joe Hershberger, Ramon Fried, Rasmus Villemoes
Subject: [PATCH 4/6] net: fix ip_len in reassembled IP datagram
Date: Fri, 14 Oct 2022 19:43:40 +0200
Message-Id: <20221014174342.3216982-5-rasmus.villemoes@prevas.dk>
In-Reply-To: <20221014174342.3216982-1-rasmus.villemoes@prevas.dk>
References: <20221014174342.3216982-1-rasmus.villemoes@prevas.dk>

For some reason, the ip_len field in a reassembled IP datagram is set to just the size of the payload, but it should be set to the value it would have had if the datagram had never been fragmented in the first place, i.e. size of payload plus size of IP header.

That latter value is currently returned correctly via the "len" variable. And before entering net_defragment(), len does have the value ntohs(ip->ip_len), so if we're not dealing with a fragment (so net_defragment leaves *len alone), that relationship of course also holds after the net_defragment() call.

The only use I can find of ip->ip_len after the net_defragment call is the ntohs(ip->udp_len) > ntohs(ip->ip_len) sanity check - none of the functions that are passed the "ip" pointer themselves inspect ->ip_len but instead use the passed len.

But that sanity check is a bit odd, since the RHS really should be "ntohs(ip->ip_len) - 20", i.e. the IP payload size.

Now that we've fixed things so that len == ntohs(ip->ip_len) in all cases, change that sanity check to use len-20 as the RHS.

Signed-off-by: Rasmus Villemoes
--- net/net.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/net.c b/net/net.c index 340e7b8f18..d3ff871bca 100644 --- a/net/net.c +++ b/net/net.c
@@ -1023,8 +1023,8 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp) if (!done) return NULL; - localip->ip_len = htons(total_len); *lenp = total_len + IP_HDR_SIZE; + localip->ip_len = htons(*lenp); return localip; } 
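Review bot: Nothing at "localip->ip_len = htons(*lenp);" records that ip_len now means header plus payload rather than payload only, which is the invariant the caller's udp_len check relies on after this series; add a one-line comment saying ip_len is set as if the datagram had never been fragmented. Computing total_len + IP_HDR_SIZE into a local and assigning it to both *lenp and ip_len would also avoid reading back through the out-pointer.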
@@ -1272,7 +1272,7 @@ void net_process_received_packet(uchar *in_packet, int len) return; } - if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > ntohs(ip->ip_len)) + if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > len - IP_HDR_SIZE) return; debug_cond(DEBUG_DEV_PKT,
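Review bot: The new bound "ntohs(ip->udp_len) > len - IP_HDR_SIZE" in net_process_received_packet() is only meaningful if len >= IP_HDR_SIZE is guaranteed before this line. The definition of IP_HDR_SIZE is not visible in the hunk; if it is a sizeof expression the subtraction is unsigned, so a short len would wrap to a very large value and the upper bound would reject nothing. Point to the earlier length check in a comment, or write the comparison as udp_len + IP_HDR_SIZE > len so it cannot wrap. The check also depends on len == ntohs(ip->ip_len) on every path, which the commit message asserts but the code does not state, and the condition line is long enough to wrap after the ||.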
From: Rasmus Villemoes
To: u-boot@lists.denx.de
Cc: Fabio Estevam, Nicolas Bidron, Tom Rini, Joe Hershberger, Ramon Fried, Rasmus Villemoes
Subject: [PATCH 5/6] net: tftp: use IS_ENABLED(CONFIG_NET_TFTP_VARS) instead of #if
Date: Fri, 14 Oct 2022 19:43:41 +0200
Message-Id: <20221014174342.3216982-6-rasmus.villemoes@prevas.dk>
In-Reply-To: <20221014174342.3216982-1-rasmus.villemoes@prevas.dk>
References: <20221014174342.3216982-1-rasmus.villemoes@prevas.dk>

Nothing inside this block depends on NET_TFTP_VARS to be set to parse correctly. Switch to C if() in preparation for adding code before this (to avoid a declaration-after-statement warning).

Signed-off-by: Rasmus Villemoes
--- net/tftp.c | 56 +++++++++++++++++++++++++++--------------------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/net/tftp.c b/net/tftp.c index dea9c25ffd..e5e140bcd5 100644 --- a/net/tftp.c +++ b/net/tftp.c
@@ -710,42 +710,42 @@ static int tftp_init_load_addr(void) void tftp_start(enum proto_t protocol) { -#if CONFIG_NET_TFTP_VARS - char *ep; /* Environment pointer */ + if (IS_ENABLED(CONFIG_NET_TFTP_VARS)) { + char *ep; /* Environment pointer */ - /* - * Allow the user to choose TFTP blocksize and timeout. - * TFTP protocol has a minimal timeout of 1 second. - */ + /* + * Allow the user to choose TFTP blocksize and timeout. + * TFTP protocol has a minimal timeout of 1 second. + */ - ep = env_get("tftpblocksize"); - if (ep != NULL) - tftp_block_size_option = simple_strtol(ep, NULL, 10); + ep = env_get("tftpblocksize"); + if (ep != NULL) + tftp_block_size_option = simple_strtol(ep, NULL, 10); - ep = env_get("tftpwindowsize"); - if (ep != NULL) - tftp_window_size_option = simple_strtol(ep, NULL, 10); + ep = env_get("tftpwindowsize"); + if (ep != NULL) + tftp_window_size_option = simple_strtol(ep, NULL, 10); - ep = env_get("tftptimeout"); - if (ep != NULL) - timeout_ms = simple_strtol(ep, NULL, 10); + ep = env_get("tftptimeout"); + if (ep != NULL) + timeout_ms = simple_strtol(ep, NULL, 10); - if (timeout_ms < 1000) { - printf("TFTP timeout (%ld ms) too low, set min = 1000 ms\n", - timeout_ms); - timeout_ms = 1000; - } + if (timeout_ms < 1000) { + printf("TFTP timeout (%ld ms) too low, set min = 1000 ms\n", + timeout_ms); + timeout_ms = 1000; + } - ep = env_get("tftptimeoutcountmax"); - if (ep != NULL) - tftp_timeout_count_max = simple_strtol(ep, NULL, 10); + ep = env_get("tftptimeoutcountmax"); + if (ep != NULL) + tftp_timeout_count_max = simple_strtol(ep, NULL, 10); - if (tftp_timeout_count_max < 0) { - printf("TFTP timeout count max (%d ms) negative, set to 0\n", - tftp_timeout_count_max); - tftp_timeout_count_max = 0; + if (tftp_timeout_count_max < 0) { + printf("TFTP timeout count max (%d ms) negative, set to 0\n", + tftp_timeout_count_max); + tftp_timeout_count_max = 0; + } } -#endif debug("TFTP blocksize = %i, TFTP windowsize = %d timeout = %ld ms\n", 
tftp_block_size_option, tftp_window_size_option, timeout_ms);
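Review bot: The re-indented message "TFTP timeout count max (%d ms) negative, set to 0\n" in tftp_start() still prints a retry count with an "ms" unit; fix the text in a separate follow-up so this conversion stays whitespace-only and can be checked with a whitespace-ignoring diff. With IS_ENABLED() the body is compiled in every configuration, so tftp_window_size_option, timeout_ms and tftp_timeout_count_max must be declared even when CONFIG_NET_TFTP_VARS is off; the commit message says they are, and a build with the option disabled is the check that confirms it.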
From: Rasmus Villemoes
To: u-boot@lists.denx.de
Cc: Fabio Estevam, Nicolas Bidron, Tom Rini, Joe Hershberger, Ramon Fried, Rasmus Villemoes
Subject: [PATCH 6/6] net: tftp: sanitize tftp block size, especially for TX
Date: Fri, 14 Oct 2022 19:43:42 +0200
Message-Id: <20221014174342.3216982-7-rasmus.villemoes@prevas.dk>
In-Reply-To: <20221014174342.3216982-1-rasmus.villemoes@prevas.dk>
References: <20221014174342.3216982-1-rasmus.villemoes@prevas.dk>

U-Boot does not support IP fragmentation on TX (and unless CONFIG_IP_DEFRAG is set, neither on RX). So the blocks we send must fit in a single ethernet packet.

Currently, if tftpblocksize is set to something like 5000 and I tftpput a large enough file, U-Boot crashes because we overflow net_tx_packet (which only has room for 1500 bytes plus change).
Similarly, if tftpblocksize is set to something larger than what we can actually receive (e.g. 50000, with NET_MAXDEFRAG being 16384), any tftp get just hangs because we never receive any packets. Signed-off-by: Rasmus Villemoes Reviewed-by: Ramon Fried --- net/tftp.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/net/tftp.c b/net/tftp.c index e5e140bcd5..60e1273332 100644 --- a/net/tftp.c +++ b/net/tftp.c @@ -708,8 +708,52 @@ static int tftp_init_load_addr(void) return 0; } +static int saved_tftp_block_size_option; +static void sanitize_tftp_block_size_option(enum proto_t protocol) +{ + int cap, max_defrag; + + switch (protocol) { + case TFTPGET: + max_defrag = config_opt_enabled(CONFIG_IP_DEFRAG, CONFIG_NET_MAXDEFRAG, 0); + if (max_defrag) { + /* Account for IP, UDP and TFTP headers. */ + cap = max_defrag - (20 + 8 + 4); + /* RFC2348 sets a hard upper limit. */ + cap = min(cap, 65464); + break; + } + /* + * If not CONFIG_IP_DEFRAG, cap at the same value as + * for tftp put, namely normal MTU minus protocol + * overhead. + */ + /* fall through */ + case TFTPPUT: + default: + /* + * U-Boot does not support IP fragmentation on TX, so + * this must be small enough that it fits normal MTU + * (and small enough that it fits net_tx_packet which + * has room for PKTSIZE_ALIGN bytes). + */ + cap = 1468; + } + if (tftp_block_size_option > cap) { + printf("Capping tftp block size option to %d (was %d)\n", + cap, tftp_block_size_option); + saved_tftp_block_size_option = tftp_block_size_option; + tftp_block_size_option = cap; + } +} + void tftp_start(enum proto_t protocol) { + if (saved_tftp_block_size_option) { + tftp_block_size_option = saved_tftp_block_size_option; + saved_tftp_block_size_option = 0; + } + if (IS_ENABLED(CONFIG_NET_TFTP_VARS)) { char *ep; /* Environment pointer */ 
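Review bot: sanitize_tftp_block_size_option() enforces only an upper bound: "if (tftp_block_size_option > cap)" lets zero and negative values through, and the value comes from simple_strtol() on the tftpblocksize environment variable with no other validation visible in tftp_start(). Add a lower bound as well (RFC 2348 gives 8 as the minimum block size) and decide what happens when max_defrag - (20 + 8 + 4) comes out below it. The literals 20, 8, 4 and 1468 would read better as named header-size constants and a value derived from them, and saved_tftp_block_size_option uses 0 as its "nothing saved" marker, which deserves a comment at the declaration.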
@@ -747,6 +791,8 @@ void tftp_start(enum proto_t protocol) } } + sanitize_tftp_block_size_option(protocol); + debug("TFTP blocksize = %i, TFTP windowsize = %d timeout = %ld ms\n", tftp_block_size_option, tftp_window_size_option, timeout_ms);
From: Rasmus Villemoes To: u-boot@lists.denx.de Cc: Fabio Estevam , Nicolas Bidron , Tom Rini , Joe Hershberger , Ramon Fried , Rasmus Villemoes Subject: [PATCH 7/6] net: deal with fragment-overlapping-two-holes case Date: Mon, 17 Oct 2022 09:52:51 +0200 Message-Id: <20221017075251.3359940-1-rasmus.villemoes@prevas.dk> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20221014174342.3216982-1-rasmus.villemoes@prevas.dk> References: <20221014174342.3216982-1-rasmus.villemoes@prevas.dk> X-ClientProxiedBy: MM0P280CA0048.SWEP280.PROD.OUTLOOK.COM (2603:10a6:190:b::30) To DU0PR10MB5266.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:34a::22) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DU0PR10MB5266:EE_|DU0PR10MB6132:EE_ X-MS-Office365-Filtering-Correlation-Id: 68ebf373-0888-47a8-fdf5-08dab0149cab X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: cDyEAzil9YF6PgjQx40011QNIYrcFZ5yF0/3yFe7elSJmJ4hY3LLRJSduuSifNy41IMgRtI0DIKs5OIyJUq9jxfduVNI+OJVsSlor47e9ZH4z/KRXhkkP9sOjCHFe+vsB4VXmdQjB4/Mr4HNmZg7nfcD3qhTnloZY0sMdyU0tZDzEzRnxG/O72FoL9MaB+vpVZ25mPqAGAFudfc7oT9G65vEdFn85DdF5EaRXg0dHl8SIbEVFcs4oUrtzyKvHXY46iCQjm6wo/ANEdgnyRoMsvEYtSl97Qml8LOCpASL7W5YeUE3s7GpzC2aDwewEwevyzVYxnZ2ljIQRei+RZOqhirHlm62eVOuirbrcHOAT6AzrsN7lXbhrvT3klUpDdhGH5GO3daDU7nJpAHV8+x/fsiciZEBhNSu4+c1YcdkkoMGSiVIWi7XTVdi4E0S1oKYaCySdJbR/GbK6Xp0FG1z6XsvOwI4Khn6xR96eOVaQcysfcW4XHl/8MkaPn6l94YEMXXWi7m0khtan9QzDjVWViW9KjZczRsKV+6ObNF06dnk1sbsGsqlsHtW0T2ypleBRij1MtC9cZnxDERaTOjmEqGRvkxqt2G0UUrZWEdKcn7OtjCFucB1qjdbsZ9udVgDp2thPmDdwIlQVmbMB6c2dY6vyNsoIbvj0GttiQdSYGTNBPHcjPIVDhusP/it4/jatXT5qQqv1Ni45ZqESMR8WJjEWAL8JE8ifSnqpt/nTiTepvXDI4S6lFcEW3loBQM+ X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DU0PR10MB5266.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; 
SFS:(13230022)(39840400004)(366004)(376002)(346002)(396003)(136003)(451199015)(36756003)(86362001)(38350700002)(38100700002)(83380400001)(6666004)(107886003)(66556008)(66946007)(8676002)(5660300002)(54906003)(316002)(66899015)(66476007)(6916009)(44832011)(4326008)(1076003)(186003)(6486002)(2906002)(8936002)(2616005)(8976002)(6506007)(478600001)(41300700001)(6512007)(52116002)(26005); DIR:OUT; SFP:1102; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: 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 X-OriginatorOrg: prevas.dk X-MS-Exchange-CrossTenant-Network-Message-Id: 68ebf373-0888-47a8-fdf5-08dab0149cab X-MS-Exchange-CrossTenant-AuthSource: DU0PR10MB5266.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Oct 2022 07:53:00.6166 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: d350cf71-778d-4780-88f5-071a4cb1ed61 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: Qr2RjHmuYDByPoJCu9HKHHfDYqccAQLx7qExVvqAVxeVU3QiZQiC6h13O9QvyvrUAiqNKUib4eumjRIJPKyBNNDItnEYN7mABOqB6mJLktw= X-MS-Exchange-Transport-CrossTenantHeadersStamped: DU0PR10MB6132 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean With a suitable sequence of malicious packets, it's currently possible to get a hole descriptor to contain arbitrary attacker-controlled contents, and then with one more packet to use that as an arbitrary write vector. 
While one could possibly change the algorithm so we instead loop over all holes, and in each hole put as much of the current fragment as belongs there (taking care to carefully update the hole list as appropriate), it's not worth the complexity: In real, non-malicious scenarios, one never gets overlapping fragments, and certainly not fragments that would be supersets of one another.

So instead opt for this simple protection: Simply don't allow the eventual memcpy() to write beyond the last_byte of the current hole.

Signed-off-by: Rasmus Villemoes
---
I've been mulling over this over the weekend, and concluded that this should be enough for now. Even if I'm wrong about overlapping fragments not happening in real life, this doesn't break something that works currently, and does prevent the trivial attacker-controlled hole descriptor.

net/net.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/net/net.c b/net/net.c index d3ff871bca..5c6aea0c55 100644 --- a/net/net.c +++ b/net/net.c @@ -968,10 +968,14 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp) } /* - * There is some overlap: fix the hole list. This code doesn't - * deal with a fragment that overlaps with two different holes - * (thus being a superset of a previously-received fragment). + * There is some overlap: fix the hole list. This code deals + * with a fragment that overlaps with two different holes + * (thus being a superset of a previously-received fragment) + * by only using the part of the fragment that fits in the + * first hole. */ + if (h->last_byte < start + len) + len = h->last_byte - start; if ((h >= thisfrag) && (h->last_byte <= start + len)) { /* complete overlap with hole: remove hole */
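
Review bot: The added clamp `len = h->last_byte - start;` relies on `start` being strictly below `h->last_byte`, and nothing in this hunk shows that; if the two can be equal, or `start` can be larger, `len` ends up zero or negative and is then used in the `h->last_byte <= start + len` test and, per the commit message, in the eventual memcpy(). A short comment stating the invariant that holds when this point is reached, or an explicit bail-out for `start >= h->last_byte` ahead of the clamp, would make the bound self-evident. The updated comment could also say that the part of the fragment beyond the first hole is dropped silently, so a reader does not expect later holes to be filled by this packet.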