During testing of qemu-riscv32 with a 2GiB memory configuration,
tftp always fails with a error message:
Load address: 0x84000000
Loading: #
TFTP error: trying to overwrite reserved memory...
It turns out the result of 'tftp_load_addr + tftp_load_size' just
overflows (0x100000000) and the test logic in store_block() fails.
Fix this by adjusting the end address to ULONG_MAX when overflow
is detected.
Fixes: a156c47e39 ("tftp: prevent overwriting reserved memory")
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
sandbox_defconfig does not compile using GCC 9.2.1:
net/net.c: In function ‘net_process_received_packet’:
net/net.c:1288:23: error: taking address of packed member of ‘struct
ip_udp_hdr’ may result in an unaligned pointer value
[-Werror=address-of-packed-member]
1288 | sumptr = (ushort *)&(ip->udp_src);
| ^~~~~~~~~~~~~~
Avoid the error by using a u8 pointer instead of an u16 pointer and
in-lining ntohs().
Simplify the checksumming of the last message byte.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
While we have networking use cases within SPL we do not support loading
files via NFS at this point in time. Disable calling nfs_start() so
that the NFS related code can be garbage collected at link time.
Signed-off-by: Tom Rini <trini@konsulko.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
Part of the env cleanup moved this out of the environment code and into
the net code. However, this helper is sometimes needed even when the net
stack isn't included.
Move the helper to lib/net_utils.c like it's similarly-purposed
string_to_ip(). Also rename the moved function to similar naming.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Reported-by: Ondrej Jirman <megous@megous.com>
This function belongs in time.h so move it over and add a comment.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
Create a new rand.h header file and move functions into it, to reduce
the size of common.h
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
With GCC 9.2.1 net/nfs.c leads to multiple errors of type
address-of-packed-member.
net/nfs.c: In function ‘rpc_req’:
net/nfs.c:199:18: error: taking address of packed member of
‘struct rpc_t’ may result in an unaligned pointer value
[-Werror=address-of-packed-member]
199 | p = (uint32_t *)&(rpc_pkt.u.call.data);
| ^~~~~~~~~~~~~~~~~~~~~~
net/nfs.c: In function ‘nfs_readlink_reply’:
net/nfs.c:631:46: error: taking address of packed member of
‘struct rpc_t’ may result in an unaligned pointer value
[-Werror=address-of-packed-member]
631 | nfs3_get_attributes_offset(rpc_pkt.u.reply.data);
| ~~~~~~~~~~~~~~~^~~~~
LD drivers/block/built-in.o
net/nfs.c: In function ‘nfs_read_reply’:
net/nfs.c:692:46: error: taking address of packed member of
‘struct rpc_t’ may result in an unaligned pointer value
[-Werror=address-of-packed-member]
692 | nfs3_get_attributes_offset(rpc_pkt.u.reply.data);
| ~~~~~~~~~~~~~~~^~~~~
struct rpc_t is only used as local variable. It is naturally packed. So
there is no need for the attribute packed.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
rpc_pkt.u.call.data is an array of uint32_t. There is no need to convert
it to uint32_t *.
memcpy() expects void * as it 1st and 2nd argument. There is no point in
converting pointers to char * before passing them to memcpy().
In ntohl(data[1]) != 0 calling ntohl() is superfluous. If the value is
zero, does not depend on the byte order.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
This patch adds a check to rpc_pkt.u.reply.data at nfs_lookup_reply.
Signed-off-by: Cheng Liu <liucheng32@huawei.com>
Reported-by: Fermín Serna <fermin@semmle.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
This patch adds a check to rpc_pkt.u.reply.data at nfs_readlink_reply.
Signed-off-by: Cheng Liu <liucheng32@huawei.com>
Reported-by: Fermín Serna <fermin@semmle.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
This patch adds a check to rpc_pkt.u.reply.data at nfs_read_reply.
Signed-off-by: Cheng Liu <liucheng32@huawei.com>
Reported-by: Fermín Serna <fermin@semmle.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
This patch adds a check to nfs_handler to fix buffer overflow for CVE-2019-14197,
CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203 and CVE-2019-14204.
Signed-off-by: Cheng Liu <liucheng32@huawei.com>
Reported-by: Fermín Serna <fermin@semmle.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
This patch adds a check to udp_len to fix unbounded memcpy for
CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199.
Signed-off-by: Cheng Liu <liucheng32@huawei.com>
Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Reported-by: Fermín Serna <fermin@semmle.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
Use the optional property device-name to name the MDIO bus. This works
around limitations with using the DT node name on devices such as
Armada-8040, which integrates two cp100 cores, both featuring MDIOs at the
same relative offsets and with the same DT node names.
The concept was originally proposed by Marvell as a custom property called
mdio-name specific to Marvell driver. This patch uses the more generic
property device-name and moves this into MDIO class code so other can use
it as well.
Signed-off-by: Alex Marginean <alexm.osslist@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Add support for capturing ethernet packets and storing
them in memory in PCAP(2.4) format, later to be analyzed by
any PCAP viewer software (IE. Wireshark)
This feature greatly assist debugging network issues such
as detecting dropped packets, packet corruption etc.
Signed-off-by: Ramon Fried <rfried.dev@gmail.com>
Reviewed-by: Alex Marginean <alexm.osslist@gmail.com>
Tested-by: Alex Marginean <alexm.osslist@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
This file contains lots of internal details about the environment. Most
code can include env.h instead, calling the functions there as needed.
Rename this file and add a comment at the top to indicate its internal
nature.
Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
[trini: Fixup apalis-tk1.c]
Signed-off-by: Tom Rini <trini@konsulko.com>
This header file is now only used by files that access internal
environment features. Drop it from various places where it is not needed.
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
This function fits better with the network subsystem, so move it.
Signed-off-by: Simon Glass <sjg@chromium.org>
Suggested-by: Joe Hershberger <joe.hershberger@ni.com>
Move env_set_hex() over to the new header file along with env_set_addr()
which uses it.
Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
Move this function over to the new header file. Also rename it to have an
env_ prefix like the other functions.
Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
Adds a class for MDIO MUXes, which control access to a series of
downstream child MDIOs.
MDIO MUX drivers are required to implement a select function used to switch
between child buses.
MUX children are registered as MDIO buses and they can be used just like
regular MDIOs.
Signed-off-by: Alex Marginean <alexm.osslist@gmail.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
Adds UCLASS_MDIO DM class supporting MDIO buses that are probed as
stand-alone devices. Useful in particular for systems that support
DM_ETH and have a stand-alone MDIO hardware block shared by multiple
Ethernet interfaces.
Signed-off-by: Alex Marginean <alexm.osslist@gmail.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
Convert CONFIG_TFTP_BLOCKSIZE to Kconfig, update defconfigs,
headers and whitelist.
Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Cc: Christian Gmeiner <christian.gmeiner@gmail.com>
Cc: Joe Hershberger <joe.hershberger@ni.com>
Convert CONFIG_IP_DEFRAG to Kconfig, update defconfigs, headers
and whitelist. This patch is a follow-up on a patch by Christian
Gmeiner with the added config/header/whitelist updates.
Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Reported-by: Christian Gmeiner <christian.gmeiner@gmail.com>
Cc: Joe Hershberger <joe.hershberger@ni.com>
Add the standard Ethernet device tree bindings (imported from v5.0 of
the Linux kernel) and implement support for reading the MAC address for
Ethernet devices in the Ethernet uclass. If the "mac-address" property
exists, the MAC address will be parsed from that. If that property does
not exist, the "local-mac-address" property will be tried as fallback.
MAC addresses from device tree take precedence over the ones stored in
a network interface card's ROM.
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
Reviewed-by: Grygorii Strashko <grygorii.strashko@ti.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
In order for the device to use the proper MAC address, which can have
been configured in the environment prior to the device being registered,
ensure that the MAC address is written after the device has been probed.
For devices that are registered before the network stack is initialized,
this is already done during eth_initialize(). If the Ethernet device is
on a bus that is not initialized on early boot, such as PCI, the device
is not available at the time eth_initialize() is called, so we need the
MAC address programming to also happen after probe.
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
This fixes the automatic lmb initialization and reservation for boards
with more than one DRAM bank.
This fixes the CVE-2018-18439 and -18440 fixes that only allowed to load
files into the firs DRAM bank from fs and via tftp.
Found-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Tested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
As a follow-up, change the name of the newly introduced function
'lmb_get_unreserved_size' to 'lmb_get_free_size', which is more
appropriate.
Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
[trini: Fix test/lib/lmb.c]
Signed-off-by: Tom Rini <trini@konsulko.com>
No mainline board enables CONFIG_MCAST_TFTP and there have been
compilation issues with the code for some time. Additionally, it has a
potential buffer underrun issue (reported as a side note in
CVE-2018-18439).
Remove the multicast TFTP code but keep the driver API for the future
addition of IPv6.
Cc: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Signed-off-by: Chris Packham <judge.packham@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
ether_crc was added to the core net code in commit 53a5c424bf
("multicast tftp: RFC2090") so that other drivers could use it. However
the only current user of it is tsec.c so move it there.
Signed-off-by: Chris Packham <judge.packham@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
When dealing with two ethernet ports and having "netretry" set
to "once", it could occur that the connection (e.g. an ARP
request) failed, hence the status of the netloop was
"NETLOOP_FAIL". Due to the setting of "netretry", the network
logic would then switch to the other network interface,
assigning "ret" with the return value of "net_start_again()".
If this call succeeded we would return 0 (i.e. success) to
the caller when in reality the network action failed.
Signed-off-by: Thomas RIENOESSL <thomas.rienoessl@bachmann.info>
Reviewed-by: Christian Gmeiner <christian.gmeiner@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
This fixes CVE-2018-18439 ("insufficient boundary checks in network
image boot") by using lmb to check for a valid range to store
received blocks.
Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
[trini: Always build lib/lmb.o on LMB and lib/fdtdec.o on OF_LIBFDT]
Signed-off-by: Tom Rini <trini@konsulko.com>
Make it possible to add TCP versions of the same, while reusing
IP portions. This patch should not change any behavior.
Signed-off-by: Duncan Hare <DH@Synoia.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
Peter originally sent a fix, but it breaks a number of other things.
This addresses the original reported issue in a different way.
That report was:
> U-Boot has 1 common buffer to send Ethernet frames, pointed to by
> net_tx_packet. When sending to an IP address without knowing the MAC
> address, U-Boot makes an ARP request (using the arp_tx_packet buffer)
> to find out the MAC address of the IP addressr. When a matching ARP
> reply is received, U-Boot continues sending the frame stored in the
> net_tx_packet buffer.
>
> However, in the mean time, if U-Boot needs to send out any network
> packets (e.g. replying ping packets or ARP requests for its own IP
> address etc.), it will use the net_tx_packet buffer to prepare the
> new packet. Thus this buffer is no longer the original packet meant
> to be transmitted after the ARP reply. The original packet will be
> lost.
This instead uses the ARP tx buffer to send async replies in the case
where we are actively waiting for an ARP reply.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Reported-by: Tran Tien Dat <peter.trantiendat@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Tested-by: Bin Meng <bmeng.cn@gmail.com>
This single-sources the state of the ARP.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
When a USB ethernet device is halted, the device driver is removed. When
this happens the uclass private memory is freed and uclass_priv is set to
NULL. This causes a data abort when uclass_priv->state is then set to
ETH_STATE_PASSIVE.
Fix it by checking if uclass_priv is NULL before setting uclass_priv->state
Signed-off-by: Jean-Jacques Hiblot <jjhiblot@ti.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
The same basic parsing was implemented in tftp and nfs, so add a helper
function to do the work once.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Instead of depending on a env callback for bootfile, read it explicitly.
We do this because the bootfile can be specified on the command line and
if it is, we will overwrite the internal variable. If a netboot_common()
is called again with no bootfile parameter, we want to use the one in
the environment.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
With net autoload, we check the prerequisites for the initial command,
but the greater prerequisites when autoloading are not checked.
If we would attempt to autoload, check those prerequisites too.
If we are not expecting a serverip from the server, then don't worry
about it not being set, but don't attempt to load if it isn't.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
For net_boot_common, we allow the serverip to be specified as part of
the boot file name. For net commands that require serverip, include that
source as a valid specification of serverip.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
nfs was only printing basic info about the transfer in the case of a
DEBUG build. Print the same level of detail as tftp always.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
The check for sending to the gateway was not using the correct variable
for comparison, so it was reporting that packets are sent to the gateway
when they were not.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
With driver model, we were not checking if the state of the device was
marked as active before calling the halt function. Check that the device
is probed and also marked as active. This avoids the case where we were
calling halt on the first device in net_init() and the driver would
operate on bogus data structures causing problems. In this case, the
priv was all 0, so halt() would close STDIN.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Reviewed-by: Simon Glass <sjg@chromium.org>