This patch mitigates the vulnerability identified via CVE-2019-14196.
The previous patch was bypassed/ineffective, and now the vulnerability
is identified via CVE-2022-30767. The patch removes the sanity check
introduced to mitigate CVE-2019-14196 since it's ineffective.
filefh3_length is changed to unsigned type integer, preventing negative
numbers from being used during comparison with positive values during
size sanity checks.
Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com>
These global variables are quite short and generic. In fact the same name
is more often used locally for struct members and function arguments.
Add a image_ prefix to make them easier to distinguish.
Signed-off-by: Simon Glass <sjg@chromium.org>
This function belongs more in flash.h than common.h so move it.
Also remove the space before the bracket in some calls.
Signed-off-by: Simon Glass <sjg@chromium.org>
This function belongs in time.h so move it over and add a comment.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
rpc_pkt.u.call.data is an array of uint32_t. There is no need to convert
it to uint32_t *.
memcpy() expects void * as it 1st and 2nd argument. There is no point in
converting pointers to char * before passing them to memcpy().
In ntohl(data[1]) != 0 calling ntohl() is superfluous. If the value is
zero, does not depend on the byte order.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
This patch adds a check to rpc_pkt.u.reply.data at nfs_lookup_reply.
Signed-off-by: Cheng Liu <liucheng32@huawei.com>
Reported-by: Fermín Serna <fermin@semmle.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
This patch adds a check to rpc_pkt.u.reply.data at nfs_readlink_reply.
Signed-off-by: Cheng Liu <liucheng32@huawei.com>
Reported-by: Fermín Serna <fermin@semmle.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
This patch adds a check to rpc_pkt.u.reply.data at nfs_read_reply.
Signed-off-by: Cheng Liu <liucheng32@huawei.com>
Reported-by: Fermín Serna <fermin@semmle.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
This patch adds a check to nfs_handler to fix buffer overflow for CVE-2019-14197,
CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203 and CVE-2019-14204.
Signed-off-by: Cheng Liu <liucheng32@huawei.com>
Reported-by: Fermín Serna <fermin@semmle.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
The same basic parsing was implemented in tftp and nfs, so add a helper
function to do the work once.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
nfs was only printing basic info about the transfer in the case of a
DEBUG build. Print the same level of detail as tftp always.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
The check for sending to the gateway was not using the correct variable
for comparison, so it was reporting that packets are sent to the gateway
when they were not.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
That can happen if duplicate UDP packet arrived, and that's not uncommon.
Anyway, we ignore packets with rpc_id lower than last we sent for other
requests, so it makes sense to do that for read request as well.
Signed-off-by: Vasily Khoruzhick <anarsoul@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
This reverts commit 998372b479.
This caused a data abort on some platform.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Reported-by: Guillaume GARDET <guillaume.gardet@free.fr>
We use an empty hostname, so remove all the "processing" of the
known-to-be-empty hostname and just write 0's where needed.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Instead of always allocating a huge temporary buffer on the stack and
then memcpy()ing the result into the transmit buffer, simply figure out
where in the transmit buffer the bytes will belong and write them there
directly as each message is built.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Much of the information is verbose and derived directly from the
environment. Only output in debug mode. This also saves about 300 bytes
from the code size.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Instead of repeating the same large snippet for dealing with attributes
it should be shared with a helper function.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
The v3 handles can be larger than v2, but that doesn't mean we need a
separate buffer. Reuse the same (larger) buffer for both.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
This patch enables NFSv3 support.
If NFSv2 is available use it as usual.
If NFSv2 is not available, but NFSv3 is available, use NFSv3.
If NFSv2 and NFSv3 are not available, print an error message since NFSv4 is not supported.
Tested on iMX6 sabrelite with 4 Linux NFS servers:
* NFSv2 + NFSv3 + NFSv4 server: use NFSv2 protocol
* NFSv2 + NFSv3 server: use NFSv2 protocol
* NFSv3 + NFSv4 server: use NFSv3 protocol
* NFSv3 server: use NFSv3 protocol
Signed-off-by: Guillaume GARDET <guillaume.gardet@free.fr>
Cc: Tom Rini <trini@konsulko.com>
Cc: joe.hershberger@ni.com
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
There is no reason to store the default filename in a separate buffer
only to immediately copy it to the main name buffer. Just write it there
directly and remove the other buffer.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
This patch fixes incorrect RPC packet layout caused by
'long' type size difference on 64 and 32-bit architectures.
Signed-off-by: Ralf Hubert <r.hubert@technisat.de>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
Finish eliminating CamelCase from net.c and other failures
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Acked-by: Simon Glass <sjg@chromium.org>
Make a thorough pass through all variables and function names contained
within nfs.c and remove CamelCase and improve naming.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Acked-by: Simon Glass <sjg@chromium.org>
This patch cleans up the names of internal packet buffer names that are
used within the network stack and the functions that use them.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Use "_ethaddr" at the end of variables and drop CamelCase.
Make constant values actually 'const'.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Acked-by: Simon Glass <sjg@chromium.org>
The variables around the bootfile were inconsistent and used CamelCase.
Update them to make the code more readable.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Acked-by: Simon Glass <sjg@chromium.org>
This patch is simply clean-up to make the IPv4 type that is used match
what Linux uses. It also attempts to move all variables that are IP
addresses use good naming instead of CamelCase. No functional change.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Acked-by: Simon Glass <sjg@chromium.org>
Previously the net functions would access memory assuming physmem did
not need to be mapped. In sandbox, that's not the case.
Now we map the physmem specified by the user in loadaddr to the buffer
that represents that space.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This patch tackles the time out problem which leads to break the
boot process, when loading file over nfs. The patch does two things.
First of all, we just ignore messages that arrive with a rpc_id smaller
then the client id. We just interpret this messages as answers to
formaly timed out messages.
Second, when a time out occurs we double the time to wait, so that we
do not stress the server resending the last message.
Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
Tested-by: Enric Balletbo i Serra <eballetbo@gmail.com>
NFS_TIMEOUT is constant value defined in net/nfs.c. But sometimes it needs to adjust.
This patch enables to override NFS_TIMEOUT by defining CONFIG_NFS_TIMEOUT in a board specific config file.
Signed-off-by: Tetsuyuki Kobayashi <koba@kmckk.co.jp>
Call a built-in dummy if none is registered... don't require
protocols to register a handler (eliminating dummies)
NetConsole now uses the ARP handler when waiting on arp
(instead of needing a #define hack in arp.c)
Clear handlers at the end of net loop
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Acked-by: Simon Glass <sjg@chromium.org>
Rename IP header related things to IP_UDP. The existing definition
of IP_t includes UDP header, so name it to accurately describe the
structure.
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
When building u-boot as 64 bit application (e.g. sandbox) ulong might be
64 bits in size. This breaks network code as IPaddr_t is 64 bytes in
size then and an IPv4 address is 32 bits in size. This patch makes sure
that IPaddr_t is always 32 bits in size. Also some warnings introduced
by this patch are fixed.
Signed-off-by: Matthias Weisser <weisserm@arcor.de>
Acked-by: Mike Frysinger <vapier@gentoo.org>
This is long over due. All but two net drivers have been converted, but
those have now been dropped.
The only thing left to do is actually delete all references to NET_MULTI
and code that is compiled when that is not defined. So here we scrub the
core code.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
This is needed for the upcoming TFTP server implementation.
This also simplifies PingHandler() and fixes rxhand_f documentation.
Signed-off-by: Luca Ceresoli <luca.ceresoli@comelit.it>
Cc: Wolfgang Denk <wd@denx.de>
Acked-by: Detlev Zundel <dzu@denx.de>
- NfsTimeout() does not correctly update the NFS timeout value which
results in NfsTimeout() only being called once in certain situations.
This can result in the 'nfs' command hanging indefinetly. For
example, the command:
nfs 192.168.0.1:/home/user/file
will not exit until ctrl-c is pressed if 192.168.0.1 does not have an
NFS server running.
This issue is resolved by reinitializting the NFS timeout value inside
NfsTimeout() when a timeout occurs.
- Make the 'nfs' command print the 'T' character when a timeout occurs.
Previously there was no indication that timeouts were occuring.
- Mimic the 'tftpboot' command and when a download fails print "Retry
count exceeded; starting again", and restart the download taking the
'netretry' environment variable into account.
Signed-off-by: Evan Samanas <esamanas@xes-inc.com>
Signed-off-by: Peter Tyser <ptyser@xes-inc.com>
Tested on TQM8xxL.
Tested by: Wolfgang Denk <wd@denx.de>
Tested on MPC8527DS.
Tested by: Ed Swarthout <Ed.Swarthout@freescale.com>
An off by one error may cause nfs readlink lookup fail if
nfs_path_buff has non-zero data from a previous use.
Loading: *** ERROR: File lookup fail
Signed-off-by: Ed Swarthout <Ed.Swarthout@freescale.com>
Minor ./net cleanups - no functional changes
- change #ifdef DEBUG printf(); #endif to just debug()
- changed __FUNCTION__ to __func__
- got rid of extra whitespace between function and opening brace
- removed unnecessary braces on if statements
gcc dead code elimination should make this functionally/size equivalent
when DEBUG is not defined. (confirmed on Blackfin, with gcc 4.3.3).
Signed-off-by: Robin Getz <rgetz@blackfin.uclinux.org>
Signed-off-by: Ben Warren <biggerbadderben@gmail.com>
Now that our printf functions support the %pI4 modifier like the kernel,
let's drop the inflexible print_IPaddr() function and covert over to the
%pI4 modifier.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
CC: Ben Warren <biggerbadderben@gmail.com>