Commit graph

68 commits

Author SHA1 Message Date
Andrea zi0Black Cappa
bdbf7a05e2 net: nfs: Fix CVE-2022-30767 (old CVE-2019-14196)
This patch mitigates the vulnerability identified via CVE-2019-14196.

The previous patch was bypassed/ineffective, and now the vulnerability
is identified via CVE-2022-30767. The patch removes the sanity check
introduced to mitigate CVE-2019-14196 since it's ineffective.
filefh3_length is changed to unsigned type integer, preventing negative
numbers from being used during comparison with positive values during
size sanity checks.

Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com>
2022-05-26 10:32:06 -04:00
Tom Rini
eeda762af3 Convert CONFIG_NFS_TIMEOUT to Kconfig
This converts the following to Kconfig:
   CONFIG_NFS_TIMEOUT

Cc: Ramon Fried <rfried.dev@gmail.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
2022-03-18 12:48:17 -04:00
Simon Glass
f7ae49fc4f common: Drop log.h from common header
Move this header out of the common header.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-05-18 21:19:18 -04:00
Simon Glass
8e8ccfe1aa common: Move the image globals into image.h
These three globals relate to image handling. Move them to the image
header file.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-01-17 14:02:35 -05:00
Simon Glass
bb872dd930 image: Rename load_addr, save_addr, save_size
These global variables are quite short and generic. In fact the same name
is more often used locally for struct members and function arguments.

Add a image_ prefix to make them easier to distinguish.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-01-17 14:02:35 -05:00
Simon Glass
0ee48252b4 common: Move flash_perror() to flash.h
This function belongs more in flash.h than common.h so move it.

Also remove the space before the bracket in some calls.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-01-17 13:26:48 -05:00
Simon Glass
1045315df0 common: Move get_ticks() function out of common.h
This function belongs in time.h so move it over and add a comment.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
2019-12-02 18:23:13 -05:00
Heinrich Schuchardt
15eea9a1a8 net: nfs: remove superfluous conversions
rpc_pkt.u.call.data is an array of uint32_t. There is no need to convert
it to uint32_t *.

memcpy() expects void * as it 1st and 2nd argument. There is no point in
converting pointers to char * before passing them to memcpy().

In ntohl(data[1]) != 0 calling ntohl() is superfluous. If the value is
zero, does not depend on the byte order.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
2019-09-04 11:37:19 -05:00
liucheng (G)
5d14ee4e53 CVE-2019-14196: nfs: fix unbounded memcpy with a failed length check at nfs_lookup_reply
This patch adds a check to rpc_pkt.u.reply.data at nfs_lookup_reply.

Signed-off-by: Cheng Liu <liucheng32@huawei.com>
Reported-by: Fermín Serna <fermin@semmle.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
2019-09-04 11:37:19 -05:00
liucheng (G)
cf3a4f1e86 CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply
This patch adds a check to rpc_pkt.u.reply.data at nfs_readlink_reply.

Signed-off-by: Cheng Liu <liucheng32@huawei.com>
Reported-by: Fermín Serna <fermin@semmle.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
2019-09-04 11:37:19 -05:00
liucheng (G)
aa207cf3a6 CVE-2019-14194/CVE-2019-14198: nfs: fix unbounded memcpy with a failed length check at nfs_read_reply
This patch adds a check to rpc_pkt.u.reply.data at nfs_read_reply.

Signed-off-by: Cheng Liu <liucheng32@huawei.com>
Reported-by: Fermín Serna <fermin@semmle.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
2019-09-04 11:37:19 -05:00
liucheng (G)
741a8a08eb CVE: nfs: fix stack-based buffer overflow in some nfs_handler reply helper functions
This patch adds a check to nfs_handler to fix buffer overflow for CVE-2019-14197,
CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203 and CVE-2019-14204.

Signed-off-by: Cheng Liu <liucheng32@huawei.com>
Reported-by: Fermín Serna <fermin@semmle.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
2019-09-04 11:37:19 -05:00
Joe Hershberger
6ab1283092 net: Consolidate the parsing of bootfile
The same basic parsing was implemented in tftp and nfs, so add a helper
function to do the work once.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
2018-07-26 14:08:20 -05:00
Joe Hershberger
faecf84ab1 net: Always print basic info for nfs, just like tftp
nfs was only printing basic info about the transfer in the case of a
DEBUG build. Print the same level of detail as tftp always.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
2018-07-26 14:08:19 -05:00
Joe Hershberger
347e32b01d net: Check subnet against the actual ip address in use for nfs
The check for sending to the gateway was not using the correct variable
for comparison, so it was reporting that packets are sent to the gateway
when they were not.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
2018-07-26 14:08:19 -05:00
Vasily Khoruzhick
d48d40a091 net: nfs: don't fail when nfs_read_reply returns -NFS_RPC_DROP
That can happen if duplicate UDP packet arrived, and that's not uncommon.
Anyway, we ignore packets with rpc_id lower than last we sent for other
requests, so it makes sense to do that for read request as well.

Signed-off-by: Vasily Khoruzhick <anarsoul@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
2018-06-13 13:54:16 -05:00
Joe Hershberger
a73588fe48 Revert "net: nfs: Use the tx buffer to construct rpc msgs"
This reverts commit 998372b479.

This caused a data abort on some platform.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Reported-by: Guillaume GARDET <guillaume.gardet@free.fr>
2016-09-09 13:13:41 -05:00
Joe Hershberger
1ff65d440d net: nfs: Simplify rpc_add_credentials()
We use an empty hostname, so remove all the "processing" of the
known-to-be-empty hostname and just write 0's where needed.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
2016-08-22 14:21:02 -05:00
Joe Hershberger
998372b479 net: nfs: Use the tx buffer to construct rpc msgs
Instead of always allocating a huge temporary buffer on the stack and
then memcpy()ing the result into the transmit buffer, simply figure out
where in the transmit buffer the bytes will belong and write them there
directly as each message is built.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
2016-08-22 14:20:58 -05:00
Joe Hershberger
d89ff2df33 net: nfs: Move some prints to debug statements
Much of the information is verbose and derived directly from the
environment. Only output in debug mode. This also saves about 300 bytes
from the code size.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
2016-08-22 14:20:54 -05:00
Joe Hershberger
0517cc45e5 net: nfs: Use consistent names for the rpc_pkt
Use the same name throughout the nfs code and use the same member of the
union to avoid casts.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
2016-08-22 14:20:51 -05:00
Joe Hershberger
c629c45f30 net: nfs: Correct a comment
The buffer is of 32-bit elements, not bytes.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
2016-08-22 14:20:47 -05:00
Joe Hershberger
051ed9af8c net: nfs: Consolidate handling of NFSv3 attributes
Instead of repeating the same large snippet for dealing with attributes
it should be shared with a helper function.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
2016-08-22 14:20:43 -05:00
Joe Hershberger
347a901597 net: nfs: Fix lines that are too long
Fix complaints from checkpatch.pl.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
2016-08-22 14:20:40 -05:00
Joe Hershberger
5280c76915 net: nfs: Share the file handle buffer for v2 / v3
The v3 handles can be larger than v2, but that doesn't mean we need a
separate buffer. Reuse the same (larger) buffer for both.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
2016-08-22 14:20:32 -05:00
Guillaume GARDET
b0baca9820 net: NFS: Add NFSv3 support
This patch enables NFSv3 support.
If NFSv2 is available use it as usual.
If NFSv2 is not available, but NFSv3 is available, use NFSv3.
If NFSv2 and NFSv3 are not available, print an error message since NFSv4 is not supported.

Tested on iMX6 sabrelite with 4 Linux NFS servers:
  * NFSv2 + NFSv3 + NFSv4 server: use NFSv2 protocol
  * NFSv2 + NFSv3 server: use NFSv2 protocol
  * NFSv3 + NFSv4 server: use NFSv3 protocol
  * NFSv3 server: use NFSv3 protocol

Signed-off-by: Guillaume GARDET <guillaume.gardet@free.fr>
Cc: Tom Rini <trini@konsulko.com>
Cc: joe.hershberger@ni.com
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
2016-08-22 14:20:20 -05:00
Joe Hershberger
f8b26c7adf net: nfs: Remove separate buffer for default name
There is no reason to store the default filename in a separate buffer
only to immediately copy it to the main name buffer. Just write it there
directly and remove the other buffer.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
2016-08-22 14:20:11 -05:00
Ralf Hubert
e4ead4a21d net: Fix incorrect RPC packets on 64-bit systems
This patch fixes incorrect RPC packet layout caused by
'long' type size difference on 64 and 32-bit architectures.

Signed-off-by: Ralf Hubert <r.hubert@technisat.de>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
2016-07-06 10:45:07 -05:00
Guillaume GARDET
69fd0d4131 NFS: Add error message when U-Boot NFS version (V2) is not supported by NFS server
Signed-off-by: Guillaume GARDET <guillaume.gardet@free.fr>
Cc: joe.hershberger@ni.com
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
2016-06-21 17:01:52 -05:00
Joe Hershberger
bc0571fc10 net: cosmetic: Fix checkpatch.pl failures in net.c
Finish eliminating CamelCase from net.c and other failures

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Acked-by: Simon Glass <sjg@chromium.org>
2015-04-18 11:11:35 -06:00
Joe Hershberger
68c76a3a38 net: cosmetic: Clean up NFS variables and functions
Make a thorough pass through all variables and function names contained
within nfs.c and remove CamelCase and improve naming.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Acked-by: Simon Glass <sjg@chromium.org>
2015-04-18 11:11:33 -06:00
Joe Hershberger
1203fcceec net: cosmetic: Cleanup internal packet buffer names
This patch cleans up the names of internal packet buffer names that are
used within the network stack and the functions that use them.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
2015-04-18 11:11:32 -06:00
Joe Hershberger
0adb5b761f net: cosmetic: Name ethaddr variables consistently
Use "_ethaddr" at the end of variables and drop CamelCase.
Make constant values actually 'const'.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Acked-by: Simon Glass <sjg@chromium.org>
2015-04-18 11:11:32 -06:00
Joe Hershberger
1411157d85 net: cosmetic: Fixup var names related to boot file
The variables around the bootfile were inconsistent and used CamelCase.
Update them to make the code more readable.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Acked-by: Simon Glass <sjg@chromium.org>
2015-04-18 11:11:32 -06:00
Joe Hershberger
049a95a775 net: cosmetic: Change IPaddr_t to struct in_addr
This patch is simply clean-up to make the IPv4 type that is used match
what Linux uses. It also attempts to move all variables that are IP
addresses use good naming instead of CamelCase. No functional change.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Acked-by: Simon Glass <sjg@chromium.org>
2015-04-18 11:11:32 -06:00
Joe Hershberger
55d5fd9a84 net: Access mapped physmem in net functions
Previously the net functions would access memory assuming physmem did
not need to be mapped.  In sandbox, that's not the case.

Now we map the physmem specified by the user in loadaddr to the buffer
that represents that space.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2015-04-18 11:11:11 -06:00
Matthias Brugger
fa84fa708c net: nfs: add dynamic wait period
This patch tackles the time out problem which leads to break the
boot process, when loading file over nfs. The patch does two things.

First of all, we just ignore messages that arrive with a rpc_id smaller
then the client id. We just interpret this messages as answers to
formaly timed out messages.

Second, when a time out occurs we double the time to wait, so that we
do not stress the server resending the last message.

Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
Tested-by: Enric Balletbo i Serra <eballetbo@gmail.com>
2013-06-24 19:10:15 -05:00
Tetsuyuki Kobayashi
48a3e999c8 net: nfs: make NFS_TIMEOUT configurable
NFS_TIMEOUT is constant value defined in net/nfs.c. But sometimes it needs to adjust.
This patch enables to override NFS_TIMEOUT by defining CONFIG_NFS_TIMEOUT in a board specific config file.

Signed-off-by: Tetsuyuki Kobayashi <koba@kmckk.co.jp>
2012-07-12 14:13:24 -05:00
Joe Hershberger
ece223b52a net: Refactor to separate the UDP handler from the ARP handler
Call a built-in dummy if none is registered... don't require
protocols to register a handler (eliminating dummies)
NetConsole now uses the ARP handler when waiting on arp
(instead of needing a #define hack in arp.c)
Clear handlers at the end of net loop

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Acked-by: Simon Glass <sjg@chromium.org>
2012-05-23 17:52:53 -05:00
Joe Hershberger
22f6e99d5b net: Refactor to protect access to the NetState variable
Changes to NetState now go through an accessor function called
net_set_state()

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
2012-05-23 17:46:21 -05:00
Joe Hershberger
594c26f8a7 net: cosmetic: Un-typedef IP_t
Rename IP header related things to IP_UDP. The existing definition
of IP_t includes UDP header, so name it to accurately describe the
structure.

Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
2012-05-23 17:46:00 -05:00
Joe Hershberger
c9f6c91b48 net: cosmetic: nfs.* checkpatch compliance
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Acked-by: Simon Glass <sjg@chromium.org>
2012-05-15 17:16:27 -05:00
Matthias Weisser
ea45cb0adc net: Make sure IPaddr_t is 32 bits in size
When building u-boot as 64 bit application (e.g. sandbox) ulong might be
64 bits in size. This breaks network code as IPaddr_t is 64 bytes in
size then and an IPv4 address is 32 bits in size. This patch makes sure
that IPaddr_t is always 32 bits in size. Also some warnings introduced
by this patch are fixed.

Signed-off-by: Matthias Weisser <weisserm@arcor.de>
Acked-by: Mike Frysinger <vapier@gentoo.org>
2011-12-06 22:15:32 +01:00
Mike Frysinger
e2a53458a7 net: drop !NET_MULTI code
This is long over due.  All but two net drivers have been converted, but
those have now been dropped.

The only thing left to do is actually delete all references to NET_MULTI
and code that is compiled when that is not defined.  So here we scrub the
core code.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
2011-10-05 22:22:16 +02:00
Luca Ceresoli
03eb129f8a NET: pass source IP address to packet handlers
This is needed for the upcoming TFTP server implementation.

This also simplifies PingHandler() and fixes rxhand_f documentation.

Signed-off-by: Luca Ceresoli <luca.ceresoli@comelit.it>
Cc: Wolfgang Denk <wd@denx.de>
Acked-by: Detlev Zundel <dzu@denx.de>
2011-05-12 19:38:19 +02:00
Mike Frysinger
6ac59c5518 net: pull CONFIG checks out of source and into makefile
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Ben Warren <biggerbadderben@gmail.com>
2009-12-13 21:31:26 -08:00
Evan Samanas
aabb8cb081 nfs: NfsTimeout() updates
- NfsTimeout() does not correctly update the NFS timeout value which
  results in NfsTimeout() only being called once in certain situations.
  This can result in the 'nfs' command hanging indefinetly.  For
  example, the command:

    nfs 192.168.0.1:/home/user/file

  will not exit until ctrl-c is pressed if 192.168.0.1 does not have an
  NFS server running.

  This issue is resolved by reinitializting the NFS timeout value inside
  NfsTimeout() when a timeout occurs.

- Make the 'nfs' command print the 'T' character when a timeout occurs.
  Previously there was no indication that timeouts were occuring.

- Mimic the 'tftpboot' command and when a download fails print "Retry
  count exceeded; starting again", and restart the download taking the
  'netretry' environment variable into account.

Signed-off-by: Evan Samanas <esamanas@xes-inc.com>
Signed-off-by: Peter Tyser <ptyser@xes-inc.com>

Tested on TQM8xxL.

Tested by: Wolfgang Denk <wd@denx.de>

Tested on MPC8527DS.

Tested by: Ed Swarthout <Ed.Swarthout@freescale.com>
2009-12-07 22:35:47 +01:00
Ed Swarthout
f64ef9bb99 fix nfs symlink name corruption
An off by one error may cause nfs readlink lookup fail if
nfs_path_buff has non-zero data from a previous use.

Loading: *** ERROR: File lookup fail

Signed-off-by: Ed Swarthout <Ed.Swarthout@freescale.com>
2009-12-07 21:50:19 +01:00
Robin Getz
0ebf04c607 minor debug cleanups in ./net
Minor ./net cleanups - no functional changes
  - change #ifdef DEBUG printf(); #endif to just debug()
  - changed __FUNCTION__ to __func__
  - got rid of extra whitespace between function and opening brace
  - removed unnecessary braces on if statements

 gcc dead code elimination should make this functionally/size equivalent
 when DEBUG is not defined. (confirmed on Blackfin, with gcc 4.3.3).

 Signed-off-by: Robin Getz <rgetz@blackfin.uclinux.org>

Signed-off-by: Ben Warren <biggerbadderben@gmail.com>
2009-08-07 17:32:16 -07:00
Mike Frysinger
b6446b6775 convert print_IPaddr() to %pI4
Now that our printf functions support the %pI4 modifier like the kernel,
let's drop the inflexible print_IPaddr() function and covert over to the
%pI4 modifier.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
CC: Ben Warren <biggerbadderben@gmail.com>
2009-03-20 22:39:09 +01:00