From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <u-boot-bounces@lists.denx.de>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id 42D7AC77B7D
	for <u-boot@archiver.kernel.org>; Thu, 18 May 2023 19:36:04 +0000 (UTC)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id 1A7C484773;
	Thu, 18 May 2023 21:35:52 +0200 (CEST)
Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (1024-bit key; unprotected) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="FpXP+7XM";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id 7AC368473E; Thu, 18 May 2023 21:35:47 +0200 (CEST)
Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182])
 by phobos.denx.de (Postfix) with ESMTP id 9A5A084768
 for <u-boot@lists.denx.de>; Thu, 18 May 2023 21:35:43 +0200 (CEST)
Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none)
 header.from=linux.microsoft.com
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=seanedmond@linux.microsoft.com
Received: from ovlvm106.redmond.corp.microsoft.com (unknown [131.107.147.185])
 by linux.microsoft.com (Postfix) with ESMTPSA id 3D45920FB1B4;
 Thu, 18 May 2023 12:35:42 -0700 (PDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 3D45920FB1B4
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com;
 s=default; t=1684438542;
 bh=5kmxBo62B29/RDcWu5fzkSqs4w2IZTp//HQ7DZisbWA=;
 h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
 b=FpXP+7XMDvuZNt4snSpOrYNu+nXx6JDQ2ZuWwXx92kACMqutTU5qmErG2UUsstjP9
 TrqDuuW7DL+g//1GLdyR6yOoHSAKZYdl5E+g/ieTEjw16vWTAoPxLmMWEwoNON3V/J
 SEA+cuPNW9mnqtj9SHVEs0yRLtW+0Q16k+3QtnOY=
From: seanedmond@linux.microsoft.com
To: u-boot@lists.denx.de
Cc: trini@konsulko.com,
	xypron.glpk@gmx.de,
	rfried.dev@gmail.com
Subject: [PATCH 1/2] net: ipv6: Fix CID 453851 and CID 436278
Date: Thu, 18 May 2023 12:35:40 -0700
Message-Id: <20230518193541.69606-2-seanedmond@linux.microsoft.com>
X-Mailer: git-send-email 2.40.0
In-Reply-To: <20230518193541.69606-1-seanedmond@linux.microsoft.com>
References: <20230518193541.69606-1-seanedmond@linux.microsoft.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de
X-Virus-Status: Clean

From: Sean Edmond <seanedmond@microsoft.com>

CID 453851 : sprintf() shouldn't copy from/to tmp
CID 436278 : DHCP6 option_len should be checked before use

Signed-off-by: Sean Edmond <seanedmond@microsoft.com>
---
 cmd/net.c    | 12 ++++++------
 net/dhcpv6.c |  5 +++++
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/cmd/net.c b/cmd/net.c
index 68d406291e..9e1f40a56e 100644
--- a/cmd/net.c
+++ b/cmd/net.c
@@ -209,7 +209,7 @@ U_BOOT_CMD(
 
 static void netboot_update_env(void)
 {
-	char tmp[44];
+	char tmp[46];
 
 	if (net_gateway.s_addr) {
 		ip_to_string(net_gateway, tmp);
@@ -274,20 +274,20 @@ static void netboot_update_env(void)
 	if (IS_ENABLED(CONFIG_IPV6)) {
 		if (!ip6_is_unspecified_addr(&net_ip6) ||
 		    net_prefix_length != 0) {
-			sprintf(tmp, "%pI6c", &net_ip6);
 			if (net_prefix_length != 0)
-				sprintf(tmp, "%s/%d", tmp, net_prefix_length);
-
+				snprintf(tmp, sizeof(tmp), "%pI6c/%d", &net_ip6, net_prefix_length);
+			else
+				snprintf(tmp, sizeof(tmp), "%pI6c", &net_ip6);
 			env_set("ip6addr", tmp);
 		}
 
 		if (!ip6_is_unspecified_addr(&net_server_ip6)) {
-			sprintf(tmp, "%pI6c", &net_server_ip6);
+			snprintf(tmp, sizeof(tmp), "%pI6c", &net_server_ip6);
 			env_set("serverip6", tmp);
 		}
 
 		if (!ip6_is_unspecified_addr(&net_gateway6)) {
-			sprintf(tmp, "%pI6c", &net_gateway6);
+			snprintf(tmp, sizeof(tmp), "%pI6c", &net_gateway6);
 			env_set("gatewayip6", tmp);
 		}
 	}
diff --git a/net/dhcpv6.c b/net/dhcpv6.c
index 0d1c600632..73a1067877 100644
--- a/net/dhcpv6.c
+++ b/net/dhcpv6.c
@@ -316,6 +316,11 @@ static void dhcp6_parse_options(uchar *rx_pkt, unsigned int len)
 		option_ptr = ((uchar *)option_hdr) + sizeof(struct dhcp6_hdr);
 		option_len = ntohs(option_hdr->option_len);
 
+		if (option_ptr + option_len > rx_pkt + len) {
+			debug("Invalid option length\n");
+			return;
+		}
+
 		switch (ntohs(option_hdr->option_id)) {
 		case DHCP6_OPTION_CLIENTID:
 			if (memcmp(option_ptr, sm_params.duid, option_len)
-- 
2.40.0