From: seanedmond@linux.microsoft.com
To: u-boot@lists.denx.de
Cc: joe.hershberger@ni.com, rfried.dev@gmail.com
Subject: [PATCH] net: dhcp6: Fix OPT_BOOTFILE_PARAM parsing
Date: Tue, 25 Jul 2023 16:13:29 -0700
Message-Id: <20230725231329.5653-1-seanedmond@linux.microsoft.com>

From: Sean Edmond

RFC 5970 states that OPT_BOOTFILE_PARAM (option 60) can be
multiple parameters that start with a 16-bit length field followed
by the parameter. For example:

[ param-len 1 (16-bits) ] [ parameter 1 (variable length) ]

This fix ensures we're considering "param-len 1" in the parsing.

Signed-off-by: Sean Edmond
--- net/dhcpv6.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/net/dhcpv6.c b/net/dhcpv6.c index 73a1067877..4aea779f6f 100644 --- a/net/dhcpv6.c +++ b/net/dhcpv6.c @@ -304,7 +304,7 @@ static void dhcp6_parse_ia_options(struct dhcp6_option_hdr *ia_ptr, uchar *ia_op static void dhcp6_parse_options(uchar *rx_pkt, unsigned int len) { uchar *option_ptr; - int sol_max_rt_sec, option_len; + int sol_max_rt_sec, option_len, param_len_1; char *s, *e; struct dhcp6_option_hdr *option_hdr; 
@@ -390,14 +390,23 @@ static void dhcp6_parse_options(uchar *rx_pkt, unsigned int len) case DHCP6_OPTION_OPT_BOOTFILE_PARAM: if (IS_ENABLED(CONFIG_DHCP6_PXE_DHCP_OPTION)) { debug("DHCP6_OPTION_OPT_BOOTFILE_PARAM FOUND\n"); + /* if CONFIG_DHCP6_PXE_DHCP_OPTION is set the PXE config file path + * is contained in the first OPT_BOOTFILE_PARAM argument + */ + param_len_1 = ntohs(*((u16 *)option_ptr)); + option_ptr += sizeof(u16); + if (param_len_1 + sizeof(u16) > option_len) { + debug("Invalid BOOTFILE_PARAM param_len_1. Skipping\n"); + break; + } if (pxelinux_configfile) free(pxelinux_configfile); - pxelinux_configfile = (char *)malloc((option_len + 1) * + pxelinux_configfile = (char *)malloc((param_len_1 + 1) * sizeof(char)); if (pxelinux_configfile) - strlcpy(pxelinux_configfile, option_ptr, option_len + 1); + strlcpy(pxelinux_configfile, option_ptr, param_len_1 + 1); else printf("Error: Failed to allocate pxelinux_configfile\n"); -- 2.40.0
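
Review bot: in the declaration hunk of dhcp6_parse_options(), param_len_1 is added as a signed int, but it only ever holds an ntohs() result and is then used in a comparison with sizeof(u16), which is evaluated as unsigned. Declaring it u16 or unsigned int would match how it is used and make the comparison against option_len easier to reason about. It is also only used inside the DHCP6_OPTION_OPT_BOOTFILE_PARAM case, so it could be declared there instead of at function scope.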
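
Review bot: in the DHCP6_OPTION_OPT_BOOTFILE_PARAM case, param_len_1 is read with ntohs(*((u16 *)option_ptr)) before anything checks that option_len is at least sizeof(u16), so an option whose body is 0 or 1 bytes long is read past its end. Test option_len against sizeof(u16) first, then keep the existing "param_len_1 + sizeof(u16) > option_len" check. The (u16 *) cast also assumes option_ptr is 2-byte aligned inside the received packet; copying the two bytes into a local u16 with memcpy avoids relying on that. option_ptr is advanced before the validity check, so the "Skipping" break leaves it already moved; please confirm that nothing after the switch depends on its value. Last, strlcpy expects a NUL-terminated source while this parameter is length-prefixed, so a memcpy of param_len_1 bytes followed by an explicit terminator would keep the copy from looking past the parameter.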