Re: [PATCH] mtd: nand: mxc_nand: sync with kernel driver

2024-05-27 Thread Sascha Hauer
On Mon, 27 May 2024 14:57:25 +0200, Sascha Hauer wrote: > The software BCH ECC support merged into barebox was a preliminary > version. Sync this with the code that was merged to the kernel. > This hasn't hit Linus' tree yet, but is merged into next: > https://lore.kernel.org/all/20240527121848.1

[PATCH] commands: mipi_dbi: fix null pointer dereference when writing data

2024-05-27 Thread Roland Hieber
When accessing argv[optind + i], the whole array index must stay below argc, not only i. Also val is only 4 bytes long, so when indexed with i (which was initialised to optind, which is at least 3) it will overflow after reading one data argument from the command line. Add a guard against the latter c

Re: [PATCH] mtd: nand: mxc_nand: sync with kernel driver

2024-05-27 Thread Sascha Hauer
On Mon, May 27, 2024 at 02:57:25PM +0200, Sascha Hauer wrote: > The software BCH ECC support merged into barebox was a preliminary > version. Sync this with the code that was merged to the kernel. > This hasn't hit Linus' tree yet, but is merged into next: > https://lore.kernel.org/all/202405271218

[PATCH] mtd: nand: mxc_nand: sync with kernel driver

2024-05-27 Thread Sascha Hauer
The software BCH ECC support merged into barebox was a preliminary version. Sync this with the code that was merged to the kernel. This hasn't hit Linus' tree yet, but is merged into next: https://lore.kernel.org/all/20240527121848.178542-1-miquel.ray...@bootlin.com/ The version first merged into

Re: [PATCH v2 4/7] net: liteeth: do not read past the receive buffer

2024-05-27 Thread Jules Maselbas
a bit unrelated, also a nitpick: On Mon May 27, 2024 at 12:27 PM CEST, Sascha Hauer wrote: > The driver already discards packets bigger than 2048 bytes, but that is > already larger than the buffer we read the data into. Limit packet size > to PKTSIZE instead which matches our receive buffer size.

Re: [PATCH v2 5/7] net: smc911x: do not read past the receive buffer

2024-05-27 Thread Jules Maselbas
On Mon May 27, 2024 at 12:27 PM CEST, Sascha Hauer wrote: > The hardware may report a packet longer than our receive buffer. Instead > of reading past the read buffer, discard too long packets. > > Signed-off-by: Sascha Hauer > --- > drivers/net/smc911x.c | 11 --- > 1 file changed, 8 ins

[PATCH v2 5/7] net: smc911x: do not read past the receive buffer

2024-05-27 Thread Sascha Hauer
The hardware may report a packet longer than our receive buffer. Instead of reading past the read buffer, discard too long packets. Signed-off-by: Sascha Hauer --- drivers/net/smc911x.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/net/smc911x.c b/driver

[PATCH v2 7/7] net: let net rx hook return void

2024-05-27 Thread Sascha Hauer
The return value of the net rx hook is quite inconsistent over the different drivers. Some return the length of the received packet, some return the number of packets and others just return 0. Nobody checks the return value anyway, so just change the hook to return void. Signed-off-by: Sascha Haue

[PATCH v2 3/7] net: ks8851_mll: do not read past the receive buffer

2024-05-27 Thread Sascha Hauer
The hardware may report a packet longer than our receive buffer. Instead of reading past the receive buffer, discard too long packets. Signed-off-by: Sascha Hauer --- drivers/net/ks8851_mll.c | 36 ++-- 1 file changed, 30 insertions(+), 6 deletions(-) diff --git

[PATCH v2 2/7] net: cs8900: do not read past the receive buffer

2024-05-27 Thread Sascha Hauer
The hardware may report a packet longer than our receive buffer. Instead of reading past the read buffer, discard too long packets. Signed-off-by: Sascha Hauer --- drivers/net/cs8900.c | 12 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/net/cs8900.c b/drivers

[PATCH v2 1/7] net: cs8900: simplify buffer read loop

2024-05-27 Thread Sascha Hauer
Instead of doing an extra read after the buffer read loop when the packet length is odd, add another iteration to the loop if necessary. Signed-off-by: Sascha Hauer --- drivers/net/cs8900.c | 7 ++- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/drivers/net/cs8900.c b/drivers/

[PATCH v2 6/7] net: ks8851_mll: drop return value from ks8851_rx_frame()

2024-05-27 Thread Sascha Hauer
Signed-off-by: Sascha Hauer --- drivers/net/ks8851_mll.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/ks8851_mll.c b/drivers/net/ks8851_mll.c index 936191597a..4e2a05158e 100644 --- a/drivers/net/ks8851_mll.c +++ b/drivers/net/ks8851_mll.c @@ -672,7 +672,7

[PATCH v2 4/7] net: liteeth: do not read past the receive buffer

2024-05-27 Thread Sascha Hauer
The driver already discards packets bigger than 2048 bytes, but that is already larger than the buffer we read the data into. Limit packet size to PKTSIZE instead which matches our receive buffer size. Signed-off-by: Sascha Hauer --- drivers/net/liteeth.c | 2 +- 1 file changed, 1 insertion(+),

[PATCH v2 0/7] net: do not read past receive buffer

2024-05-27 Thread Sascha Hauer
Several network drivers read overlong packets without checking if the buffer they read into is large enough. Discard the packets instead of writing past the buffer. Changes since v1: - Do not call net_receive() when we decided to discard a packet - Add patch to let network device receive hook retu

[PATCH 2/2] watchdog: fix watchdog restart handler when autoping is enabled

2024-05-27 Thread Sascha Hauer
When the watchdog autoping feature is enabled it will ping the watchdog every 0.5s. This becomes a problem when the fallback restart handler is called to reset the CPU. It will then set the watchdog to trigger in one second and wait for CPU reset using mdelay(). During the mdelay() the autoping po

[PATCH 1/2] watchdog: dw_wdt: do not register restart handler

2024-05-27 Thread Sascha Hauer
The designware watchdog driver doesn't have a special reset function, instead it only uses the regular watchdog to reset the SoC. Since 0ed7bb09f2ef7b ("watchdog: add option to provide fall-back restart handler") the watchdog core provides the same functionality, so just drop the restart functional

Re: Heap overflow vulnerabilities in network implementation of barebox

2024-05-27 Thread jianqiang wang
Hi Sascha, Thanks for your work. I noticed that if the device does not use DMA, it will probably have this problem. Yes, what you mentioned the smc9 driver has the same vulnerability. However, I didn't check them carefully for each device driver. Best Sascha Hauer wrote on Mon, May 27, 2024 at 09:41: >

Re: [PATCH 2/5] net: cs8900: do not read past the receive buffer

2024-05-27 Thread Sascha Hauer
Hi Jules, On Mon, May 27, 2024 at 10:58:55AM +0200, Jules Maselbas wrote: > Hi Sascha, > > Just a quick remark: > > On Mon May 27, 2024 at 9:29 AM CEST, Sascha Hauer wrote: > > the hardware may report a packet longer than our receive buffer. Instead > > of reading past the read buffer, discard t

Re: [PATCH 2/5] net: cs8900: do not read past the receive buffer

2024-05-27 Thread Jules Maselbas
Hi Sascha, Just a quick remark: On Mon May 27, 2024 at 9:29 AM CEST, Sascha Hauer wrote: > the hardware may report a packet longer than our receive buffer. Instead > of reading past the read buffer, discard too long packets. > > Signed-off-by: Sascha Hauer > --- > drivers/net/cs8900.c | 9 +

Re: Heap overflow vulnerabilities in network implementation of barebox

2024-05-27 Thread Sascha Hauer
Hi, On Thu, May 23, 2024 at 06:51:01PM +0200, jianqiang wang wrote: > Dear Barebox developers, > > I found several heap overflow vulnerabilities in Barebox. > > The Barebox implementation assumes that the network packet received is > less than PKTSIZE, that is 1536 bytes. For example, the /net/ne

[PATCH 1/5] net: cs8900: simplify buffer read loop

2024-05-27 Thread Sascha Hauer
Instead of doing an extra read after the buffer read loop when the packet length is odd, add another iteration to the loop if necessary. Signed-off-by: Sascha Hauer --- drivers/net/cs8900.c | 7 ++- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/drivers/net/cs8900.c b/drivers/

[PATCH 3/5] net: ks8851_mll: do not read past the receive buffer

2024-05-27 Thread Sascha Hauer
The hardware may report a packet longer than our receive buffer. Instead of reading past the receive buffer, discard too long packets. Signed-off-by: Sascha Hauer --- drivers/net/ks8851_mll.c | 28 +--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/driver

[PATCH 4/5] net: liteeth: do not read past the receive buffer

2024-05-27 Thread Sascha Hauer
The driver already discards packets bigger than 2048 bytes, but that is already larger than the buffer we read the data into. Limit packet size to PKTSIZE instead which matches our receive buffer size. Signed-off-by: Sascha Hauer --- drivers/net/liteeth.c | 2 +- 1 file changed, 1 insertion(+),

[PATCH 5/5] net: smc911x: do not read past the receive buffer

2024-05-27 Thread Sascha Hauer
The hardware may report a packet longer than our receive buffer. Instead of reading past the read buffer, discard too long packets. Signed-off-by: Sascha Hauer --- drivers/net/smc911x.c | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/net/smc911x.c b/drivers/n

[PATCH 2/5] net: cs8900: do not read past the receive buffer

2024-05-27 Thread Sascha Hauer
The hardware may report a packet longer than our receive buffer. Instead of reading past the read buffer, discard too long packets. Signed-off-by: Sascha Hauer --- drivers/net/cs8900.c | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/net/cs8900.c b/drivers/net