[PATHv11,17/43] net: sandbox: fix NULL pointer derefences

Message ID	20231127125726.3735-18-maxim.uvarov@linaro.org
State	New
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; From: Maxim Uvarov <maxim.uvarov@linaro.org> To: u-boot@lists.denx.de Cc: pbrobinson@gmail.com, ilias.apalodimas@linaro.org, trini@konsulko.com, goldsimon@gmx.de, Maxim Uvarov <maxim.uvarov@linaro.org> Subject: [PATHv11 17/43] net: sandbox: fix NULL pointer derefences Date: Mon, 27 Nov 2023 18:57:00 +0600 Message-Id: <20231127125726.3735-18-maxim.uvarov@linaro.org> In-Reply-To: <20231127125726.3735-1-maxim.uvarov@linaro.org> References: <20231127125726.3735-1-maxim.uvarov@linaro.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	net/lwip: add lwip library for the network stack \| expand [PATHv11,00/43] net/lwip: add lwip library for the network stack [PATHv11,01/43] submodule: add lwIP as git submodule [PATHv11,02/43] net/lwip: add doc/develop/net_lwip.rst [PATHv11,03/43] net/lwip: integrate lwIP library [PATHv11,04/43] net/lwip: implement dns cmd [PATHv11,05/43] net/lwip: implement dhcp cmd [PATHv11,06/43] net/lwip: implement tftp cmd [PATHv11,07/43] net/lwip: implement wget cmd [PATHv11,08/43] net/lwip: implement ping cmd [PATHv11,09/43] net/lwip: add lwIP configuration [PATHv11,10/43] net/lwip: implement lwIP port to U-Boot [PATHv11,11/43] net/lwip: update .gitignore with lwIP [PATHv11,12/43] net/lwip: connection between cmd and lwip apps [PATHv11,13/43] net/lwip: replace original net commands with lwip [PATHv11,14/43] net/lwip: split net.h to net.h, arp.h and eth.h [PATHv11,15/43] test_efi_loader.py: use $filesize var [PATHv11,16/43] test_net: print out net list [PATHv11,17/43] net: sandbox: fix NULL pointer derefences [PATHv11,18/43] net/smc911x: fix return from smc911x_send [PATHv11,19/43] sandbox: eth-raw-os: successful return code is 0 [PATHv11,20/43] driver/net/rtl8139: remove debug print [PATHv11,21/43] mach-socfpga: do not overlap defines with lwip [PATHv11,22/43] bcm_ns3: fix overlap define with lwip [PATHv11,23/43] rcar3_salvator-x_defconfig: increase binary size limit [PATHv11,24/43] lwip: omap3: rename mem_init [PATHv11,25/43] configs/turris_omnia_defconfig set limit to 0xf6000 [PATHv11,26/43] configs/tbs2910_defconfig inc limit [PATHv11,27/43] configs/socfpga_secu1_defconfig: enable LTO [PATHv11,28/43] configs/turris_omnia_defconfig: enable LTO [PATHv11,29/43] configs/am335x_boneblack_vboot_defconfig: enable LTO and increase SPL size [PATHv11,30/43] configs/sheevaplug_defconfig: enable LTO and inc size [PATHv11,31/43] configs/lschlv2_defconfig: enable LTO and inc size [PATHv11,32/43] configs/lsxhl_defconfig: LTO + size [PATHv11,33/43] configs/am335x_evm_defconfig: inc SPL size [PATHv11,34/43] configs/bk4r1_defconfig: inc size [PATHv11,35/43] configs/linkit-smart-7688_defconfig: increse size [PATHv11,36/43] configs/gardena-smart-gateway-mt7688_defconfig: increase size [PATHv11,37/43] configs/rcar3_ulcb_defconfig: increase size [PATHv11,38/43] configs/qemu-x86_64_defconfig: increase ROM size [PATHv11,39/43] Makefile: add dtbs to clean [PATHv11,40/43] .azure-pipelines: init submodules [PATHv11,41/43] mach-mtmips: inc SPL size limit [PATHv11,42/43] configs/linkit-smart-7688_defconfig: increase board limit [PATHv11,43/43] .gitlab-ci.yml: change ownership of the git files

Message ID

20231127125726.3735-18-maxim.uvarov@linaro.org

State

New

Headers

Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de
 designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender)
 client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01;
From: Maxim Uvarov <maxim.uvarov@linaro.org>
To: u-boot@lists.denx.de
Cc: pbrobinson@gmail.com, ilias.apalodimas@linaro.org, trini@konsulko.com,
 goldsimon@gmx.de, Maxim Uvarov <maxim.uvarov@linaro.org>
Subject: [PATHv11 17/43] net: sandbox: fix NULL pointer derefences
Date: Mon, 27 Nov 2023 18:57:00 +0600
Message-Id: <20231127125726.3735-18-maxim.uvarov@linaro.org>
In-Reply-To: <20231127125726.3735-1-maxim.uvarov@linaro.org>
References: <20231127125726.3735-1-maxim.uvarov@linaro.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

Series

net/lwip: add lwip library for the network stack | expand

Comments

Tom Rini Nov. 27, 2023, 6:19 p.m. UTC | #1

On Mon, Nov 27, 2023 at 06:57:00PM +0600, Maxim Uvarov wrote:
> Add additional checks for NULL pointers.
> 
> Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> ---
>  drivers/net/sandbox.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/net/sandbox.c b/drivers/net/sandbox.c
> index 13022addb6..75d32db3a9 100644
> --- a/drivers/net/sandbox.c
> +++ b/drivers/net/sandbox.c
> @@ -65,6 +65,9 @@ int sandbox_eth_arp_req_to_reply(struct udevice *dev, void *packet,
>  	struct ethernet_hdr *eth_recv;
>  	struct arp_hdr *arp_recv;
>  
> +	if (!priv)
> +		return -EAGAIN;
> +
>  	if (ntohs(eth->et_protlen) != PROT_ARP)
>  		return -EAGAIN;

This part seems fine.

> @@ -82,6 +85,8 @@ int sandbox_eth_arp_req_to_reply(struct udevice *dev, void *packet,
>  
>  	/* Formulate a fake response */
>  	eth_recv = (void *)priv->recv_packet_buffer[priv->recv_packets];
> +	if (!eth_recv)
> +		return -EAGAIN;
>  	memcpy(eth_recv->et_dest, eth->et_src, ARP_HLEN);
>  	memcpy(eth_recv->et_src, priv->fake_host_hwaddr, ARP_HLEN);
>  	eth_recv->et_protlen = htons(PROT_ARP);

How do we get to this dereference, and is that not a bug in the caller?

Simon Glass Dec. 2, 2023, 6:33 p.m. UTC | #2

Hi Maxim,

On Mon, 27 Nov 2023 at 11:20, Tom Rini <trini@konsulko.com> wrote:
>
> On Mon, Nov 27, 2023 at 06:57:00PM +0600, Maxim Uvarov wrote:
> > Add additional checks for NULL pointers.
> >
> > Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> > ---
> >  drivers/net/sandbox.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> >
> > diff --git a/drivers/net/sandbox.c b/drivers/net/sandbox.c
> > index 13022addb6..75d32db3a9 100644
> > --- a/drivers/net/sandbox.c
> > +++ b/drivers/net/sandbox.c
> > @@ -65,6 +65,9 @@ int sandbox_eth_arp_req_to_reply(struct udevice *dev, void *packet,
> >       struct ethernet_hdr *eth_recv;
> >       struct arp_hdr *arp_recv;
> >
> > +     if (!priv)
> > +             return -EAGAIN;
> > +
> >       if (ntohs(eth->et_protlen) != PROT_ARP)
> >               return -EAGAIN;
>
> This part seems fine.
>
> > @@ -82,6 +85,8 @@ int sandbox_eth_arp_req_to_reply(struct udevice *dev, void *packet,
> >
> >       /* Formulate a fake response */
> >       eth_recv = (void *)priv->recv_packet_buffer[priv->recv_packets];
> > +     if (!eth_recv)
> > +             return -EAGAIN;
> >       memcpy(eth_recv->et_dest, eth->et_src, ARP_HLEN);
> >       memcpy(eth_recv->et_src, priv->fake_host_hwaddr, ARP_HLEN);
> >       eth_recv->et_protlen = htons(PROT_ARP);
>
> How do we get to this dereference, and is that not a bug in the caller?

I wonder if somehow the device has not been probed yet?

Regards,
Simon

Tom Rini Dec. 2, 2023, 7:04 p.m. UTC | #3

On Sat, Dec 02, 2023 at 11:33:14AM -0700, Simon Glass wrote:
> Hi Maxim,
> 
> On Mon, 27 Nov 2023 at 11:20, Tom Rini <trini@konsulko.com> wrote:
> >
> > On Mon, Nov 27, 2023 at 06:57:00PM +0600, Maxim Uvarov wrote:
> > > Add additional checks for NULL pointers.
> > >
> > > Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> > > ---
> > >  drivers/net/sandbox.c | 5 +++++
> > >  1 file changed, 5 insertions(+)
> > >
> > > diff --git a/drivers/net/sandbox.c b/drivers/net/sandbox.c
> > > index 13022addb6..75d32db3a9 100644
> > > --- a/drivers/net/sandbox.c
> > > +++ b/drivers/net/sandbox.c
> > > @@ -65,6 +65,9 @@ int sandbox_eth_arp_req_to_reply(struct udevice *dev, void *packet,
> > >       struct ethernet_hdr *eth_recv;
> > >       struct arp_hdr *arp_recv;
> > >
> > > +     if (!priv)
> > > +             return -EAGAIN;
> > > +
> > >       if (ntohs(eth->et_protlen) != PROT_ARP)
> > >               return -EAGAIN;
> >
> > This part seems fine.
> >
> > > @@ -82,6 +85,8 @@ int sandbox_eth_arp_req_to_reply(struct udevice *dev, void *packet,
> > >
> > >       /* Formulate a fake response */
> > >       eth_recv = (void *)priv->recv_packet_buffer[priv->recv_packets];
> > > +     if (!eth_recv)
> > > +             return -EAGAIN;
> > >       memcpy(eth_recv->et_dest, eth->et_src, ARP_HLEN);
> > >       memcpy(eth_recv->et_src, priv->fake_host_hwaddr, ARP_HLEN);
> > >       eth_recv->et_protlen = htons(PROT_ARP);
> >
> > How do we get to this dereference, and is that not a bug in the caller?
> 
> I wonder if somehow the device has not been probed yet?

Given the failures on a number of real hardware platforms in v11 as well
(which I didn't see until after my review), I wonder if you've not
spotted the cause of all of those other failures?

diff --git a/drivers/net/sandbox.c b/drivers/net/sandbox.c
index 13022addb6..75d32db3a9 100644
--- a/drivers/net/sandbox.c
+++ b/drivers/net/sandbox.c
@@ -65,6 +65,9 @@  int sandbox_eth_arp_req_to_reply(struct udevice *dev, void *packet,
 	struct ethernet_hdr *eth_recv;
 	struct arp_hdr *arp_recv;
 
+	if (!priv)
+		return -EAGAIN;
+
 	if (ntohs(eth->et_protlen) != PROT_ARP)
 		return -EAGAIN;
 
@@ -82,6 +85,8 @@  int sandbox_eth_arp_req_to_reply(struct udevice *dev, void *packet,
 
 	/* Formulate a fake response */
 	eth_recv = (void *)priv->recv_packet_buffer[priv->recv_packets];
+	if (!eth_recv)
+		return -EAGAIN;
 	memcpy(eth_recv->et_dest, eth->et_src, ARP_HLEN);
 	memcpy(eth_recv->et_src, priv->fake_host_hwaddr, ARP_HLEN);
 	eth_recv->et_protlen = htons(PROT_ARP);

[PATHv11,17/43] net: sandbox: fix NULL pointer derefences

Commit Message

Comments

Patch