[U-Boot] [PATCH] net: Fix potential tx packet corruption by response to ARP request

Bin Meng bmeng.cn at gmail.com
Tue Sep 18 13:20:57 UTC 2018


At present the response to an ARP request is copied to the transmit
packet buffer ('net_tx_packet') and sent out. This won't fail in
most cases, but unfortunately is potentially broken under certain
circumstances.

For example, consider the following packet sequence:

1: placed an ARP request to the other end, initiated by 'ping'
2: received an ARP request from the other end
3: received the ARP reply from the other end

The ICMP echo request packet was created in step #1, stored in the
transmit packet buffer, but was corrupted in step #2 when handling
the response to ARP request using the same buffer, and finally the
same buffer was sent out in step #3 as the follow-up on ARP reply.
This leads to 'ping' timeout since the ICMP echo request was never
sent out to the other end, instead a duplicated ARP reply packet
was sent out and ignored by the other end.

Similar corruption can happen with other protocols like TFTP, which
leads to TFTP transfer timeout.

Use the dedicated ARP transmit packet buffer ('arp_tx_packet') to
avoid such an issue.

Signed-off-by: Bin Meng <bmeng.cn at gmail.com>
---

 net/arp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/arp.c b/net/arp.c
index b8a7168..e625c59 100644
--- a/net/arp.c
+++ b/net/arp.c
@@ -182,8 +182,8 @@ void arp_receive(struct ethernet_hdr *et, struct ip_udp_hdr *ip, int len)
 		    (net_read_ip(&arp->ar_spa).s_addr & net_netmask.s_addr))
 			udelay(5000);
 #endif
-		memcpy(net_tx_packet, et, eth_hdr_size + ARP_HDR_SIZE);
-		net_send_packet(net_tx_packet, eth_hdr_size + ARP_HDR_SIZE);
+		memcpy(arp_tx_packet, et, eth_hdr_size + ARP_HDR_SIZE);
+		net_send_packet(arp_tx_packet, eth_hdr_size + ARP_HDR_SIZE);
 		return;
 
 	case ARPOP_REPLY:		/* arp reply */
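
Review bot: The memcpy() into arp_tx_packet moves the overwrite risk rather than clearly removing it, because the commit message describes arp_tx_packet as the dedicated ARP transmit buffer and step 1 of the failing sequence is an outgoing ARP request that is still pending when the reply is built. If that pending request lives in arp_tx_packet and is retransmitted on timeout without being rebuilt, a reply written here in between would be resent in its place, which is the same class of corruption this patch fixes for net_tx_packet. Please state in the commit message whether the request path re-creates its packet on every retry, and consider a one-line comment above the memcpy() saying that net_tx_packet may hold a packet queued behind ARP resolution and must not be touched here. Separately, the copy length is the fixed eth_hdr_size + ARP_HDR_SIZE while the function receives len; the check that len covers that many bytes is not visible in this hunk, so it is worth confirming that it exists earlier in arp_receive().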
-- 
2.7.4


