[PATCH 3/3] net: use strnstr() for lwip_strnstr()
Tom Rini
trini at konsulko.com
Tue Jan 21 03:33:41 CET 2025
On Tue, Jan 21, 2025 at 03:18:11AM +0100, Heinrich Schuchardt wrote:
> On 21.01.25 02:05, Tom Rini wrote:
> > On Sat, Jan 04, 2025 at 12:21:18AM +0100, Heinrich Schuchardt wrote:
> >
> > > Using strstr() instead of strnstr() creates a security concern.
> > >
> > > Fixes: 1c41a7afaa15 ("net: lwip: build lwIP")
> > > Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
> > > Reviewed-by: Jerome Forissier <jerome.forissier at linaro.org>
> > > ---
> > > lib/lwip/u-boot/arch/cc.h | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/lib/lwip/u-boot/arch/cc.h b/lib/lwip/u-boot/arch/cc.h
> > > index de138846358..6104c296f6f 100644
> > > --- a/lib/lwip/u-boot/arch/cc.h
> > > +++ b/lib/lwip/u-boot/arch/cc.h
> > > @@ -34,7 +34,7 @@
> > > x, __LINE__, __FILE__); } while (0)
> > > #define atoi(str) (int)dectoul(str, NULL)
> > > -#define lwip_strnstr(a, b, c) strstr(a, b)
> > > +#define lwip_strnstr(a, b, c) strnstr(a, b, c)
> > > #define LWIP_ERR_T int
> > > #define LWIP_CONST_CAST(target_type, val) ((target_type)((uintptr_t)val))
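Review bot: the commit message says only that strstr() "creates a security concern"; it should spell out that the removed `lwip_strnstr(a, b, c)` definition discarded the length argument `c`, so the search through `a` was bounded only by a NUL terminator. For the `+` line, please confirm that the strnstr() being mapped to treats `c` as the maximum number of bytes of `a` to search, and that its declaration is in scope everywhere cc.h is included, since the hunk adds no include alongside the macro.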
> >
> > This leads to:
> > https://dev.azure.com/u-boot/u-boot/_build/results?buildId=10370&view=logs&j=45c0c132-56cd-504a-56c7-1b8a534aa92b&t=f95d3367-9db2-5f2a-d3ed-8901d714dd66
> > as a failure, that I only end up seeing in Azure (I didn't track down if
> > there's some good reason we don't see this in Gitlab).
> >
>
> Hello Tom,
>
> It is not really clear how
>
> Lab failure: Timeout executing 'tftpboot 40400000 u-boot.bin
>
> could be related to this patch series.
>
> git grep -ni strstr net/
>
> only shows usage in wget but not in tftp.
Agreed.
> Is this test result reproducible in Azure?
Yes, every time. And 1/3 + 2/3 pass; 3/3 is when it fails.
--
Tom