[PATCH] net: clear IP defragmentation state after returning a complete packet

Simon Glass sjg at chromium.org
Wed Jun 3 19:04:32 CEST 2026


Hi Mateusz,

On 2026-06-01T22:48:21, Mateusz Furdyna <mateusz.furdyna at nokia.com> wrote:
> net: clear IP defragmentation state after returning a complete packet
>
> During the IP defragmentation process, after the reassembly is finished
> with the last packet arriving with MF=0, the reassembly state wrt.
> static counters is not cleared. In case this last arriving packet with
> MF=0 gets duplicated, payload bytes are mistakingly treated as hole data.
>
> A malicious actor who can deliver fragmented IP traffic to a U-Boot
> instance with CONFIG_IP_DEFRAG=y can corrupt memory via out-of-bound
> writes and redirect control flow into attacker-supplied payload bytes
> that already sit in pkt_buff[].
>
> Publicly available AI models are able to generate a reproducer based
> on the provided information.
>
> Fix: once the assembled packet has been handed back to the caller, mark
> the reassembly state empty so that any further fragment (duplicate,
> replay, or a brand-new datagram that happens to reuse the ip_id) goes
> through the normal re-init path and rebuilds a clean hole list instead
> of dereferencing payload bytes as struct hole.
> [...]
>
> net/net.c | 8 ++++++++
>  1 file changed, 8 insertions(+)

Reviewed-by: Simon Glass <sjg at chromium.org>

with nits below

> diff --git a/net/net.c b/net/net.c
> @@ -1103,6 +1103,14 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
>
>       *lenp = total_len + IP_HDR_SIZE;
>       localip->ip_len = htons(*lenp);
> +
> +     /* Mark the reassembly state empty so that any further
> +      * fragment goes through the normal re-init path and
> +      * rebuilds a clean hole list
> +      */
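Review bot: the new comment says the state is marked "empty" but does not name which variables encode that state, so a reader of this block has to scan ahead to learn what is being reset; since the re-init condition elsewhere in the function keys off one of these fields, consider saying so explicitly, e.g. "Reset total_len (and first_hole) so the next fragment takes the !total_len re-init path", which also documents why the reset must come after *lenp and localip->ip_len have been computed from total_len.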

Please use the standard U-Boot multi-line comment style with /* on its
own line, to match the rest of this file (see lines 962 and 1016):

   /*
    * Mark the reassembly state empty so that any further
    * fragment goes through the normal re-init path and
    * rebuilds a clean hole list.
    */

> diff --git a/net/net.c b/
> @@ -1103,6 +1103,14 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
> +     total_len = 0;
> +     first_hole = 0;
> +
>       return localip;
>  }
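Review bot: the reset is placed on this one return path only; if __net_defragment() has any other path that hands a completed datagram back to the caller, it would need the same `total_len = 0;` or the stale-hole-list condition described in the commit message remains reachable there, so it is worth confirming this is the sole success return. Also, since `first_hole` is not the field the re-init path tests, a short comment noting that `first_hole = 0;` is belt-and-braces rather than required would save the next reader from looking for a second trigger condition.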

Only total_len = 0 is actually needed, since the re-init path at line
1007 already resets first_hole (and payload[0]) whenever !total_len is
true. Still, this doesn't hurt.

Any chance of adding a test? Probably this is a little tricky...

BTW, 'mistakingly' in the commit message should be 'mistakenly'.

Regards,
Simon

