[PATCH] net: sntp: Check packet length in sntp_handler
Francois Berder
fberder at outlook.fr
Mon May 11 15:37:58 CEST 2026
Currently, the sntp_handler uses data in the UDP packet
regardless of the actual packet size. A OOB read can occur
if the packet is too small.
Fix it by checking the packet length before extracting
seconds from a SNTP packet.
Signed-off-by: Francois Berder <fberder at outlook.fr>
---
net/sntp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/sntp.c b/net/sntp.c
index 77cee0046bd..4b3dc675bab 100644
--- a/net/sntp.c
+++ b/net/sntp.c
@@ -64,6 +64,9 @@ static void sntp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
if (dest != sntp_our_port)
return;
+ if (len < SNTP_PACKET_LEN)
+ return;
+
/*
* As the RTC's used in U-Boot support second resolution only
* we simply ignore the sub-second field.
--
2.43.0
More information about the U-Boot
mailing list