[PATCH] net: sntp: Check packet length in sntp_handler
Jerome Forissier
jerome.forissier at arm.com
Tue May 19 11:27:03 CEST 2026
On 11/05/2026 15:37, Francois Berder wrote:
> Currently, the sntp_handler uses data in the UDP packet
> regardless of the actual packet size. An OOB read can occur
> if the packet is too small.
> Fix it by checking the packet length before extracting
> seconds from a SNTP packet.
>
> Signed-off-by: Francois Berder <fberder at outlook.fr>
> ---
> net/sntp.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/sntp.c b/net/sntp.c
> index 77cee0046bd..4b3dc675bab 100644
> --- a/net/sntp.c
> +++ b/net/sntp.c
> @@ -64,6 +64,9 @@ static void sntp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
> if (dest != sntp_our_port)
> return;
>
> + if (len < SNTP_PACKET_LEN)
> + return;
> +
> /*
> * As the RTC's used in U-Boot support second resolution only
> * we simply ignore the sub-second field.
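Review bot: The added `if (len < SNTP_PACKET_LEN)` check returns without any trace, so a truncated or malformed reply looks exactly like no reply at all to someone debugging a failed time sync; a debug-level message before the `return` would make the drop visible. The definition of SNTP_PACKET_LEN is not part of this hunk, so it is worth confirming that it covers at least the offset and size of the seconds field read further down in the handler, and that `len` and the constant have the same signedness so the comparison cannot be defeated by an implicit conversion.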
Reviewed-by: Jerome Forissier <jerome.forissier at arm.com>
...and added to the next queue. Thanks!
--
Jerome