[PATCH] net: dhcpv6: Prevent buffer overflow during BOOTFILE_URL parsing
Jerome Forissier
jerome.forissier at arm.com
Tue May 19 11:28:27 CEST 2026
On 11/05/2026 21:55, Francois Berder wrote:
> The net_boot_file_name is a 1024 byte buffer.
> However, based on DHCPv6 RFC, bootfile-url length is
> specified by option_len, a 16-bit unsigned integer
> (valid range: 0-65535).
> Hence, one needs to make sure that option_len is less
> than the size of net_boot_file_name array before copying
> bootfile-url to net_boot_file_name.
>
> Signed-off-by: Francois Berder <fberder at outlook.fr>
> ---
> net/dhcpv6.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/net/dhcpv6.c b/net/dhcpv6.c
> index 5bf935cb6a3..51f44979f8e 100644
> --- a/net/dhcpv6.c
> +++ b/net/dhcpv6.c
> @@ -377,6 +377,11 @@ static void dhcp6_parse_options(uchar *rx_pkt, unsigned int len)
> break;
> case DHCP6_OPTION_OPT_BOOTFILE_URL:
> debug("DHCP6_OPTION_OPT_BOOTFILE_URL FOUND\n");
> + if (option_len >= sizeof(net_boot_file_name)) {
> + debug("Option length for BOOTFILE_URL is greater or equal than %zu. Skipping\n",
> + sizeof(net_boot_file_name));
> + break;
> + }
> copy_filename(net_boot_file_name, option_ptr, option_len + 1);
> debug("net_boot_file_name: %s\n", net_boot_file_name);
>
Reviewed-by: Jerome Forissier <jerome.forissier at arm.com>
...and added to the net queue. Thanks!
--
Jerome
More information about the U-Boot
mailing list