U-Boot TFTP packet parser reads past short datagrams

Lee, Brian J hibrian827 at gatech.edu
Wed May 27 18:12:08 CEST 2026


Hello U-Boot Security Team,

My name is Brian Lee, and I am a PhD Security Researcher in SSLab at Georgia Tech. I'd like to privately report a potential denial-of-service issue due to an out-of-bounds read in the packet parser in TFTP. This pattern is identified in both the ACK packet and ERROR packet parsers, and a malicious attacker can craft a packet with missing blocks, leading to a Python error and potentially DoS.

Target:

  * Project: u-boot
  * Repo: https://github.com/u-boot/u-boot
  * Pinned ref: 215496fec59b3fa09256b4fb62f92af46e2ec7f9

Threat model:

The TFTP handler's only pre-dispatch length check is len < 2, which is sufficient to read the opcode but doesn't validate that opcode-specific fields are present. Two opcodes have unvalidated reads after that gate: ACK (reads 2 bytes for the block number, reachable during TFTPPUT) and ERROR (reads a 2-byte error code and walks a NUL-terminated string from the payload, reachable during any TFTP operation). A 2-byte UDP datagram from any peer that can reach the TFTP client port during a transfer triggers the bug.

Attached:
PoC for each of the two paths. Both have the same format:

  * README.md: full writeup.
  * poc/run.sh: script for reproduction
  * poc/inputs: the relevant files for running poc

I would like to get help from your expertise to clarify whether this is a valid security threat or not. Thank you.

Best Regards,
Brian Lee

-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc.zip
Type: application/x-zip-compressed
Size: 44456 bytes
Desc: poc.zip
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260527/7ca6cbff/attachment-0001.bin>
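
The per-opcode length gate that the report says is missing, as an added example that is not part of the original message and is not U-Boot code. The names `tftp_check_len` and `enum tftp_check` are hypothetical, the opcode values and field sizes follow RFC 1350, and the sample datagrams are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { TFTP_OP_ACK = 4, TFTP_OP_ERROR = 5 };   /* opcode values from RFC 1350 */
enum tftp_check {
    TFTP_OK = 0,
    TFTP_SHORT_HEADER,  /* fewer than 2 bytes: no opcode to read */
    TFTP_SHORT_ACK,     /* ACK without a complete block number */
    TFTP_SHORT_ERROR,   /* ERROR without a complete error code */
    TFTP_UNTERMINATED   /* ERROR message has no NUL inside the datagram */
};

/* Hypothetical helper: TFTP_OK only when every field the ACK or ERROR path
 * reads lies inside the len bytes received. Other opcodes are not checked. */
enum tftp_check tftp_check_len(const uint8_t *pkt, size_t len)
{
    if (len < 2)
        return TFTP_SHORT_HEADER;
    switch ((pkt[0] << 8) | pkt[1]) {           /* opcode is big-endian */
    case TFTP_OP_ACK:                           /* opcode(2) + block(2) */
        return len < 4 ? TFTP_SHORT_ACK : TFTP_OK;
    case TFTP_OP_ERROR:                         /* opcode(2) + code(2) + msg + NUL */
        if (len < 4)
            return TFTP_SHORT_ERROR;
        if (len == 4 || memchr(pkt + 4, 0, len - 4) == NULL)
            return TFTP_UNTERMINATED;
        return TFTP_OK;
    default: return TFTP_OK;
    }
}

/* Constructed sample datagrams, not captured traffic. */
static const uint8_t ack_2b[]   = { 0x00, 0x04 };
static const uint8_t ack_ok[]   = { 0x00, 0x04, 0x00, 0x01 };
static const uint8_t err_2b[]   = { 0x00, 0x05 };
static const uint8_t err_open[] = { 0x00, 0x05, 0x00, 0x01, 'n', 'o' };
static const uint8_t err_ok[]   = { 0x00, 0x05, 0x00, 0x01, 'n', 'o', 0x00 };

int main(void)
{
    printf("%d %d %d %d %d\n",
           tftp_check_len(ack_2b, sizeof ack_2b), tftp_check_len(ack_ok, sizeof ack_ok),
           tftp_check_len(err_2b, sizeof err_2b), tftp_check_len(err_open, sizeof err_open),
           tftp_check_len(err_ok, sizeof err_ok));
    return 0;
}
```

A receive path would call such a check after the `len < 2` gate and drop any datagram that does not return `TFTP_OK` before the opcode handler touches the payload.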

