U-Boot TFTP OACK option parser reads past unterminated values
Lee, Brian J
hibrian827 at gatech.edu
Wed May 27 18:17:43 CEST 2026
Hello U-Boot Security Team,
My name is Brian Lee, and I am a PhD Security Researcher in SSLab at Georgia Tech. I'd like to privately report a potential denial-of-service issue due to insufficient scan termination in the OACK option parser in TFTP. A remote unauthenticated TFTP server selected by the U-Boot client, or an attacker able to spoof the expected server's first OACK to the client's TFTP source port, can send a single malformed OACK during an ordinary TFTP get, boot, or update flow.
Target:
* Project: u-boot
* Repo: https://github.com/u-boot/u-boot
* Pinned ref: 215496fec59b3fa09256b4fb62f92af46e2ec7f9
Threat model:
U-Boot documents TFTP boot/download commands and optional automatic TFTP update; a selected or spoofed TFTP server can send the first OACK without authentication. The required packet is a single malformed OACK during an ordinary TFTP RRQ flow, with no credentials or multi-step race beyond being the selected/spoofed server response.
Attached:
* README.md: full writeup.
* poc/run.sh: allocates an exact-length TFTP packet containing opcode 0x0006 (OACK), option name blksize, a NUL after the option name, and one value byte (5) without the required value-terminating NUL. It then calls the modeled tftp_handler() as the first server response to a client RRQ, with destination port 1069 and source port 69, matching the guard state that accepts an initial OACK before the remote port is pinned.
* poc/inputs: the relevant files for running the PoC.
I would like to get help from your expertise to clarify whether this is a valid security threat or not. Thank you.
Best Regards,
Brian Lee
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc.zip
Type: application/x-zip-compressed
Size: 18853 bytes
Desc: poc.zip
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260527/f2adc090/attachment.bin>
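The following is an added, self-contained example (editor's code, not U-Boot's tftp_handler() nor the attached PoC) of an OACK option parser whose every scan is bounded by the packet length, so an option value that lacks its terminating NUL is rejected rather than read past. The packet bytes are constructed to match the report's description (opcode 0x0006, "blksize", NUL, the single value byte '5', no trailing NUL); the parser, its return convention and the helper names are the editor's assumptions, not U-Boot API.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TFTP_OACK 6
#define MAX_OPTS  8

struct tftp_opt {
    const char *name;   /* points into the packet buffer, NUL-terminated */
    const char *value;  /* points into the packet buffer, NUL-terminated */
};

/* Return a pointer to the first NUL in [p, end), or NULL if there is none.
 * memchr is given the remaining length, so it never reads past 'end'. */
static const char *bounded_nul(const char *p, const char *end)
{
    return memchr(p, '\0', (size_t)(end - p));
}

/* Parse an OACK packet of 'len' bytes into name/value pairs.
 * Returns the number of options found, or -1 if the packet is malformed:
 * wrong opcode, empty option name, a name without any value bytes, a name or
 * value whose NUL lies beyond the packet, or more than 'max_opts' options.
 * A well-formed OACK is a sequence of (name NUL value NUL) pairs. */
int parse_oack(const uint8_t *pkt, size_t len, struct tftp_opt *opts, int max_opts)
{
    if (len < 2 || ((pkt[0] << 8) | pkt[1]) != TFTP_OACK)
        return -1;

    const char *p   = (const char *)pkt + 2;
    const char *end = (const char *)pkt + len;
    int n = 0;

    while (p < end) {
        const char *name_end = bounded_nul(p, end);
        if (!name_end || name_end == p)
            return -1;                 /* unterminated or empty option name */

        const char *val = name_end + 1;
        if (val >= end)
            return -1;                 /* name present, value bytes missing */

        const char *val_end = bounded_nul(val, end);
        if (!val_end)
            return -1;                 /* unterminated value: the reported case */

        if (n == max_opts)
            return -1;                 /* refuse to overrun the caller's table */

        opts[n].name  = p;
        opts[n].value = val;
        n++;
        p = val_end + 1;               /* advance past the value's NUL */
    }
    return n;
}

/* Constructed packet (11 bytes): OACK, "blksize", NUL, '5', and no final NUL. */
static const uint8_t malformed_oack[] = {
    0x00, 0x06, 'b', 'l', 'k', 's', 'i', 'z', 'e', 0x00, '5'
};

/* Constructed well-formed OACK: blksize=1432, timeout=5. */
static const uint8_t good_oack[] = {
    0x00, 0x06,
    'b', 'l', 'k', 's', 'i', 'z', 'e', 0x00, '1', '4', '3', '2', 0x00,
    't', 'i', 'm', 'e', 'o', 'u', 't', 0x00, '5', 0x00
};

/* Wrappers so the two cases can be exercised (and tested) by name. */
int check_malformed_oack(void)
{
    struct tftp_opt opts[MAX_OPTS];
    return parse_oack(malformed_oack, sizeof malformed_oack, opts, MAX_OPTS);
}

int check_good_oack(struct tftp_opt *opts, int max_opts)
{
    return parse_oack(good_oack, sizeof good_oack, opts, max_opts);
}

int main(void)
{
    struct tftp_opt opts[MAX_OPTS];
    int n;

    printf("malformed OACK -> %d (expect -1)\n", check_malformed_oack());

    n = check_good_oack(opts, MAX_OPTS);
    printf("well-formed OACK -> %d option(s)\n", n);
    for (int i = 0; i < n; i++)
        printf("  %s = %s\n", opts[i].name, opts[i].value);
    return 0;
}
```

The point of the example is that the only trustworthy terminator is the packet length: a scan for the value's NUL has to stop at len, and a value that reaches len without one is a parse error that drops the packet, not a string to hand to strtol() or strcmp().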