From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: barebox@lists.infradead.org
Cc: Sohaib Mohamed <sohaib.amhmd@gmail.com>,
Ahmad Fatoum <a.fatoum@pengutronix.de>
Subject: [PATCH 2/2] net: reset pending ARP state when request is done
Date: Thu, 27 Nov 2025 13:38:38 +0100
Message-ID: <20251127123841.2225218-2-a.fatoum@pengutronix.de>
In-Reply-To: <20251127123841.2225218-1-a.fatoum@pengutronix.de>
net_new() creates a struct net_connection and calls arp_request()
to resolve unicast addresses. On success, arp_request() will
populate a buffer within the net_connection with the destination MAC
address.
If arp_request() aborts due to an error, it will leave the global
pending_arp.ether pointing at the buffer, which is promptly freed,
leading to a dangling pointer and a use-after-free if we happen to get
an ARP response just after the error occurred.
Fix this memory safety issue by always clearing all of pending_arp once
we are done with it, including error cases.
Reported-by: Sohaib Mohamed <sohaib.amhmd@gmail.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
net/net.c | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/net/net.c b/net/net.c
index d00d942b514c..5e0ddd2d335d 100644
--- a/net/net.c
+++ b/net/net.c
@@ -220,24 +220,28 @@ static int arp_request(struct eth_device *edev, IPaddr_t dest, unsigned char *et
ret = eth_send(edev, arp_packet, ETHER_HDR_SIZE + ARP_HDR_SIZE);
if (ret)
- return ret;
+ goto out;
arp_start = get_time_ns();
while (arp_wait_ip) {
- if (ctrlc())
- return -EINTR;
+ if (ctrlc()) {
+ ret = -EINTR;
+ goto out;
+ }
if (is_timeout(arp_start, 3 * SECOND)) {
printf("T ");
arp_start = get_time_ns();
ret = eth_send(edev, arp_packet, ETHER_HDR_SIZE + ARP_HDR_SIZE);
if (ret)
- return ret;
+ goto out;
retries++;
}
- if (retries > PKT_NUM_RETRIES)
- return -ETIMEDOUT;
+ if (retries > PKT_NUM_RETRIES) {
+ ret = -ETIMEDOUT;
+ goto out;
+ }
net_poll();
}
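Review bot: the success exit from the while loop relies on ret still being 0 from the last eth_send() call; that holds today because every non-zero ret now jumps to out, but it is implicit and easy to break if a later change reuses ret inside the loop (for example to carry a net_poll() status). An explicit `ret = 0;` after the loop would make the "reply received" path self-evidently return success rather than whatever the last transmit happened to leave behind.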
@@ -245,7 +249,11 @@ static int arp_request(struct eth_device *edev, IPaddr_t dest, unsigned char *et
pr_debug("Got ARP REPLY for %pI4: %02x:%02x:%02x:%02x:%02x:%02x\n",
&dest, ether[0], ether[1], ether[2], ether[3], ether[4],
ether[5]);
- return 0;
+
+out:
+ pending_arp.ip = 0;
+ pending_arp.ether = NULL;
+ return ret;
}
void net_poll(void)
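Review bot: the commit message says "all of pending_arp" is cleared, but out: resets only .ip and .ether; if the struct introduced in 1/2 carries any other member (such as the device the request was sent on), that member stays stale after this patch. Consider `memset(&pending_arp, 0, sizeof(pending_arp));` at out: so the cleanup cannot drift from the struct definition. Also worth confirming while here: the reply path in net_poll() must treat pending_arp.ether == NULL as "no request in flight" and drop the reply before copying, otherwise this change trades the use-after-free for a NULL pointer write.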
--
2.47.3
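As an added illustration of the failure mode the commit message describes, here is a constructed model of the control flow (not barebox code, not part of the patch): a net_new()-style caller resolves a peer, releases the connection when arp_request() fails, and a reply arrives just afterwards. The `patched` flag selects whether the error path clears pending_arp as this patch does. The connection, the peer address 10.0.0.1, the MAC and the -EIO result of the transmit are all made up for the example; "freeing" is modelled with an in_use flag so the demonstration itself has no undefined behaviour.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t IPaddr_t;

/* Constructed stand-in for barebox's struct net_connection: only the
 * destination-MAC buffer that arp_request() hands out is modelled. */
struct net_connection {
    unsigned char ether[6];
    bool in_use;        /* models malloc()/free() without real UB */
};

/* Global resolver state, same shape as the patch's pending_arp. */
static struct {
    IPaddr_t ip;
    unsigned char *ether;
} pending_arp;

static struct net_connection conn_slot;

/* What the receive side does when an ARP reply arrives: copy the MAC into
 * whatever pending_arp.ether points at. Returns 1 if it wrote, 0 if dropped. */
static int arp_handle_reply(IPaddr_t src_ip, const unsigned char mac[6])
{
    if (!pending_arp.ether || pending_arp.ip != src_ip)
        return 0;
    memcpy(pending_arp.ether, mac, 6);
    pending_arp.ip = 0;
    pending_arp.ether = NULL;
    return 1;
}

/* Model of arp_request(): 'send_err' is the (constructed) result of the
 * eth_send() call; 'patched' selects the pre- or post-patch error path. */
static int arp_request(IPaddr_t dest, unsigned char *ether, int send_err,
                       bool patched)
{
    int ret;

    pending_arp.ip = dest;
    pending_arp.ether = ether;

    ret = send_err;
    if (ret)
        goto out;

    ret = 0;
out:
    if (patched) {
        pending_arp.ip = 0;
        pending_arp.ether = NULL;
    }
    return ret;
}

/* net_new()-style caller: take a connection, resolve the peer, release the
 * connection if resolution fails, then deliver a late reply as if the NIC
 * answered just after the error. Returns true if that reply landed in the
 * already-released buffer, i.e. the use-after-free the patch fixes. */
static bool late_reply_hits_released_buffer(bool patched)
{
    const IPaddr_t peer = 0x0a000001;   /* 10.0.0.1, constructed */
    const unsigned char mac[6] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x42 };
    struct net_connection *con = &conn_slot;

    con->in_use = true;
    memset(con->ether, 0, sizeof(con->ether));

    if (arp_request(peer, con->ether, -EIO, patched) != 0)
        con->in_use = false;    /* net_new() frees con here */

    return arp_handle_reply(peer, mac) == 1 && !con->in_use;
}

int main(void)
{
    printf("unpatched: late reply writes released buffer: %s\n",
           late_reply_hits_released_buffer(false) ? "yes" : "no");
    printf("patched:   late reply writes released buffer: %s\n",
           late_reply_hits_released_buffer(true) ? "yes" : "no");
    return 0;
}
```

The unpatched run shows the reply handler copying into a buffer the caller has already given up, which is exactly the window the patch closes; with the error path clearing pending_arp.ether, the same late reply is simply dropped.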
Thread overview: 2+ messages
2025-11-27 12:38 [PATCH 1/2] net: arp: collect context into new struct pending_arp Ahmad Fatoum
2025-11-27 12:38 ` Ahmad Fatoum [this message]