[PATCH 00/10] net: prevent buffer overflows in UDP packets

[PATCH 00/10] net: prevent buffer overflows in UDP packets

[Sascha Hauer]

Our UDP handlers all use a UDP packets length without checking if it
fits into the incoming ethernet frame. Create a net_eth_to_udp() helper
which does the bounds checking and use it throughout the code.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
Sascha Hauer (10):
      net: add net_eth_to_udp() helper for validated UDP extraction
      fs: tftp: use net_eth_to_udp() for packet parsing
      net: dhcp: use net_eth_to_udp() for packet parsing
      fs: nfs: use net_eth_to_udp() for packet parsing
      net: dns: use net_eth_to_udp() for packet parsing
      net: sntp: use net_eth_to_udp() for packet parsing
      net: netconsole: use net_eth_to_udp() for packet parsing
      net: fastboot: use net_eth_to_udp() for packet parsing
      net: fastboot: stop using net_eth_to_udp_payload() for PACKET_SIZE
      net: remove unused net_eth_to_udp{hdr,_payload,len}() helpers

 fs/nfs.c         | 11 +++++++----
 fs/tftp.c        |  9 +++++----
 include/net.h    | 21 +++++++--------------
 net/dhcp.c       | 16 +++++++++-------
 net/dns.c        |  9 ++++++---
 net/fastboot.c   | 25 ++++++++++++++++---------
 net/net.c        | 40 ++++++++++++++++++++++++++++++++++++++++
 net/netconsole.c |  7 +++++--
 net/sntp.c       | 14 +++++++++-----
 9 files changed, 104 insertions(+), 48 deletions(-)
---
base-commit: 0933e8f2ebf0d91dfcf177a4e4292b02921a53f1
change-id: 20260402-net-eth-do-udp-327f4e65ddd5

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>

[PATCH 01/10] net: add net_eth_to_udp() helper for validated UDP extraction

[Sascha Hauer]

The existing net_eth_to_udp_payload(), net_eth_to_udphdr() and
net_eth_to_udplen() helpers parse protocol headers by offset arithmetic
without checking the actual packet length. A short or malformed packet
can cause out-of-bounds reads.

Introduce net_eth_to_udp() which takes the frame pointer and the
NIC-reported length, validates that the packet is large enough to
contain ethernet + IP + UDP headers, cross-checks the UDP length field
against available bytes, and returns all three pieces of information
(udp header, payload pointer, payload length) callers typically need.

The old helpers are kept for now; callers will be converted in subsequent
commits.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 include/net.h |  9 +++++++++
 net/net.c     | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)

diff --git a/include/net.h b/include/net.h
index 43d718353a..bdf39bc531 100644
--- a/include/net.h
+++ b/include/net.h
@@ -308,6 +308,15 @@ static inline int net_eth_to_udplen(char *pkt)
 	return ntohs(udp->uh_ulen) - 8;
 }
 
+struct net_udp_pkt {
+	struct udphdr *udp;
+	void *payload;
+	unsigned int len;
+};
+
+int net_eth_to_udp(char *pkt, unsigned int framelen,
+		   struct net_udp_pkt *udp_pkt);
+
 int net_checksum_ok(unsigned char *, int);	/* Return true if cksum OK	*/
 uint16_t net_checksum(unsigned char *, int);	/* Calculate the checksum	*/
 
diff --git a/net/net.c b/net/net.c
index fc32c4562b..67c0eeb2ae 100644
--- a/net/net.c
+++ b/net/net.c
@@ -60,6 +60,46 @@ const char *net_get_domainname(void)
 	return net_domainname;
 }
 
+/**
+ * net_eth_to_udp - extract and validate UDP payload from an ethernet frame
+ * @pkt:	pointer to start of ethernet frame
+ * @framelen:	total frame length as reported by the NIC
+ * @udp_pkt:	output struct, filled on success
+ *
+ * Validates that the frame is large enough to contain the ethernet, IP and
+ * UDP headers and clamps the reported UDP payload length to what is actually
+ * available in the frame.
+ *
+ * Return: 0 on success, negative error code on malformed/short packets.
+ */
+int net_eth_to_udp(char *pkt, unsigned int framelen,
+		   struct net_udp_pkt *udp_pkt)
+{
+	unsigned int hdr_len = ETHER_HDR_SIZE + sizeof(struct iphdr) +
+			       sizeof(struct udphdr);
+	struct udphdr *udp;
+	unsigned int payload_len;
+
+	if (framelen < hdr_len)
+		return -EINVAL;
+
+	udp = (struct udphdr *)((struct iphdr *)(pkt + ETHER_HDR_SIZE) + 1);
+
+	if (ntohs(udp->uh_ulen) < sizeof(struct udphdr))
+		return -EINVAL;
+
+	payload_len = ntohs(udp->uh_ulen) - sizeof(struct udphdr);
+
+	if (payload_len > framelen - hdr_len)
+		return -EINVAL;
+
+	udp_pkt->udp = udp;
+	udp_pkt->payload = (char *)(udp + 1);
+	udp_pkt->len = payload_len;
+
+	return 0;
+}
+
 int net_checksum_ok(unsigned char *ptr, int len)
 {
 	return net_checksum(ptr, len) == 0xffff;

-- 
2.47.3

[PATCH 02/10] fs: tftp: use net_eth_to_udp() for packet parsing

[Sascha Hauer]

Replace the separate net_eth_to_udp_payload(), net_eth_to_udphdr() and
net_eth_to_udplen() calls with the new consolidated net_eth_to_udp()
helper.  This validates the packet length before accessing any headers
and removes the need to cast away the unused len parameter.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 fs/tftp.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/fs/tftp.c b/fs/tftp.c
index a454306b4b..fe6f42b073 100644
--- a/fs/tftp.c
+++ b/fs/tftp.c
@@ -628,11 +628,12 @@ static void tftp_recv(struct file_priv *priv,
 static void tftp_handler(void *ctx, char *packet, unsigned len)
 {
 	struct file_priv *priv = ctx;
-	char *pkt = net_eth_to_udp_payload(packet);
-	struct udphdr *udp = net_eth_to_udphdr(packet);
+	struct net_udp_pkt udp;
 
-	(void)len;
-	tftp_recv(priv, pkt, net_eth_to_udplen(packet), udp->uh_sport);
+	if (net_eth_to_udp(packet, len, &udp))
+		return;
+
+	tftp_recv(priv, udp.payload, udp.len, udp.udp->uh_sport);
 }
 
 static int tftp_start_transfer(struct file_priv *priv)

-- 
2.47.3

[PATCH 03/10] net: dhcp: use net_eth_to_udp() for packet parsing

[Sascha Hauer]

Replace the separate net_eth_to_udp_payload(), net_eth_to_udphdr() and
net_eth_to_udplen() calls with the new consolidated net_eth_to_udp()
helper.  This validates the packet length before accessing any headers.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 net/dhcp.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/net/dhcp.c b/net/dhcp.c
index e25b64842d..39168a2d53 100644
--- a/net/dhcp.c
+++ b/net/dhcp.c
@@ -391,16 +391,18 @@ static void dhcp_send_request_packet(struct bootp *bp_offer)
  */
 static void dhcp_handler(void *ctx, char *packet, unsigned int len)
 {
-	char *pkt = net_eth_to_udp_payload(packet);
-	struct udphdr *udp = net_eth_to_udphdr(packet);
-	struct bootp *bp = (struct bootp *)pkt;
+	struct net_udp_pkt udp;
+	struct bootp *bp;
+
+	if (net_eth_to_udp(packet, len, &udp))
+		return;
 
-	len = net_eth_to_udplen(packet);
+	bp = udp.payload;
 
-	debug("DHCPHandler: got packet: (len=%d) state: %d\n",
-		len, dhcp_state);
+	debug("DHCPHandler: got packet: (len=%u) state: %d\n",
+		udp.len, dhcp_state);
 
-	if (bootp_check_packet(pkt, ntohs(udp->uh_sport), len)) /* Filter out pkts we don't want */
+	if (bootp_check_packet(udp.payload, ntohs(udp.udp->uh_sport), udp.len))
 		return;
 
 	switch (dhcp_state) {

-- 
2.47.3

[PATCH 04/10] fs: nfs: use net_eth_to_udp() for packet parsing

[Sascha Hauer]

Replace net_eth_to_udp_payload() with the new consolidated
net_eth_to_udp() helper.

This also fixes a bug where the old code used the NIC-level frame
length (which includes ethernet, IP, and UDP headers) instead of the
UDP payload length when copying packet data.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 fs/nfs.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/fs/nfs.c b/fs/nfs.c
index 0b40c56ff3..39c92e4736 100644
--- a/fs/nfs.c
+++ b/fs/nfs.c
@@ -1193,13 +1193,16 @@ static int nfs_read_req(struct file_priv *priv, uint64_t offset,
 
 static void nfs_handler(void *ctx, char *p, unsigned len)
 {
-	char *pkt = net_eth_to_udp_payload(p);
 	struct nfs_priv *npriv = ctx;
+	struct net_udp_pkt udp;
 	struct packet *packet;
 
-	packet = xmalloc(sizeof(*packet) + len);
-	memcpy(packet->data, pkt, len);
-	packet->len = len;
+	if (net_eth_to_udp(p, len, &udp))
+		return;
+
+	packet = xmalloc(sizeof(*packet) + udp.len);
+	memcpy(packet->data, udp.payload, udp.len);
+	packet->len = udp.len;
 	packet->pos = 0;
 
 	list_add_tail(&packet->list, &npriv->packets);

-- 
2.47.3

[PATCH 05/10] net: dns: use net_eth_to_udp() for packet parsing

[Sascha Hauer]

Replace the separate net_eth_to_udp_payload() and net_eth_to_udplen()
calls with the new consolidated net_eth_to_udp() helper.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 net/dns.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/dns.c b/net/dns.c
index 8fbd13cdc3..8616e353c1 100644
--- a/net/dns.c
+++ b/net/dns.c
@@ -206,9 +206,12 @@ static void dns_recv(struct header *header, unsigned len)
 
 static void dns_handler(void *ctx, char *packet, unsigned len)
 {
-	(void)ctx;
-	dns_recv((struct header *)net_eth_to_udp_payload(packet),
-		net_eth_to_udplen(packet));
+	struct net_udp_pkt udp;
+
+	if (net_eth_to_udp(packet, len, &udp))
+		return;
+
+	dns_recv(udp.payload, udp.len);
 }
 
 int resolv(const char *host, IPaddr_t *ip)

-- 
2.47.3

[PATCH 06/10] net: sntp: use net_eth_to_udp() for packet parsing

[Sascha Hauer]

Replace the separate net_eth_to_udp_payload() and net_eth_to_udplen()
calls with the new consolidated net_eth_to_udp() helper.

The direct net_eth_to_iphdr() call is kept because SNTP needs to check
the source IP address before processing the UDP payload.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 net/sntp.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/net/sntp.c b/net/sntp.c
index be361f625d..c7441bc312 100644
--- a/net/sntp.c
+++ b/net/sntp.c
@@ -75,19 +75,23 @@ static int sntp_send(void)
 
 static void sntp_handler(void *ctx, char *pkt, unsigned len)
 {
-	IPaddr_t ip_addr;
 	struct iphdr *ip = net_eth_to_iphdr(pkt);
-	struct ntp_packet *ntp =
-	    (struct ntp_packet *)net_eth_to_udp_payload(pkt);
+	struct net_udp_pkt udp;
+	struct ntp_packet *ntp;
+	IPaddr_t ip_addr;
 
 	ip_addr = net_read_ip((void *)&ip->saddr);
 	if (ip_addr != net_sntp_ip)
 		return;
 
-	len = net_eth_to_udplen(pkt);
-	if (len < sizeof(struct ntp_packet))
+	if (net_eth_to_udp(pkt, len, &udp))
 		return;
 
+	if (udp.len < sizeof(struct ntp_packet))
+		return;
+
+	ntp = udp.payload;
+
 	pr_debug("received SNTP response\n");
 
 	if (ntp->version != VERSION)

-- 
2.47.3

[PATCH 07/10] net: netconsole: use net_eth_to_udp() for packet parsing

[Sascha Hauer]

Replace the separate net_eth_to_udp_payload() and net_eth_to_udplen()
calls with the new consolidated net_eth_to_udp() helper.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 net/netconsole.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/netconsole.c b/net/netconsole.c
index 28fd0e98ec..859cfe8e6f 100644
--- a/net/netconsole.c
+++ b/net/netconsole.c
@@ -33,9 +33,12 @@ static struct nc_priv *g_priv;
 static void nc_handler(void *ctx, char *pkt, unsigned len)
 {
 	struct nc_priv *priv = g_priv;
-	unsigned char *packet = net_eth_to_udp_payload(pkt);
+	struct net_udp_pkt udp;
 
-	kfifo_put(priv->fifo, packet, net_eth_to_udplen(pkt));
+	if (net_eth_to_udp(pkt, len, &udp))
+		return;
+
+	kfifo_put(priv->fifo, udp.payload, udp.len);
 }
 
 static int nc_getc(struct console_device *cdev)

-- 
2.47.3

[PATCH 08/10] net: fastboot: use net_eth_to_udp() for packet parsing

[Sascha Hauer]

Replace the separate net_eth_to_udplen(), net_eth_to_udphdr() and
net_eth_to_udp_payload() calls with the new consolidated
net_eth_to_udp() helper.

The direct net_eth_to_iphdr() call is kept because fastboot needs
access to the IP header for source address handling and tot_len based
fragment detection.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 net/fastboot.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/net/fastboot.c b/net/fastboot.c
index 263d8abaa2..506af00cb8 100644
--- a/net/fastboot.c
+++ b/net/fastboot.c
@@ -351,17 +351,24 @@ static void fastboot_check_retransmit(struct fastboot_net *fbn,
 
 static void fastboot_handler(void *ctx, char *packet, unsigned int raw_len)
 {
-	unsigned int len = net_eth_to_udplen(packet);
 	struct ethernet *eth_header = (struct ethernet *)packet;
 	struct iphdr *ip_header = net_eth_to_iphdr(packet);
-	struct udphdr *udp_header = net_eth_to_udphdr(packet);
-	char *payload = net_eth_to_udp_payload(packet);
 	struct fastboot_net *fbn = ctx;
+	struct net_udp_pkt udp;
 	struct fastboot_header header;
-	char *fastboot_data = payload + sizeof(header);
-	u16 tot_len = ntohs(ip_header->tot_len);
+	char *payload, *fastboot_data;
+	unsigned int len;
+	u16 tot_len;
 	int ret;
 
+	if (net_eth_to_udp(packet, raw_len, &udp))
+		return;
+
+	payload = udp.payload;
+	len = udp.len;
+	fastboot_data = payload + sizeof(header);
+	tot_len = ntohs(ip_header->tot_len);
+
 	/* catch bogus tot_len values */
 	if ((char *)ip_header - packet + tot_len > raw_len)
 		return;
@@ -392,7 +399,7 @@ static void fastboot_handler(void *ctx, char *packet, unsigned int raw_len)
 
 	memcpy(fbn->net_con->et->et_dest, eth_header->et_src, ETH_ALEN);
 	net_copy_ip(&fbn->net_con->ip->daddr, &ip_header->saddr);
-	fbn->net_con->udp->uh_dport = udp_header->uh_sport;
+	fbn->net_con->udp->uh_dport = udp.udp->uh_sport;
 
 	switch (header.id) {
 	case FASTBOOT_QUERY:
@@ -404,7 +411,7 @@ static void fastboot_handler(void *ctx, char *packet, unsigned int raw_len)
 			break;
 		}
 		fbn->host_addr = net_read_ip(&ip_header->saddr);
-		fbn->host_port = udp_header->uh_sport;
+		fbn->host_port = udp.udp->uh_sport;
 		memcpy(fbn->host_mac, eth_header->et_src, ETH_ALEN);
 		fastboot_net_abort(fbn);
 		/* poller just unregistered in fastboot_net_abort() */

-- 
2.47.3

[PATCH 09/10] net: fastboot: stop using net_eth_to_udp_payload() for PACKET_SIZE

[Sascha Hauer]

The PACKET_SIZE macro used net_eth_to_udp_payload(0) as a trick to
compute the combined ethernet + IP + UDP header size at compile time.
Replace this with an explicit constant, removing the last user of the
old helpers outside of the header itself.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 net/fastboot.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/fastboot.c b/net/fastboot.c
index 506af00cb8..b1cb8c8bf6 100644
--- a/net/fastboot.c
+++ b/net/fastboot.c
@@ -23,8 +23,8 @@
 
 #define FASTBOOT_PORT 5554
 #define MAX_MTU 1500
-#define PACKET_SIZE (min(PKTSIZE, MAX_MTU + ETHER_HDR_SIZE) \
-		      - (net_eth_to_udp_payload(0) - (char *)0))
+#define NET_UDP_HDR_SIZE (ETHER_HDR_SIZE + sizeof(struct iphdr) + sizeof(struct udphdr))
+#define PACKET_SIZE (min(PKTSIZE, MAX_MTU + ETHER_HDR_SIZE) - NET_UDP_HDR_SIZE)
 
 enum {
 	FASTBOOT_ERROR = 0,

-- 
2.47.3

[PATCH 10/10] net: remove unused net_eth_to_udp{hdr,_payload,len}() helpers

[Sascha Hauer]

All callers have been converted to net_eth_to_udp() which validates
the packet length before accessing headers.  Remove the old helpers.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 include/net.h | 16 ----------------
 1 file changed, 16 deletions(-)

diff --git a/include/net.h b/include/net.h
index bdf39bc531..4d443135c1 100644
--- a/include/net.h
+++ b/include/net.h
@@ -282,11 +282,6 @@ static inline struct iphdr *net_eth_to_iphdr(char *pkt)
 	return (struct iphdr *)(pkt + ETHER_HDR_SIZE);
 }
 
-static inline struct udphdr *net_eth_to_udphdr(char *pkt)
-{
-	return (struct udphdr *)(net_eth_to_iphdr(pkt) + 1);
-}
-
 static inline struct icmphdr *net_eth_to_icmphdr(char *pkt)
 {
 	return (struct icmphdr *)(net_eth_to_iphdr(pkt) + 1);
@@ -297,17 +292,6 @@ static inline char *net_eth_to_icmp_payload(char *pkt)
 	return (char *)(net_eth_to_icmphdr(pkt) + 1);
 }
 
-static inline char *net_eth_to_udp_payload(char *pkt)
-{
-	return (char *)(net_eth_to_udphdr(pkt) + 1);
-}
-
-static inline int net_eth_to_udplen(char *pkt)
-{
-	struct udphdr *udp = net_eth_to_udphdr(pkt);
-	return ntohs(udp->uh_ulen) - 8;
-}
-
 struct net_udp_pkt {
 	struct udphdr *udp;
 	void *payload;

-- 
2.47.3