On 11/05/2026 15:37, Francois Berder wrote: > Currently, the sntp_handler uses data in the UDP packet > regardless of the actual packet size. A OOB read can occur > if the packet is too small. > Fix it by checking the packet length before extracting > seconds from a SNTP packet. > > Signed-off-by: Francois Berder <[email protected]> > --- > net/sntp.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/net/sntp.c b/net/sntp.c > index 77cee0046bd..4b3dc675bab 100644 > --- a/net/sntp.c > +++ b/net/sntp.c > @@ -64,6 +64,9 @@ static void sntp_handler(uchar *pkt, unsigned dest, struct > in_addr sip, > if (dest != sntp_our_port) > return; > > + if (len < SNTP_PACKET_LEN) > + return; > + > /* > * As the RTC's used in U-Boot support second resolution only > * we simply ignore the sub-second field.
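Review bot: the new `if (len < SNTP_PACKET_LEN)` guard after the port check is only sufficient if SNTP_PACKET_LEN covers every byte the handler reads further down, and that definition is not visible in this hunk. It would help to state in the commit message or in a short comment above the check which structure the constant corresponds to, or to compare `len` against the `sizeof` of the packet structure the seconds field is read from, so the bound cannot drift from the layout. The check also returns silently; a debug-level message on the short-packet path would make truncated or malformed replies visible when someone is diagnosing a failed time sync.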
Reviewed-by: Jerome Forissier <[email protected]>

...and added to the next queue. Thanks!

--
Jerome

