From: Andrew Goodbody Date: Wed, 14 Jan 2026 15:12:10 +0000 (+0000) Subject: net: lwip: dhcp: Do not write past end of buffer X-Git-Tag: v2026.04-rc2~23^2~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=72d4e94b2ec3099a312c85c4b8f5cdbc920416ff;p=thirdparty%2Fu-boot.git net: lwip: dhcp: Do not write past end of buffer sprintf will write a trailing \0 at the end of the string so when writing into a buffer, that buffer must be sized to allow for that trailing zero. In the DHCP code when the index is a number needing two digits to express the index would use up the two \0 bytes in the buffer and the trailing \0 from sprintf would be beyond the end of the allocation. Fix this by adding a third \0 in the buffer. This was found by code inspection when looking for an issue reported by Michal Simek, but I do not have the hardware to reproduce, so cannot confirm if this addresses that issue or not. Fixes: 98ad145db61a ("net: lwip: add DHCP support and dhcp commmand") Signed-off-by: Andrew Goodbody Reviewed-by: Jerome Forissier --- diff --git a/net/lwip/dhcp.c b/net/lwip/dhcp.c index b798014ebcb..731b57de3ba 100644 --- a/net/lwip/dhcp.c +++ b/net/lwip/dhcp.c @@ -30,9 +30,9 @@ static void call_lwip_dhcp_fine_tmr(void *ctx) static int dhcp_loop(struct udevice *udev) { - char ipstr[] = "ipaddr\0\0"; - char maskstr[] = "netmask\0\0"; - char gwstr[] = "gatewayip\0\0"; + char ipstr[] = "ipaddr\0\0\0"; + char maskstr[] = "netmask\0\0\0"; + char gwstr[] = "gatewayip\0\0\0"; const ip_addr_t *ntpserverip; unsigned long start; struct netif *netif; diff --git a/net/lwip/net-lwip.c b/net/lwip/net-lwip.c index c325e923d20..0c83c004cab 100644 --- a/net/lwip/net-lwip.c +++ b/net/lwip/net-lwip.c @@ -103,9 +103,9 @@ struct netif *net_lwip_get_netif(void) static int get_udev_ipv4_info(struct udevice *dev, ip4_addr_t *ip, ip4_addr_t *mask, ip4_addr_t *gw) { - char ipstr[] = "ipaddr\0\0"; - char maskstr[] = "netmask\0\0"; - char gwstr[] = "gatewayip\0\0"; + char ipstr[] = "ipaddr\0\0\0"; + char maskstr[] = "netmask\0\0\0"; + char gwstr[] = "gatewayip\0\0\0"; int idx = dev_seq(dev); char *env;