From: Francois Berder <fberder@outlook.fr>
Date: Mon, 11 May 2026 13:37:58 +0000 (+0200)
Subject: net: sntp: Check packet length in sntp_handler
X-Git-Tag: v2026.07-rc4~8^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a38bf2121a398538730cd42a0cf3db8f80119c62;p=thirdparty%2Fu-boot.git

net: sntp: Check packet length in sntp_handler

Currently, the sntp_handler uses data in the UDP packet
regardless of the actual packet size. A OOB read can occur
if the packet is too small.
Fix it by checking the packet length before extracting
seconds from a SNTP packet.

Signed-off-by: Francois Berder <fberder@outlook.fr>
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>
---

diff --git a/net/sntp.c b/net/sntp.c
index 77cee0046bd..4b3dc675bab 100644
--- a/net/sntp.c
+++ b/net/sntp.c
@@ -64,6 +64,9 @@ static void sntp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
 	if (dest != sntp_our_port)
 		return;
 
+	if (len < SNTP_PACKET_LEN)
+		return;
+
 	/*
 	 * As the RTC's used in U-Boot support second resolution only
 	 * we simply ignore the sub-second field.