From: Francois Berder <fberder@outlook.fr>
Date: Mon, 11 May 2026 19:55:31 +0000 (+0200)
Subject: net: dhcpv6: Prevent buffer overflow during BOOTFILE_URL parsing
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=4ba29d709419a567832276f80592d28f42e965b2;p=thirdparty%2Fu-boot.git

net: dhcpv6: Prevent buffer overflow during BOOTFILE_URL parsing

The net_boot_file_name is a 1024 byte buffer.
However, based on DHCPv6 RFC, bootfile-url length is
specified by option_len, a 16-bit unsigned integer
(valid range: 0-65535).
Hence, one needs to make sure that option_len is less
than the size of net_boot_file_name array before copying
bootfile-url to net_boot_file_name.

Signed-off-by: Francois Berder <fberder@outlook.fr>
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>
---

diff --git a/net/dhcpv6.c b/net/dhcpv6.c
index 5bf935cb6a3..51f44979f8e 100644
--- a/net/dhcpv6.c
+++ b/net/dhcpv6.c
@@ -377,6 +377,11 @@ static void dhcp6_parse_options(uchar *rx_pkt, unsigned int len)
 			break;
 		case DHCP6_OPTION_OPT_BOOTFILE_URL:
 			debug("DHCP6_OPTION_OPT_BOOTFILE_URL FOUND\n");
+			if (option_len >= sizeof(net_boot_file_name)) {
+				debug("Option length for BOOTFILE_URL is greater or equal than %zu. Skipping\n",
+				      sizeof(net_boot_file_name));
+				break;
+			}
 			copy_filename(net_boot_file_name, option_ptr, option_len + 1);
 			debug("net_boot_file_name: %s\n", net_boot_file_name);