2 files changed, 59 insertions, 1 deletions
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch
new file mode 100644
index 0000000000..2d250e51b7
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch
@@ -0,0 +1,56 @@
+From 1406fc918977bba4dac0af5e22e63a5553aa6aff Mon Sep 17 00:00:00 2001
+From: Paul HENRYS <paul.henrys_ext@softathome.com>
+Date: Thu, 9 Oct 2025 17:43:28 +0200
+Subject: [PATCH] net: bootp: Prevent buffer overflow to avoid leaking the RAM
+ content
+CVE-2024-42040 describes a possible buffer overflow when calling
+bootp_process_vendor() in bootp_handler() since the total length
+of the packet is passed to bootp_process_vendor() without being
+reduced to len-(offsetof(struct bootp_hdr,bp_vend)+4).
+The packet length is also checked against its minimum size to avoid
+reading data from struct bootp_hdr outside of the packet length.
+Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com>
+Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
+CVE: CVE-2024-42040
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/81e5708cc2c865df606e49aed5415adb2a662171]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ net/bootp.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+diff --git a/net/bootp.c b/net/bootp.c
+index 68002909634..843180d296c 100644
+--- a/net/bootp.c
+++ b/net/bootp.c
+@@ -362,6 +362,14 @@ static void bootp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
+        debug("got BOOTP packet (src=%d, dst=%d, len=%d want_len=%zu)\n",
+              src, dest, len, sizeof(struct bootp_hdr));
+ 
+       /* Check the minimum size of a BOOTP packet is respected.
+        * A BOOTP packet is between 300 bytes and 576 bytes big
+        */
+       if (len < offsetof(struct bootp_hdr, bp_vend) + 64) {
+               printf("Error: got an invalid BOOTP packet (len=%u)\n", len);
+               return;
+       }
+
+        bp = (struct bootp_hdr *)pkt;
+ 
+        /* Filter out pkts we don't want */
+@@ -379,7 +387,8 @@ static void bootp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
+ 
+        /* Retrieve extended information (we must parse the vendor area) */
+        if (net_read_u32((u32 *)&bp->bp_vend[0]) == htonl(BOOTP_VENDOR_MAGIC))
+-               bootp_process_vendor((uchar *)&bp->bp_vend[4], len);
+               bootp_process_vendor((uchar *)&bp->bp_vend[4], len -
+                                    (offsetof(struct bootp_hdr, bp_vend) + 4));
+ 
+        net_set_timeout_handler(0, (thand_f *)0);
+        bootstage_mark_name(BOOTSTAGE_ID_BOOTP_STOP, "bootp_stop");
+-- 
+2.49.0
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index d366f10398..7a63420642 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -14,7 +14,9 @@ PE = "1"
 # repo during parse
 SRCREV = "d637294e264adfeb29f390dfc393106fd4d41b17"
-SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master"
+SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
+           file://CVE-2024-42040.patch \
+"
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build"

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch new file mode 100644 index 0000000000..2d250e51b7 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch
@@ -0,0 +1,56 @@
		1	From 1406fc918977bba4dac0af5e22e63a5553aa6aff Mon Sep 17 00:00:00 2001
		2	From: Paul HENRYS <paul.henrys_ext@softathome.com>
		3	Date: Thu, 9 Oct 2025 17:43:28 +0200
		4	Subject: [PATCH] net: bootp: Prevent buffer overflow to avoid leaking the RAM
		5	content
		6
		7	CVE-2024-42040 describes a possible buffer overflow when calling
		8	bootp_process_vendor() in bootp_handler() since the total length
		9	of the packet is passed to bootp_process_vendor() without being
		10	reduced to len-(offsetof(struct bootp_hdr,bp_vend)+4).
		11
		12	The packet length is also checked against its minimum size to avoid
		13	reading data from struct bootp_hdr outside of the packet length.
		14
		15	Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com>
		16	Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
		17
		18	CVE: CVE-2024-42040
		19	Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/81e5708cc2c865df606e49aed5415adb2a662171]
		20	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		21	---
		22	net/bootp.c \| 11 ++++++++++-
		23	1 file changed, 10 insertions(+), 1 deletion(-)
		24
		25	diff --git a/net/bootp.c b/net/bootp.c
		26	index 68002909634..843180d296c 100644
		27	--- a/net/bootp.c
		28	+++ b/net/bootp.c
		29	@@ -362,6 +362,14 @@ static void bootp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
		30	debug("got BOOTP packet (src=%d, dst=%d, len=%d want_len=%zu)\n",
		31	src, dest, len, sizeof(struct bootp_hdr));
		32
		33	+ /* Check the minimum size of a BOOTP packet is respected.
		34	+ * A BOOTP packet is between 300 bytes and 576 bytes big
		35	+ */
		36	+ if (len < offsetof(struct bootp_hdr, bp_vend) + 64) {
		37	+ printf("Error: got an invalid BOOTP packet (len=%u)\n", len);
		38	+ return;
		39	+ }
		40	+
		41	bp = (struct bootp_hdr *)pkt;
		42
		43	/* Filter out pkts we don't want */
		44	@@ -379,7 +387,8 @@ static void bootp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
		45
		46	/* Retrieve extended information (we must parse the vendor area) */
		47	if (net_read_u32((u32 *)&bp->bp_vend[0]) == htonl(BOOTP_VENDOR_MAGIC))
		48	- bootp_process_vendor((uchar *)&bp->bp_vend[4], len);
		49	+ bootp_process_vendor((uchar *)&bp->bp_vend[4], len -
		50	+ (offsetof(struct bootp_hdr, bp_vend) + 4));
		51
		52	net_set_timeout_handler(0, (thand_f *)0);
		53	bootstage_mark_name(BOOTSTAGE_ID_BOOTP_STOP, "bootp_stop");
		54	--
		55	2.49.0
		56


diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc index d366f10398..7a63420642 100644 --- a/meta/recipes-bsp/u-boot/u-boot-common.inc +++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -14,7 +14,9 @@ PE = "1"
14	# repo during parse	14	# repo during parse
15	SRCREV = "d637294e264adfeb29f390dfc393106fd4d41b17"	15	SRCREV = "d637294e264adfeb29f390dfc393106fd4d41b17"
16		16
17	SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master"	17	SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
		18	file://CVE-2024-42040.patch \
		19	"
18		20
19	S = "${WORKDIR}/git"	21	S = "${WORKDIR}/git"
20	B = "${WORKDIR}/build"	22	B = "${WORKDIR}/build"