Clarify in the public API and Kconfig help that server mode can send
Version Negotiation and enforce anti-amplification, but Retry and
NEW_TOKEN-based address-validation tokens are not yet implemented.
Also warn when an Initial packet carries a token that the current
implementation does not process.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Initial packet DCID must be >= 8 bytes long. Enforce that
and test it too.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Make sure we send a proper version negotiation packet if
we receive a QUIC version packet that we do not support.
Add tests that make sure version negotiation works ok.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Enforce RFC 9000 Section 8.1 by limiting server transmission to
three times the bytes received from an unvalidated client address.
Gate the behavior behind CONFIG_QUIC_SERVER_ANTI_AMPLIFICATION_LIMIT
to preserve feature-testing scenarios that intentionally bypass the
limit.
Add tests that verify the anti-amplification budget handling.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
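The three server-side checks described in the QUIC commits above (an Initial packet's DCID must be at least 8 bytes, an unsupported version is answered with a Version Negotiation packet, and an unvalidated address may be sent at most three times the bytes received from it) as one added C example. This is a constructed illustration, not Zephyr's QUIC implementation: the `quic_*` and `demo_*` names, the single supported version, the per-address budget struct and the test packet builder are assumptions; the packet layouts follow RFC 8999 and RFC 9000.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define QUIC_V1 0x00000001u
#define QUIC_MIN_INITIAL_DCID_LEN 8u   /* Initial DCID must be >= 8 bytes */
#define QUIC_AMPLIFICATION_FACTOR 3u   /* RFC 9000 Section 8.1 */

/* Assumption: this demo server supports only QUIC v1. */
static const uint32_t supported_versions[] = { QUIC_V1 };
#define N_SUPPORTED (sizeof(supported_versions) / sizeof(supported_versions[0]))

struct quic_long_hdr {
	uint32_t version;
	uint8_t dcid_len, scid_len;
	const uint8_t *dcid, *scid;
};

/* Per-peer-address anti-amplification state (constructed, not Zephyr's). */
struct quic_addr_budget {
	size_t bytes_received, bytes_sent;
	bool validated;
};

enum quic_action { QUIC_DROP, QUIC_SEND_VERSION_NEGOTIATION, QUIC_PROCESS_INITIAL };

/* Parse the version-independent long-header fields (RFC 8999 Section 5.1). */
bool quic_parse_long_header(const uint8_t *pkt, size_t len, struct quic_long_hdr *h)
{
	size_t pos = 5;

	if (len < 7 || (pkt[0] & 0x80) == 0) return false;
	h->version = ((uint32_t)pkt[1] << 24) | ((uint32_t)pkt[2] << 16) |
		     ((uint32_t)pkt[3] << 8) | pkt[4];
	h->dcid_len = pkt[pos++];
	if (pos + h->dcid_len + 1 > len) return false;
	h->dcid = pkt + pos;
	pos += h->dcid_len;
	h->scid_len = pkt[pos++];
	if (pos + h->scid_len > len) return false;
	h->scid = pkt + pos;
	return true;
}

bool quic_version_supported(uint32_t version)
{
	for (size_t i = 0; i < N_SUPPORTED; i++) {
		if (supported_versions[i] == version) return true;
	}
	return false;
}

/* Before the address is validated the server may send at most 3x what it
 * has received from it; once validated the limit no longer applies. */
bool quic_budget_can_send(const struct quic_addr_budget *b, size_t n)
{
	return b->validated ||
	       b->bytes_sent + n <= QUIC_AMPLIFICATION_FACTOR * b->bytes_received;
}

/* Version Negotiation packet (RFC 8999 Section 6): version 0, the client's
 * CIDs echoed back swapped, then the supported versions. Returns bytes
 * written, or 0 if `out` is too small. */
size_t quic_build_version_negotiation(const struct quic_long_hdr *h,
				      uint8_t *out, size_t out_len)
{
	size_t need = 1 + 4 + 1 + h->scid_len + 1 + h->dcid_len + 4 * N_SUPPORTED;
	size_t pos = 0;

	if (need > out_len) return 0;
	out[pos++] = 0x80;          /* long header form; low 7 bits are unused */
	memset(out + pos, 0, 4);    /* version 0 identifies Version Negotiation */
	pos += 4;
	out[pos++] = h->scid_len;
	memcpy(out + pos, h->scid, h->scid_len);
	pos += h->scid_len;
	out[pos++] = h->dcid_len;
	memcpy(out + pos, h->dcid, h->dcid_len);
	pos += h->dcid_len;
	for (size_t i = 0; i < N_SUPPORTED; i++) {
		uint32_t v = supported_versions[i];

		out[pos++] = (uint8_t)(v >> 24);
		out[pos++] = (uint8_t)(v >> 16);
		out[pos++] = (uint8_t)(v >> 8);
		out[pos++] = (uint8_t)v;
	}
	return pos;
}

/* Server-side decision for one datagram from a not-yet-validated address. */
enum quic_action quic_server_handle_initial(const uint8_t *dgram, size_t len,
					    struct quic_addr_budget *b, uint8_t *out,
					    size_t out_len, size_t *out_used)
{
	struct quic_long_hdr h;

	*out_used = 0;
	b->bytes_received += len;   /* every received byte grows the budget */
	if (!quic_parse_long_header(dgram, len, &h)) return QUIC_DROP;
	if (!quic_version_supported(h.version)) {
		size_t n = quic_build_version_negotiation(&h, out, out_len);

		/* The reply itself is charged against the amplification budget. */
		if (n == 0 || !quic_budget_can_send(b, n)) return QUIC_DROP;
		b->bytes_sent += n;
		*out_used = n;
		return QUIC_SEND_VERSION_NEGOTIATION;
	}
	/* v1 Initial: long packet type bits (0x30) are 0; DCID must be >= 8 bytes */
	if ((dgram[0] & 0x30) != 0 || h.dcid_len < QUIC_MIN_INITIAL_DCID_LEN) return QUIC_DROP;
	return QUIC_PROCESS_INITIAL;
}

/* Constructed client Initial: 0xC0 first byte (long header, fixed bit, type
 * Initial), `dcid_len` bytes of 0x11 as DCID, four 0xAA bytes as SCID, zero
 * padding up to `len`. Returns `len`, or 0 if that does not fit. */
size_t demo_build_initial(uint8_t *buf, size_t len, uint32_t version, uint8_t dcid_len)
{
	size_t pos = 0;

	if (len < 7u + dcid_len + 4u) return 0;
	memset(buf, 0, len);
	buf[pos++] = 0xC0;
	buf[pos++] = (uint8_t)(version >> 24);
	buf[pos++] = (uint8_t)(version >> 16);
	buf[pos++] = (uint8_t)(version >> 8);
	buf[pos++] = (uint8_t)version;
	buf[pos++] = dcid_len;
	memset(buf + pos, 0x11, dcid_len);
	pos += dcid_len;
	buf[pos++] = 4;
	memset(buf + pos, 0xAA, 4);
	return len;
}

/* Scratch state for driving the functions above. */
uint8_t demo_pkt[1200], demo_out[64];
size_t demo_out_used;
struct quic_addr_budget demo_budget;
```

A 1200-byte Initial with version 0xbabababa yields a 23-byte Version Negotiation packet, well inside the 3600-byte budget that datagram created; the same packet arriving when the address has already been charged 40 bytes against a 19-byte receipt is dropped instead, because the reply would exceed the limit.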
NET_IF_MAX_CONFIGS is always 1, therefore the NET_IF_INIT and
NET_IF_OFFLOAD_INIT macros can be simplified by removing the array and
using a single struct net_if and struct net_if_dev instead.
This also removes the use of designated initializers with ranges, which
is a GNU extension.
https://gcc.gnu.org/onlinedocs/gcc/Designated-Inits.html
Signed-off-by: Fin Maaß <f.maass@vogl-electronic.com>
As the Ethernet API already includes
struct net_if as an argument for its
functions, also add it to struct wifi_mgmt_ops.
Signed-off-by: Fin Maaß <f.maass@vogl-electronic.com>
If a user created an observe request that is kept alive, it's not easy to
notify the server to stop the observe.
Add a function that sends a GET with the observer option set to 1 prior
to internal cleanup.
Signed-off-by: Pieter De Gendt <pieter.degendt@basalte.be>
Fix `sntp_close_async` closing the socket while the socket service is
still polling it by deferring the close operation to the socket service.
Signed-off-by: Jordan Yates <jordan@embeint.com>
Closing a socket while it is being polled by another thread is
discouraged and should be avoided. This results in a problem when
attempting to unregister a service via `net_socket_service_unregister`:
the caller has no way of knowing when the socket service has stopped
polling on the socket and it is safe to close.
Solve this issue by introducing `net_socket_service_close`, which
signals the socket service to automatically close the sockets associated
with the service when it stops polling them.
Signed-off-by: Jordan Yates <jordan@embeint.com>
In #90652 we removed phy related config from eth api;
unfortunately, ETHERNET_CONFIG_TYPE_T1S_PARAM was forgotten
and not removed.
Signed-off-by: Fin Maaß <f.maass@vogl-electronic.com>
The two reference counts in the net_buf library -- the per-header
`buf->ref` and the per-data-block `*ref_count` byte at the start of
each variable-data allocation -- were manipulated with plain non-atomic
C operators (`++`, `--`, `if (--rc)`, `if (!rc)`).
The documented contract says otherwise. The Network Buffers chapter of
the Zephyr docs (`doc/services/net_buf/index.rst`) states:
"The buffers have native support for being passed through k_fifo
kernel objects. Use k_fifo_put and k_fifo_get to pass buffer from
one thread to another."
"The reference count can be incremented with net_buf_ref() or
decremented with net_buf_unref(). When the count drops to zero the
buffer is automatically placed back to the free buffers pool."
There is no requirement for callers to hold a higher-level lock around
ref/unref. The API is documented as self-synchronizing, and existing
users (notably zbus's msg-subscriber path) rely on exactly that:
a producer clones a buffer N times and hands the clones off to N
subscriber threads via their FIFOs, after which the N+1 holders
independently call `net_buf_unref()` with no surrounding lock.
With non-atomic decrement-and-test, two CPUs can concurrently observe
the same prior value (e.g. 1), both decrement, and both conclude they
were the last reference. Concrete failure modes:
* `mem_pool_data_unref`: both CPUs call `k_heap_free(pool, ref_count)`
on the same block. `k_heap_free` is internally serialized, so the
duplicate free typically corrupts heap metadata silently.
* `heap_data_unref`: both CPUs call `k_free(ref_count)` on the same
block. `k_free` reads the owning `struct k_heap *` from the 8 bytes
immediately preceding `ref_count`. The first call frees the block
and the heap-hardening fill replaces those 8 bytes with the poison
pattern (0xcfdfdfdfdfdfdfcf). The second call then dereferences a
poisoned pointer and faults inside `k_spin_lock` (translation
fault on the bogus heap address).
* `net_buf_unref`: two CPUs racing the per-header decrement-and-test
can both decide "I am the last reference," both proceed to
`net_buf_destroy()`, and the buffer is returned to the pool's LIFO
twice -- silently corrupting the free list.
Fix: use atomic operations on both reference counts.
The per-data-block refcount changes from `uint8_t` to `atomic_t`. This
fits inside the existing `GET_ALIGN(pool)` reservation (>= sizeof(void
*)) at no memory cost.
The per-header `buf->ref` is overlaid in a union with three small
adjacent uint8_t fields (`flags`, `pool_id`, `user_data_size`) and an
`atomic_t ref_word` view of the same storage:
    union {
        atomic_t ref_word;
        struct {
            uint8_t ref;
            uint8_t flags;
            uint8_t pool_id;
            uint8_t user_data_size;
        };
    };
(Byte order conditional on endianness so `ref` is always the LSB of
`ref_word`; on big-endian 64-bit, the byte struct is shifted by 4
bytes of padding for the same reason.)
Net_buf internals issue `atomic_inc(&buf->ref_word)` /
`atomic_dec(&buf->ref_word)` and narrow the returned word value to
`uint8_t` to extract the ref byte. Because the ref count is bounded
to 254 (already implicit in its uint8_t domain), atomic_inc/dec
adjusts only the LSB; the other three bytes are untouched. Plain
uint8_t reads of `buf->ref` from non-atomic call sites continue to
work, so the change is transparent to the dozens of consumers that
read it for diagnostics.
`flags`, `pool_id` and `user_data_size` are written exactly once at
allocation time on a single thread (or, for `flags`, from a context
that owns the buf exclusively such as bt_buf_make_view on a fresh
view), so there are no concurrent byte writes that could conflict
with the atomic word update. struct net_buf does not grow on either
32-bit or 64-bit: on 32-bit the four bytes are exactly `sizeof(long)`,
on 64-bit they fit in alignment padding the next field already
required.
A BUILD_ASSERT in lib/net_buf/buf.c documents the
`atomic_t == long` assumption that the conditional padding relies on.
In `net_buf_unref`, the per-header refcount and the fields needed for
the debug log (`buf->pool_id`) are captured into local variables
*before* the atomic decrement -- once the reference is dropped, another
CPU may immediately free the buffer, so the buffer must not be read
again. The post-decrement diagnostic log uses the value returned by
`atomic_dec` rather than re-reading `buf->ref`. The `pool->avail_count`
sanity check uses the value returned by `atomic_inc` to avoid a
follow-up `atomic_get` of memory another CPU may have changed.
`net_pkt_frag_unref()` previously had the racy
`if (frag->ref == 1U) alloc_del(); net_buf_unref();` pattern; it is
restructured to do the atomic decrement here and slot the tracker call
in atomically with the "I'm the last reference" decision, with
`net_pkt_frag_del()` routed through it.
This bug had been latent. On real SMP hardware the race window is very
small and the typical net_buf consumers (Bluetooth, networking) tend
to use fixed-data pools (`fixed_data_unref` is a no-op). The race
manifests reliably under FVP, where the FastModel's quantum-based
execution model can schedule N threads to all reach the unref point in
the same simulated moment. We discovered it through the zbus
`msg_subscriber_dynamic_isolated` sample, which exchanges shared data
buffers among 16+ subscribers running on 4 SMP cores.
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
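The refcount discipline the commit above describes, as an added C example that is not the net_buf code itself: a header word overlaid with the ref byte and its three sibling bytes, an increment/decrement on the whole word narrowed to `uint8_t`, the fields for the tail captured before the decrement, and the "last reference" decision made from the returned value rather than a re-read. Assumptions are marked in the comments: it uses C11 `<stdatomic.h>` on a 32-bit word rather than Zephyr's `atomic_t`/`long` (so the 64-bit padding case is not modelled), and the `demo_*` names and the zbus-style fan-out are constructed.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-in for the net_buf header word. Assumption: a 32-bit
 * word instead of Zephyr's atomic_t (long), which sidesteps the 64-bit
 * padding the commit handles with BUILD_ASSERT. `ref` sits at the
 * least-significant end of the word, so +1/-1 on the word touches only
 * that byte as long as the count stays inside its uint8_t domain. */
struct demo_buf {
	union {
		_Atomic uint32_t ref_word;
		struct {
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
			uint8_t ref, flags, pool_id, user_data_size;
#else
			uint8_t user_data_size, pool_id, flags, ref;
#endif
		};
	};
	unsigned int destroy_calls;   /* stands in for net_buf_destroy(); must end at 1 */
};

#define DEMO_REF_MAX 254u   /* same bound as the uint8_t refcount domain */

uint8_t demo_last_destroyed_pool;   /* what the post-decrement debug log would report */

/* Allocation happens on one thread: the sibling bytes are written once here
 * and never again, so they cannot race the atomic word updates below. */
void demo_buf_init(struct demo_buf *buf, uint8_t flags, uint8_t pool_id,
		   uint8_t user_data_size)
{
	buf->ref = 1;
	buf->flags = flags;
	buf->pool_id = pool_id;
	buf->user_data_size = user_data_size;
	buf->destroy_calls = 0;
}

/* Take a reference. Returns the new count, or 0 (buffer unchanged) when the
 * count is already saturated. */
uint8_t demo_buf_ref(struct demo_buf *buf)
{
	uint8_t prev = (uint8_t)atomic_fetch_add(&buf->ref_word, 1);

	if (prev >= DEMO_REF_MAX) {
		atomic_fetch_sub(&buf->ref_word, 1);
		return 0;
	}
	return prev + 1;
}

/* Drop a reference. Returns true for exactly one caller: the one whose
 * decrement took the count to zero. Everything the tail needs is captured
 * before the decrement, because once it is published another CPU may free
 * the buffer; the decision uses the returned value, never a re-read. */
bool demo_buf_unref(struct demo_buf *buf)
{
	uint8_t pool_id = buf->pool_id;
	uint8_t prev = (uint8_t)atomic_fetch_sub(&buf->ref_word, 1);

	if (prev == 0) {   /* unref of an already-released buffer: undo and report */
		atomic_fetch_add(&buf->ref_word, 1);
		return false;
	}
	if (prev != 1) {
		return false;   /* other holders remain; buf must not be touched */
	}
	buf->destroy_calls++;   /* last reference: safe to return to the pool */
	demo_last_destroyed_pool = pool_id;
	return true;
}

/* The zbus-style pattern from the commit: the producer clones the buffer
 * for n subscribers, then all n+1 holders unref independently. Returns how
 * many of those unrefs concluded they were the last one (must be 1). */
unsigned int demo_handoff(struct demo_buf *buf, unsigned int n)
{
	unsigned int last = 0;

	for (unsigned int i = 0; i < n; i++) {
		demo_buf_ref(buf);
	}
	for (unsigned int i = 0; i < n + 1; i++) {
		last += demo_buf_unref(buf) ? 1 : 0;
	}
	return last;
}

/* Count how many refs a freshly initialised buffer accepts before saturating. */
unsigned int demo_saturate(struct demo_buf *buf)
{
	unsigned int taken = 0;

	demo_buf_init(buf, 0, 0, 0);
	while (demo_buf_ref(buf) != 0) {
		taken++;
	}
	return taken;
}

bool demo_siblings_intact(const struct demo_buf *buf, uint8_t flags,
			  uint8_t pool_id, uint8_t user_data_size)
{
	return buf->flags == flags && buf->pool_id == pool_id &&
	       buf->user_data_size == user_data_size;
}

struct demo_buf demo_b;
```

Running the fan-out with 16 subscribers produces exactly one "last reference" decision and leaves `flags`, `pool_id` and `user_data_size` untouched; a stray extra unref after release is detected rather than freeing twice. The race itself cannot be shown deterministically single-threaded, which is why the decision is taken from the atomic's return value: two callers can never both observe `prev == 1`.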
Replace CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN with the new
CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN and CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN
options across all in-tree .conf files, hostap Kconfig defaults, and
socket subsystem help text.
This completes the deprecation of MBEDTLS_SSL_MAX_CONTENT_LEN in favor
of independent incoming/outgoing buffer size control.
Signed-off-by: Rithic Chellaram Hariharan <gr8rithic@gmail.com>
Handle NewSessionTicket in poll() syscall (via tls_update_pollin() and
tls_data_check()) similarly to how it is handled in recv() / read() syscall
(via recv_tls()).
This event is semantically the same as "want read" and "want write", since
it does not contain any application data or error. This means that we just
want to proceed with reading and not treat that as error.
Fixes: 6be57aaedf ("net: sockets_tls: add support for TLS 1.3")
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
The lwm2m registry time series elements were previously stored in a
ring buffer which added complexity to the code when adding and removing
elements from the buffer. This commit changes the implementation to use
the sys_ringq instead, simplifying the code and making it easier to
maintain over time.
Signed-off-by: Måns Ansgariusson <mansgariusson@gmail.com>
When building MQTT with MQTT_LIB_WEBSOCKET,
compilation fails due to implicit declaration of function 'NET_ERR'.
Add include for zephyr/net/net_log.h to pull in declaration.
Signed-off-by: Jacob Schloss <jacob.schloss@suburbanmarine.io>
Fixes a few occurrences of "maybe uninitialized" variables that are
flagged when -Wmaybe-uninitialized is enabled. Seen when running e.g.
./scripts/twister -p mps2/an385 -T tests/net/lib/coap_server/common
in "--coverage" mode.
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Give the PTP transport protocol choice a symbol name so tests and
application fragments can override its default through Kconfig.
Signed-off-by: Philipp Steiner <philipp.steiner1987@gmail.com>
dns_unpack_answer() validated only the fixed RR header size and
accepted any rdlength, even one extending past the end of the packet.
TXT and SRV consumers in resolve.c then read up to rdlength bytes from
the message buffer, causing an out-of-bounds read on a truncated or
crafted response.
Reject any RR whose declared rdata extends past dns_msg->msg_size at
the single chokepoint in dns_unpack_answer(), so all current and
future RR consumers are covered.
Signed-off-by: Flavio Ceolin <flavio@hubblenetwork.com>
The checks validating RA, NS and NA packets content on input were not
correct - packets should be dropped in case any of those checks failed,
however current logic was invalid, causing other checks to be ignored as
long as the ICMPv6 code was correct (i.e. 0).
Apart from fixing the logic, split the single convoluted if condition
into separate if checks for better readability.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
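An added C illustration of the class of logic bug the commit above describes, not the original condition from the ICMPv6 code: a constructed view of the RFC 4861 Section 7.1.1 input requirements for a Neighbor Solicitation, one validator with the checks folded into a single expression where a correct code of 0 short-circuits everything else, and one with separate if checks. The `nd_ns_view`, `ns_valid_*` and `demo_ns_*` names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed view of only the fields the RFC 4861 Section 7.1.1 checks for
 * a Neighbor Solicitation need. */
struct nd_ns_view {
	uint8_t hop_limit;           /* must be 255 */
	uint8_t icmp_code;           /* must be 0 */
	uint16_t icmp_len;           /* must be >= 24 */
	uint8_t target_first_byte;   /* 0xff means a multicast target: invalid */
};

#define NS_MIN_ICMP_LEN 24

/* Illustrative shape of the described bug (constructed, not the original
 * condition): all requirements are folded into one expression guarded by
 * the code check, so when the code is right the hop limit, length and
 * target are never inspected and the packet is accepted. */
bool ns_valid_folded(const struct nd_ns_view *p)
{
	if (p->icmp_code != 0 &&
	    (p->hop_limit != 255 || p->icmp_len < NS_MIN_ICMP_LEN ||
	     p->target_first_byte == 0xff)) {
		return false;
	}
	return true;
}

/* Fixed form: one check per requirement, each dropping the packet on its own. */
bool ns_valid_split(const struct nd_ns_view *p)
{
	if (p->icmp_code != 0) {
		return false;
	}
	if (p->hop_limit != 255) {
		return false;
	}
	if (p->icmp_len < NS_MIN_ICMP_LEN) {
		return false;
	}
	if (p->target_first_byte == 0xff) {
		return false;
	}
	return true;
}

/* Constructed packets: a valid NS, an NS that crossed a router (hop limit 64)
 * with the correct code, and one with a bad code as well. */
const struct nd_ns_view demo_ns_good = { 255, 0, 24, 0xfe };
const struct nd_ns_view demo_ns_bad_hop = { 64, 0, 24, 0xfe };
const struct nd_ns_view demo_ns_bad_code = { 64, 1, 24, 0xfe };
const struct nd_ns_view demo_ns_mcast_target = { 255, 0, 24, 0xff };
```

The folded form accepts `demo_ns_bad_hop` and `demo_ns_mcast_target` because their code is 0; the split form rejects both. Both forms agree on the fully valid packet and on the one whose code is wrong, which is why a test suite that only varies the code never catches this.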
The first issue is that the query offset was not properly updated.
The second issue is more complex and relates to the use of message
compression in domain names
(https://datatracker.ietf.org/doc/html/rfc1035#section-4.1.4). The
pointers can be nested (i.e. a first pointer pointing to a label with
another pointer).
For example: _http._tcp.local can be represented via:
'_http' + (pointer to a '_tcp' label + (pointer to a 'local' label)).
This was not properly implemented; only single pointers were supported.
Signed-off-by: Sebastiaan Merckx <sebastiaan.merckx@verhaert.com>
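An added C example serving both DNS commits above, the rdlength chokepoint in dns_unpack_answer() and the nested compression pointers: a name decoder that follows pointer chains of any depth while requiring every pointer to point backwards (which is what RFC 1035 Section 4.1.4 means by a prior occurrence, and what guarantees termination), and a resource-record parser that rejects any RDLENGTH extending past the message. It is a constructed illustration, not Zephyr's resolver code; the `dns_unpack_name`, `dns_unpack_rr`, `struct dns_rr` and `demo_*` names and the sample response bytes are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_RR_HDR_LEN 10   /* TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) */

struct dns_rr {
	uint16_t type, rclass, rdlength;
	uint32_t ttl;
	size_t rdata_off;   /* offset of RDATA within the message */
};

/* Decode the (possibly compressed) name at `pos` into dotted form. Returns
 * the bytes the name occupies in the original stream (up to and including
 * the first pointer, or the terminating zero), or -1 if malformed. Nested
 * pointers are followed; each must point strictly backwards. */
int dns_unpack_name(const uint8_t *msg, size_t msg_len, size_t pos,
		    char *out, size_t out_len)
{
	size_t consumed = 0, out_pos = 0;
	bool jumped = false;

	if (out_len == 0) return -1;
	for (;;) {
		uint8_t len;

		if (pos >= msg_len) return -1;
		len = msg[pos];
		if ((len & 0xC0) == 0xC0) {   /* compression pointer (RFC 1035 4.1.4) */
			size_t target;

			if (pos + 1 >= msg_len) return -1;
			target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
			/* A pointer refers to a prior occurrence: insisting on
			 * target < pos rules out loops and forward jumps, so a
			 * chain of nested pointers always terminates. */
			if (target >= pos) return -1;
			if (!jumped) {
				consumed += 2;
				jumped = true;
			}
			pos = target;
			continue;
		}
		if (len & 0xC0) return -1;   /* 0x40/0x80 label types are reserved */
		if (!jumped) consumed += 1 + len;
		if (len == 0) break;
		if (pos + 1 + len > msg_len) return -1;   /* label runs past the message */
		if (out_pos + (out_pos ? 1 : 0) + len + 1 > out_len) return -1;
		if (out_pos) out[out_pos++] = '.';
		memcpy(out + out_pos, msg + pos + 1, len);
		out_pos += len;
		pos += 1 + len;
	}
	out[out_pos] = '\0';
	return (int)consumed;
}

/* Parse one resource record at `pos`. Besides the fixed header, rejects any
 * RDLENGTH that would extend past msg_len, so no consumer of rr->rdata_off
 * can read out of bounds. Returns the offset of the next record, or -1. */
int dns_unpack_rr(const uint8_t *msg, size_t msg_len, size_t pos,
		  char *name, size_t name_len, struct dns_rr *rr)
{
	int n = dns_unpack_name(msg, msg_len, pos, name, name_len);

	if (n < 0) return -1;
	pos += (size_t)n;
	if (pos + DNS_RR_HDR_LEN > msg_len) return -1;
	rr->type = (uint16_t)((msg[pos] << 8) | msg[pos + 1]);
	rr->rclass = (uint16_t)((msg[pos + 2] << 8) | msg[pos + 3]);
	rr->ttl = ((uint32_t)msg[pos + 4] << 24) | ((uint32_t)msg[pos + 5] << 16) |
		  ((uint32_t)msg[pos + 6] << 8) | msg[pos + 7];
	rr->rdlength = (uint16_t)((msg[pos + 8] << 8) | msg[pos + 9]);
	rr->rdata_off = pos + DNS_RR_HDR_LEN;
	if (rr->rdata_off + rr->rdlength > msg_len) return -1;   /* the single chokepoint */
	return (int)(rr->rdata_off + rr->rdlength);
}

/* Constructed response: question "_http._tcp.local" (PTR), one answer whose
 * name is a pointer to offset 12 and whose RDATA is "www" followed by a
 * pointer to offset 34, which is itself a pointer (nested compression). */
const uint8_t demo_dns_msg[] = {
	0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
	/* 12: */ 5, '_', 'h', 't', 't', 'p', 4, '_', 't', 'c', 'p',
	5, 'l', 'o', 'c', 'a', 'l', 0,
	/* 30: QTYPE=PTR, QCLASS=IN */ 0x00, 0x0c, 0x00, 0x01,
	/* 34: answer name -> offset 12 */ 0xc0, 0x0c,
	/* 36: TYPE=PTR, CLASS=IN, TTL=3600, RDLENGTH=6 */
	0x00, 0x0c, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x06,
	/* 46: "www" + pointer -> offset 34 */ 3, 'w', 'w', 'w', 0xc0, 0x22,
};
const uint8_t demo_dns_fwd_ptr[] = { 0xc0, 0x02, 0x00 };   /* forward pointer: invalid */

char demo_dns_name[256];
struct dns_rr demo_dns_rr;

/* Re-parse the answer with a patched RDLENGTH to exercise the chokepoint. */
int demo_dns_rr_with_rdlength(uint16_t rdlength)
{
	uint8_t copy[sizeof(demo_dns_msg)];

	memcpy(copy, demo_dns_msg, sizeof(copy));
	copy[44] = (uint8_t)(rdlength >> 8);
	copy[45] = (uint8_t)rdlength;
	return dns_unpack_rr(copy, sizeof(copy), 34, demo_dns_name,
			     sizeof(demo_dns_name), &demo_dns_rr);
}
```

Decoding the RDATA at offset 46 follows two pointers (46 to 34 to 12) and yields "www._http._tcp.local" while reporting only the 6 bytes the name occupies in place, which is the offset the next field has to start from. Patching RDLENGTH from 6 to 7, or handing the parser a message truncated to 50 bytes, is rejected at the record level before any TXT or SRV consumer could read from it.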
Add NULL checks for iface and addr in IPv4/IPv6 maddr add/rm
to prevent potential dereferences.
Signed-off-by: Muhammad Waleed Badar <walid.badar@gmail.com>
Display raw packet socket statistics (recv, sent, drop, bytes) in the
"net stats" shell command output. This follows the same display format
as the existing UDP and TCP statistics sections.
Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Assisted-by: Cursor:opus-4.6
Add statistics tracking for raw/packet sockets (AF_PACKET), following
the same pattern as existing UDP and TCP statistics. This tracks packet
counts (sent, received, dropped) and byte counts for raw socket traffic.
The new CONFIG_NET_STATISTICS_RAW Kconfig option is enabled by default
when CONFIG_NET_SOCKETS_PACKET is active. Statistics are updated in the
AF_PACKET send path (net_context.c) and the packet socket delivery path
(connection.c).
Includes NET_MGMT user API support, periodic output, and Prometheus
metrics integration.
Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Assisted-by: Cursor:opus-4.6
Without this we can have scenarios where PSA Crypto headers are not
found under certain configurations.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Set iface in data during build, so we don't have to set it later in
the iface init. Due to the fact that we already set the id of the data
structure during build, it is already in the data section of the linker
and not the bss section, so that it doesn't increase the size of the
binary. At the same time we save some code and instructions to set the
iface in the data structure during init.
Signed-off-by: Fin Maaß <f.maass@vogl-electronic.com>
Defining the function counterparts for cabled Ethernet to operate on
the list of interfaces and differentiate them from the 802.11 based ones.
Signed-off-by: Andrea Gilardoni <a.gilardoni@arduino.cc>
There are situations where the internal DNS resolver will reject the packet,
and in this case the query index is not calculated.
This may break the forwarding mechanism:
if DNS packet forwarding is enabled and internal validation fails, some
checks are done and an attempt to calculate the query index is performed, so
the packet can be forwarded and used.
Signed-off-by: Cristian Bulacu <cristian.bulacu@nxp.com>
Remove the hardcoded setsockopt(TLS_HOSTNAME, "localhost") which
prevents server-side peer certificate verification from working: the
hostname check compares "localhost" against the client cert's CN/SAN,
which will never match a real client certificate.
Signed-off-by: Steven Friedman <friedman@ionq.co>
net_virtual_set_name already makes sure
that the string ends with 0, therefore
we can directly provide the constant string.
Signed-off-by: Fin Maaß <f.maass@vogl-electronic.com>
Because these 2 bools come after a uint16_t, which itself is after
a pointer, there should be space for 16 bits, so we can have the
bools regular instead of bit-fields.
Signed-off-by: Fin Maaß <f.maass@vogl-electronic.com>
`MBEDTLS_SSL_PROTO_DTLS` depends on `MBEDTLS_SSL_PROTO_TLS1_2`, so if
we are selecting the former, we must also select the latter.
Signed-off-by: Jordan Yates <jordan@embeint.com>
Cancellation can run on timeout paths where a context-based buffer
allocation timeout can expire immediately.
- allocate the temporary packed-name net_buf with K_FOREVER
- keep existing ENOMEM handling for pool exhaustion
Assisted-by: Codex:gpt-5.3-codex
Signed-off-by: Adam Szewczyk <a.szewczyk@cthings.co>
Treat resolver-side -EAGAIN as a temporary DNS condition and return
DNS_EAI_AGAIN instead of DNS_EAI_SYSTEM so callers can handle retries
consistently.
Assisted-by: Codex:gpt-5.3-Codex
Signed-off-by: Adam Szewczyk <a.szewczyk@cthings.co>
Cancel each timed-out DNS request before retrying and reset the local
semaphore state between attempts. This prevents stale delayed callbacks
from touching stack-backed getaddrinfo state after timeout progression.
Assisted-by: Codex:gpt-5.3-Codex
Signed-off-by: Adam Szewczyk <a.szewczyk@cthings.co>
Decouple NET_HOSTNAME_MAX_LEN from NET_HOSTNAME_DYNAMIC to resolve
Kconfig conflict when using POSIX networking with unique hostname
updates. This restores functionality that worked in Zephyr 3.6.
- Remove forced selection of NET_HOSTNAME_DYNAMIC from POSIX_NETWORKING
- Make NET_HOSTNAME_MAX_LEN available independently
- Add build assertions for hostname length validation
- Update test configurations for new dependency structure
Fixes: zephyrproject-rtos#95811
Signed-off-by: Pragati Garg <pragatigarg@eaton.com>
Add ZSOCK_QUIC_SO_CERT_CHAIN_DEL socket option that can be used
to delete the CA cert chain from the connection socket.
Add a test to verify that the deletion works as expected.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Change the code so that user does not set intermediate cert chain
directly by ZSOCK_QUIC_SO_CERT_CHAIN_ADD, but the setsockopt() is
given a sec_tag_t type value. Then when building the certificate
message, we resolve the actual cert from certificate storage using
the given security tag value.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Add support for STOP_SENDING frame. This is sent to tell
peer to stop sending data to the stream.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Try to send 8kb buffer multiple times, make sure that there
are dropped packets and verify that all the data is received
correctly.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>