Reject empty TLS Certificate messages when peer verification is
required, instead of accepting them and continuing without a captured
peer certificate.
Also add a defensive check in the Finished path so a peer cannot
complete the handshake without ever providing a certificate when the
effective verify policy requires one.
Add focused regression coverage for both cases: an empty Certificate
message and a Finished message received without any peer certificate.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Rename the per-stream RX flow-control counter to fc_bytes_received
to make it clear that the value tracks consumed flow-control credit,
not only contiguous payload bytes delivered to the application.
Document in quic_stream_receive_data() that Quic RX flow control is
based on absolute byte offsets. When a newly received frame advances
the highest received offset on a stream, any gap up to that offset
also consumes flow-control credit, while duplicate data must not be
counted twice.
Add regression coverage for gap accounting. The new test verifies
that out-of-order data consumes stream and connection flow-control
credit up to the new highest offset, that later filling the gap does
not double-count, and that further extension past the limit is
rejected.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
When quic_stream_receive_data() cannot buffer a new out-of-order
STREAM segment, it currently returns -EAGAIN. The packet is then
treated as valid and ACKable even though the data was dropped and
not counted toward stream or connection flow control.
Treat queue-full and oversized out-of-order segments as
FLOW_CONTROL_ERROR instead. Keep duplicate already-buffered segments
non-fatal, but stop ACKing new data that could not be retained.
Add regression coverage for duplicate, queue-full, and oversized
out-of-order receive cases.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Reload TLS credentials when ZSOCK_TLS_SEC_TAG_LIST is updated on an
already initialized Quic TLS context, and make the Quic test helper
apply the configured security tags through setsockopt().
This keeps certificate configuration consistent between server and
client paths and avoids stale credential state when TLS options are
set after endpoint creation.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Compare overlapping CRYPTO data against buffered bytes and fail
closed on mismatches.
Map CRYPTO reassembly overflow to CRYPTO_BUFFER_EXCEEDED, stop
silently ignoring out-of-order reassembly bookkeeping failures, and
add compile-time guards for the current metadata widths.
Add tests for duplicate overlap, conflicting overlap, and buffer
overflow handling.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
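The overlap handling described in the commit above, as an added worked example: a CRYPTO reassembly window that accepts duplicate overlap, rejects overlap whose bytes disagree with what is already buffered, and maps a frame that does not fit into the window to CRYPTO_BUFFER_EXCEEDED. This is illustration code, not the Zephyr QUIC implementation; the struct, function names and the 64-byte window are hypothetical, and the choice of PROTOCOL_VIOLATION for a conflicting overlap is an assumption (the commit message only says "fail closed" and does not name the error code).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 9000 Section 20.1 transport error codes. */
#define QUIC_PROTOCOL_VIOLATION     0x0a
#define QUIC_CRYPTO_BUFFER_EXCEEDED 0x0d

/* Deliberately tiny window so the overflow path is easy to exercise. A real
 * implementation sizes this for a whole TLS flight (RFC 9000 Section 7.5
 * recommends buffering at least 4096 bytes) and slides it as bytes reach TLS.
 */
#define CRYPTO_WINDOW 64

struct crypto_reasm {               /* hypothetical, not the Zephyr struct */
	uint8_t data[CRYPTO_WINDOW];
	uint8_t have[CRYPTO_WINDOW]; /* 1 if the byte at this offset is buffered */
	size_t  contiguous;          /* bytes from offset 0 deliverable to TLS */
};

void crypto_reasm_init(struct crypto_reasm *r)
{
	memset(r, 0, sizeof(*r));
}

/* Absorb a CRYPTO frame covering [offset, offset + len). Returns 0, or the
 * transport error to close with. Overlap that repeats bytes already held is
 * ordinary retransmission and is accepted; overlap that disagrees with what
 * is held cannot come from an honest sender and is rejected outright instead
 * of letting the later copy win. The assumed error code is PROTOCOL_VIOLATION.
 */
int crypto_receive(struct crypto_reasm *r, uint64_t offset,
		   const uint8_t *buf, size_t len)
{
	if (offset > CRYPTO_WINDOW || len > CRYPTO_WINDOW - offset) {
		return QUIC_CRYPTO_BUFFER_EXCEEDED;
	}

	/* First pass verifies every overlapping byte before anything is
	 * mutated, so a rejected frame leaves the buffer exactly as it was.
	 */
	for (size_t i = 0; i < len; i++) {
		size_t idx = (size_t)offset + i;

		if (r->have[idx] && r->data[idx] != buf[i]) {
			return QUIC_PROTOCOL_VIOLATION;
		}
	}
	for (size_t i = 0; i < len; i++) {
		size_t idx = (size_t)offset + i;

		r->data[idx] = buf[i];
		r->have[idx] = 1;
	}
	while (r->contiguous < CRYPTO_WINDOW && r->have[r->contiguous]) {
		r->contiguous++;
	}
	return 0;
}

/* Returns 1 if the deliverable prefix is exactly the given string. */
int crypto_prefix_is(const struct crypto_reasm *r, const char *expect)
{
	size_t n = strlen(expect);

	return r->contiguous == n && memcmp(r->data, expect, n) == 0;
}
```

The two-pass structure matters for the "fail closed" property: if the frame is rejected halfway through a single merge loop, the window would already contain a mix of old and attacker-supplied bytes.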
Recovery state is now serialized with a per-endpoint mutex.
PTO runs on a private QUIC recovery workqueue instead of
k_sys_work_q, and endpoint teardown / connection close now use
synchronous PTO cancellation.
The PTO handler no longer drops the endpoint reference from inside
the running work item. On excessive PTO it marks recovery closed,
notifies streams, and defers final unref through separate work so
the embedded delayable is not freed while active.
Recovery tracking is also gated once shutdown begins, and a new test
verifies that shutdown suppresses new in-flight tracking.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Make quic_put_varint() return an error when the destination buffer
is too small and update callers to validate the result.
Validate frame types by packet number space so forbidden frames
close with PROTOCOL_VIOLATION and unknown or malformed frames close
with FRAME_ENCODING_ERROR.
Also harden malformed CONNECTION_CLOSE parsing and add direct tests
for the new parser behavior.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
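The two checks the commit above introduces, as an added worked example that is not the Zephyr code: a bounds-checked RFC 9000 Section 16 varint encoder/decoder that refuses to write into a too-small destination, and a frame-type validator keyed by packet number space that returns PROTOCOL_VIOLATION for a defined-but-forbidden type and FRAME_ENCODING_ERROR for an unknown or truncated one. Function and enum names are hypothetical. The table covers the frame types defined in RFC 9000 only; negotiated extension frames (DATAGRAM, ACK_FREQUENCY, ...) would extend it.

```c
#include <stdint.h>
#include <stddef.h>
#include <errno.h>

/* RFC 9000 Section 20.1 transport error codes. */
#define QUIC_FRAME_ENCODING_ERROR 0x07
#define QUIC_PROTOCOL_VIOLATION   0x0a

/* Highest frame type defined by RFC 9000 itself (HANDSHAKE_DONE). */
#define QUIC_FRAME_TYPE_MAX 0x1e

enum pn_space { PN_SPACE_INITIAL, PN_SPACE_HANDSHAKE, PN_SPACE_APPLICATION };

/* Encode v as an RFC 9000 Section 16 variable-length integer. Returns the
 * number of bytes written, -EINVAL if v >= 2^62 or -ENOMEM if the
 * destination is too small. Nothing is written on error, so a caller that
 * checks the result is never left with a half-written frame.
 */
int put_varint(uint8_t *buf, size_t buflen, uint64_t v)
{
	size_t need;
	uint8_t prefix;

	if (v < (1ULL << 6))       { need = 1; prefix = 0x00; }
	else if (v < (1ULL << 14)) { need = 2; prefix = 0x40; }
	else if (v < (1ULL << 30)) { need = 4; prefix = 0x80; }
	else if (v < (1ULL << 62)) { need = 8; prefix = 0xc0; }
	else return -EINVAL;

	if (buflen < need) {
		return -ENOMEM;
	}
	/* big-endian value; the top two bits of the first byte encode the length */
	for (size_t i = 0; i < need; i++) {
		buf[i] = (uint8_t)(v >> (8 * (need - 1 - i)));
	}
	buf[0] |= prefix;
	return (int)need;
}

/* Decode a varint. Returns bytes consumed, or -ENOMEM when the length the
 * first byte announces runs past the buffer (a truncated frame).
 */
int get_varint(const uint8_t *buf, size_t buflen, uint64_t *out)
{
	if (buflen == 0) return -ENOMEM;
	size_t need = (size_t)1 << (buf[0] >> 6);
	if (buflen < need) return -ENOMEM;

	uint64_t v = buf[0] & 0x3f;
	for (size_t i = 1; i < need; i++) {
		v = (v << 8) | buf[i];
	}
	*out = v;
	return (int)need;
}

/* Encode into a buffer of buflen (at most 8) bytes and decode again. Returns the
 * encoded length, or the negative error from put_varint / -EIO on mismatch. */
int varint_roundtrip(uint64_t v, size_t buflen)
{
	uint8_t buf[8];
	uint64_t back;

	if (buflen > sizeof(buf)) buflen = sizeof(buf);
	int n = put_varint(buf, buflen, v);
	if (n < 0) return n;
	if (get_varint(buf, (size_t)n, &back) != n || back != v) return -EIO;
	return n;
}

/* RFC 9000 Section 12.4, Table 3. Returns 0 if the type may appear in this
 * space, FRAME_ENCODING_ERROR for a type RFC 9000 does not define, or
 * PROTOCOL_VIOLATION for a defined type that is forbidden in this space.
 */
int validate_frame_type(enum pn_space space, uint64_t type)
{
	if (type > QUIC_FRAME_TYPE_MAX) {
		return QUIC_FRAME_ENCODING_ERROR;
	}
	if (space == PN_SPACE_APPLICATION) {
		return 0; /* every RFC 9000 frame is permitted in 1-RTT packets */
	}
	switch (type) {
	case 0x00: /* PADDING */
	case 0x01: /* PING */
	case 0x02: /* ACK */
	case 0x03: /* ACK with ECN counts */
	case 0x06: /* CRYPTO */
	case 0x1c: /* CONNECTION_CLOSE, transport variant only (0x1d is app-level) */
		return 0;
	default:
		return QUIC_PROTOCOL_VIOLATION;
	}
}

/* First step of frame parsing: read the type varint and validate it. Returns
 * 0 (and sets *type) or the transport error code to close with.
 */
int parse_frame_type(enum pn_space space, const uint8_t *payload, size_t len,
		     uint64_t *type)
{
	uint64_t t;

	if (get_varint(payload, len, &t) < 0) {
		return QUIC_FRAME_ENCODING_ERROR; /* truncated type field */
	}
	int rc = validate_frame_type(space, t);
	if (rc == 0) *type = t;
	return rc;
}
```

Note the asymmetry the commit message relies on: an unknown type is an encoding problem with the frame itself, while a known type in the wrong space is the peer breaking a protocol rule, so the two get different close reasons.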
Peer certificate verification follows the same default policy as
Zephyr TLS sockets: clients require successful peer verification
by default, while servers default to not verifying client
certificates unless ZSOCK_TLS_PEER_VERIFY is explicitly enabled.
A client that does not load a CA certificate therefore fails the
handshake by default; applications that deliberately skip server
authentication must opt out by setting
ZSOCK_TLS_PEER_VERIFY = MBEDTLS_SSL_VERIFY_NONE.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Wake any client-side stream_open() waiters that are still blocked on
the handshake outcome.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
A receiver advertises two credits, per-stream
(initial_max_stream_data_*, updated by MAX_STREAM_DATA) and
per-connection (initial_max_data, updated by MAX_DATA). An
endpoint MUST NOT allow the largest received byte offset on a
stream to exceed the stream limit (§4.1), MUST NOT allow the sum of
received offsets across streams to exceed the connection limit (§4.1),
and MUST close with FLOW_CONTROL_ERROR (0x03, §11.2) on
violation. The check is on wire offsets, not on what fits locally.
The code did not do the checks properly for RX data.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
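The RX flow-control rule stated in the commit above, and the gap accounting described in the earlier fc_bytes_received commit, as one added worked example. It is illustration code rather than the Zephyr implementation: the structs and fc_receive_stream_data() are hypothetical, and the per-stream field is named fc_bytes_received to match the commit message's meaning of "credit consumed, not payload delivered". The check runs on wire offsets before any buffering decision, so what fits locally never enters into it.

```c
#include <stdint.h>

/* RFC 9000 Section 20.1 transport error code. */
#define QUIC_FLOW_CONTROL_ERROR 0x03

/* Hypothetical state, not the Zephyr structures. */
struct fc_stream {
	uint64_t max_stream_data;   /* initial_max_stream_data_* / MAX_STREAM_DATA */
	uint64_t fc_bytes_received; /* highest received offset + 1: credit consumed */
};

struct fc_conn {
	uint64_t max_data;          /* initial_max_data / MAX_DATA */
	uint64_t fc_bytes_received; /* sum of the per-stream counters */
};

/* Account for a STREAM frame carrying [offset, offset + len) on wire offsets.
 * Returns 0 when the frame is within credit (pure duplicates and gap fills
 * consume nothing new) or QUIC_FLOW_CONTROL_ERROR when it would push the
 * stream or the connection past its limit. State is untouched on error.
 */
int fc_receive_stream_data(struct fc_conn *conn, struct fc_stream *st,
			   uint64_t offset, uint64_t len)
{
	uint64_t end, newly;

	/* Varints are below 2^62, but guard the sum anyway. */
	if (len > UINT64_MAX - offset) {
		return QUIC_FLOW_CONTROL_ERROR;
	}
	end = offset + len;

	/* Everything below the high-water mark was charged when the frame that
	 * set it arrived, delivered or not. Duplicates and gap fills are free.
	 */
	if (end <= st->fc_bytes_received) {
		return 0;
	}

	/* Only the extension past the mark is new credit. Any gap between the
	 * old mark and 'offset' is charged as well: the peer has committed to
	 * filling it, and the receiver must be able to hold it.
	 */
	newly = end - st->fc_bytes_received;

	if (end > st->max_stream_data) {
		return QUIC_FLOW_CONTROL_ERROR; /* RFC 9000 Section 4.1, stream */
	}
	if (newly > conn->max_data - conn->fc_bytes_received) {
		return QUIC_FLOW_CONTROL_ERROR; /* RFC 9000 Section 4.1, connection */
	}

	st->fc_bytes_received = end;
	conn->fc_bytes_received += newly;
	return 0;
}

/* The gap scenario from the fc_bytes_received commit: out-of-order data
 * charges the gap, filling the gap later is free, extending past the limit
 * fails. Returns the number of checks that held (3 when behaving correctly).
 */
int fc_gap_scenario(void)
{
	struct fc_conn conn = { .max_data = 100, .fc_bytes_received = 0 };
	struct fc_stream st = { .max_stream_data = 50, .fc_bytes_received = 0 };
	int ok = 0;

	/* bytes 30..39 arrive first: the gap 0..29 is charged too */
	if (fc_receive_stream_data(&conn, &st, 30, 10) == 0 &&
	    st.fc_bytes_received == 40 && conn.fc_bytes_received == 40) ok++;
	/* the gap is filled: nothing new is charged */
	if (fc_receive_stream_data(&conn, &st, 0, 30) == 0 &&
	    st.fc_bytes_received == 40 && conn.fc_bytes_received == 40) ok++;
	/* 40..59 would exceed the 50-byte stream limit; state stays put */
	if (fc_receive_stream_data(&conn, &st, 40, 20) == QUIC_FLOW_CONTROL_ERROR &&
	    st.fc_bytes_received == 40 && conn.fc_bytes_received == 40) ok++;
	return ok;
}
```

Because the decision is made before buffering, a segment that passes this check but cannot be retained (queue full, oversized) is a separate condition; the later commit in this series treats that case as FLOW_CONTROL_ERROR as well rather than ACKing data that was dropped.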
Clarify in the public API and Kconfig help that server mode can send
Version Negotiation and enforce anti-amplification, but Retry and
NEW_TOKEN-based address-validation tokens are not yet implemented.
Also warn when an Initial packet carries a token that the current
implementation does not process.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Initial packet DCID must be >= 8 bytes long. Enforce that
and test it too.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Make sure we send a proper version negotiation packet if
we receive a Quic version packet that we do not support.
Add tests that make sure version negotiation works OK.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Enforce RFC 9000 Section 8.1 by limiting server transmission to
three times the bytes received from an unvalidated client address.
Gate the behavior behind CONFIG_QUIC_SERVER_ANTI_AMPLIFICATION_LIMIT
to preserve feature-testing scenarios that intentionally bypass the
limit.
Add tests that verify the anti-amplification budget handling.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
NET_IF_MAX_CONFIGS is always 1, therefore the NET_IF_INIT and
NET_IF_OFFLOAD_INIT macros can be simplified by removing the array and
using a single struct net_if and struct net_if_dev instead.
This also removes the use of designated initializers with ranges, which
is a GNU extension.
https://gcc.gnu.org/onlinedocs/gcc/Designated-Inits.html
Signed-off-by: Fin Maaß <f.maass@vogl-electronic.com>
As the Ethernet API already includes struct net_if as an argument
for its functions, also add it to struct wifi_mgmt_ops.
Signed-off-by: Fin Maaß <f.maass@vogl-electronic.com>
Introduce CONFIG_RISCV_S_MODE to select Supervisor-mode execution.
Add depends on !RISCV_S_MODE to RISCV_PMP since PMP CSRs are
inaccessible from S-mode.
Add an M-mode SBI shim (reset.S + sbi.S) that configures exception
delegation, PMP, and counter access before dropping to S-mode via mret.
The shim handles SBI_SET_TIMER ecalls from S-mode and forwards MTIP to
STIP so the supervisor timer driver works without a full SBI firmware.
Introduce privilege-level abstractions in isr.S (RV_CAUSE, RV_EPC,
RV_STATUS, RV_TVAL, etc.) and update all runtime code that previously
accessed M-mode-only CSRs (mcause, mtval, mstatus, mie, mip) to use the
S-mode equivalents when CONFIG_RISCV_S_MODE is set.
ARCH_EXCEPT in kernel context uses ebreak (cause=3, Breakpoint) instead
of a direct z_riscv_fatal_error() call. In S-mode, ecall (cause=9) is
kept in M-mode for SBI and never reaches the S-mode exception handler;
a direct call with NULL esf caused the stack unwinder to crash into an
infinite fault loop. ebreak is delegated to S-mode by our medeleg
configuration; isr.S treats ebreak with t0=RV_ECALL_RUNTIME_EXCEPT the
same way M-mode treats ecall-based ARCH_EXCEPT.
Signed-off-by: Alexios Lyrakis <alexios.lyrakis@gmail.com>
If a user created an observe request that is kept alive, it is not easy to
notify the server to stop the observe.
Add a function that sends a GET with the observer option set to 1 prior
to internal cleanup.
Signed-off-by: Pieter De Gendt <pieter.degendt@basalte.be>
Add an IRK update call to the internal bt_le_adv_start_ext, and rename it to
adv_start_ext to prevent confusion with public functions.
There are two paths to start ext advertising:
- bt_le_adv_start can start extended advertising if enabled by calling
internal bt_le_adv_start_ext else it starts legacy advertisements.
- bt_le_ext_adv_start specifically starts extended advertisements.
This commit misses the first path for ext advertisement:
6d137ae015
Signed-off-by: Alperen Sener <alperen.sener@nordicsemi.no>
Add a command to select the USB host context, similar to the select
command in device support. Set the USB host context used by the shell to
the first entry in the section by default. The USB host context defined
in the shell is not necessary anymore and is moved to the sample code.
This has a very small impact on the user. The way the host shell
commands are used has not changed.
Signed-off-by: Johann Fischer <johann.fischer@nordicsemi.no>
Introduce an architecture API that reports the calling CPU's current
interrupt-enable state without modifying it. Unlike arch_irq_unlocked()
which inspects a saved key, this one probes the live CPU register, which
lets callers avoid the lock/unlock dance when all they need is to test
whether IRQs are currently masked.
Most arches can serve this from a single register read (DAIF on arm64,
PRIMASK/BASEPRI/CPSR on arm, mstatus on riscv, PS on xtensa, STATUS32
on arc, c0_status on mips, SPR_SR on openrisc, PSW on rx, EFLAGS on
x86). SPARC, POSIX, and riscv with custom SoC IRQ-lock ops have no
direct probe and fall back to a brief arch_irq_lock()/unlock() pair.
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Fix `sntp_close_async` closing the socket while the socket service is
still polling it by deferring the close operation to the socket service.
Signed-off-by: Jordan Yates <jordan@embeint.com>
Closing a socket while it is being polled by another thread is
discouraged and should be avoided. This results in a problem when
attempting to unregister a service via `net_socket_service_unregister`,
the caller has no way of knowing when the socket service has stopped
polling on the socket and it is safe to close.
Solve this issue by introducing `net_socket_service_close`, which
signals the socket service to automatically close the sockets associated
with the service when it stops polling them.
Signed-off-by: Jordan Yates <jordan@embeint.com>
In #90652 we removed the PHY-related config from the Ethernet API;
unfortunately, ETHERNET_CONFIG_TYPE_T1S_PARAM was not removed
along with it.
Signed-off-by: Fin Maaß <f.maass@vogl-electronic.com>
Fix copy and paste mistakes in shell outputs. Remove unnecessary
shell_error() in device descriptor command.
Signed-off-by: Johann Fischer <johann.fischer@nordicsemi.no>
Add mount_flags to zms_fs structure to be able to control the mount
operation.
If the ZMS_MOUNT_FLAG_NO_FORMAT flag is enabled, no header will be added to
erased memory and the mount will return an -ENOTSUP error.
Signed-off-by: Riadh Ghaddab <riadh.ghaddab@nordicsemi.no>
Fix a race condition in RFCOMM session disconnection when both local
and peer devices initiate disconnection simultaneously.
Add state check in `rfcomm_session_disconnected()` to only transition
to `DISCONNECTED` state if the session is not already in
`DISCONNECTING` state. This prevents the race condition where both
sides set the session to disconnected, causing the disconnection
process to not complete properly and leaving the L2CAP connection
unreleased.
Without this check, subsequent RFCOMM channel connection requests
would fail due to the invalid session state (the expected state is
`IDLE`, while the actual state is `DISCONNECTED`).
Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
The technology values defined in tbs.h are actually defined
in the Assigned Numbers under HFP. They have been moved to
the assigned_numbers.h file and renamed to match their placement
in Assigned Numbers. They have been defined in an enum instead
of multiple #defines, to make them easier to refer to.
The callback for reading technology was likewise updated to use
the new enum.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Add SPP test shell commands that support client and server features,
including register, connect, send and disconnect.
Signed-off-by: Kai Cheng <chengkai@xiaomi.com>
The two reference counts in the net_buf library -- the per-header
`buf->ref` and the per-data-block `*ref_count` byte at the start of
each variable-data allocation -- were manipulated with plain non-atomic
C operators (`++`, `--`, `if (--rc)`, `if (!rc)`).
The documented contract says otherwise. The Network Buffers chapter of
the Zephyr docs (`doc/services/net_buf/index.rst`) states:
"The buffers have native support for being passed through k_fifo
kernel objects. Use k_fifo_put and k_fifo_get to pass buffer from
one thread to another."
"The reference count can be incremented with net_buf_ref() or
decremented with net_buf_unref(). When the count drops to zero the
buffer is automatically placed back to the free buffers pool."
There is no requirement for callers to hold a higher-level lock around
ref/unref. The API is documented as self-synchronizing, and existing
users (notably zbus's msg-subscriber path) rely on exactly that:
a producer clones a buffer N times and hands the clones off to N
subscriber threads via their FIFOs, after which the N+1 holders
independently call `net_buf_unref()` with no surrounding lock.
With non-atomic decrement-and-test, two CPUs can concurrently observe
the same prior value (e.g. 1), both decrement, and both conclude they
were the last reference. Concrete failure modes:
* `mem_pool_data_unref`: both CPUs call `k_heap_free(pool, ref_count)`
on the same block. `k_heap_free` is internally serialized, so the
duplicate free typically corrupts heap metadata silently.
* `heap_data_unref`: both CPUs call `k_free(ref_count)` on the same
block. `k_free` reads the owning `struct k_heap *` from the 8 bytes
immediately preceding `ref_count`. The first call frees the block
and the heap-hardening fill replaces those 8 bytes with the poison
pattern (0xcfdfdfdfdfdfdfcf). The second call then dereferences a
poisoned pointer and faults inside `k_spin_lock` (translation
fault on the bogus heap address).
* `net_buf_unref`: two CPUs racing the per-header decrement-and-test
can both decide "I am the last reference," both proceed to
`net_buf_destroy()`, and the buffer is returned to the pool's LIFO
twice -- silently corrupting the free list.
Fix: use atomic operations on both reference counts.
The per-data-block refcount changes from `uint8_t` to `atomic_t`. This
fits inside the existing `GET_ALIGN(pool)` reservation (>= sizeof(void
*)) at no memory cost.
The per-header `buf->ref` is overlaid in a union with three small
adjacent uint8_t fields (`flags`, `pool_id`, `user_data_size`) and an
`atomic_t ref_word` view of the same storage:
    union {
        atomic_t ref_word;
        struct {
            uint8_t ref;
            uint8_t flags;
            uint8_t pool_id;
            uint8_t user_data_size;
        };
    };
(Byte order conditional on endianness so `ref` is always the LSB of
`ref_word`; on big-endian 64-bit, the byte struct is shifted by 4
bytes of padding for the same reason.)
Net_buf internals issue `atomic_inc(&buf->ref_word)` /
`atomic_dec(&buf->ref_word)` and narrow the returned word value to
`uint8_t` to extract the ref byte. Because the ref count is bounded
to 254 (already implicit in its uint8_t domain), atomic_inc/dec
adjusts only the LSB; the other three bytes are untouched. Plain
uint8_t reads of `buf->ref` from non-atomic call sites continue to
work, so the change is transparent to the dozens of consumers that
read it for diagnostics.
`flags`, `pool_id` and `user_data_size` are written exactly once at
allocation time on a single thread (or, for `flags`, from a context
that owns the buf exclusively such as bt_buf_make_view on a fresh
view), so there are no concurrent byte writes that could conflict
with the atomic word update. struct net_buf does not grow on either
32-bit or 64-bit: on 32-bit the four bytes are exactly `sizeof(long)`,
on 64-bit they fit in alignment padding the next field already
required.
A BUILD_ASSERT in lib/net_buf/buf.c documents the
`atomic_t == long` assumption that the conditional padding relies on.
In `net_buf_unref`, the per-header refcount and the fields needed for
the debug log (`buf->pool_id`) are captured into local variables
*before* the atomic decrement -- once the reference is dropped, another
CPU may immediately free the buffer, so the buffer must not be read
again. The post-decrement diagnostic log uses the value returned by
`atomic_dec` rather than re-reading `buf->ref`. The `pool->avail_count`
sanity check uses the value returned by `atomic_inc` to avoid a
follow-up `atomic_get` of memory another CPU may have changed.
`net_pkt_frag_unref()` previously had the racy
`if (frag->ref == 1U) alloc_del(); net_buf_unref();` pattern; it is
restructured to do the atomic decrement here and slot the tracker call
in atomically with the "I'm the last reference" decision, with
`net_pkt_frag_del()` routed through it.
This bug had been latent. On real SMP hardware the race window is very
small and the typical net_buf consumers (Bluetooth, networking) tend
to use fixed-data pools (`fixed_data_unref` is a no-op). The race
manifests reliably under FVP, where the FastModel's quantum-based
execution model can schedule N threads to all reach the unref point in
the same simulated moment. We discovered it through the zbus
`msg_subscriber_dynamic_isolated` sample, which exchanges shared data
buffers among 16+ subscribers running on 4 SMP cores.
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
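The overlay-and-narrow technique the commit above describes, as an added worked example written against C11 <stdatomic.h> rather than Zephyr's atomic_t API; the struct and function names are hypothetical and this is not the net_buf code. It shows the refcount byte sharing a word with three single-owner bytes, the "last reference" decision taken from the value the atomic op returns instead of a re-read, and the fan-out pattern from the zbus description (one producer, N clones, N+1 independent unrefs) ending in exactly one free.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Demo buffer header, not Zephyr's struct net_buf. The refcount byte shares
 * a 32-bit word with three bytes that are written only while the buffer has
 * a single owner. An atomic add/sub of 1 on the word only ever changes the
 * least significant byte as long as ref stays within 1..254, so the other
 * three bytes are never disturbed.
 */
struct demo_buf {
	union {
		_Atomic uint32_t ref_word;
		struct {
#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
			uint8_t user_data_size;
			uint8_t pool_id;
			uint8_t flags;
			uint8_t ref;   /* ref must be the least significant byte */
#else
			uint8_t ref;
			uint8_t flags;
			uint8_t pool_id;
			uint8_t user_data_size;
#endif
		};
	};
	int freed; /* stand-in for "returned to the pool" */
};

void demo_buf_init(struct demo_buf *b, uint8_t flags, uint8_t pool_id)
{
	/* Plain stores: nobody else can see the buffer yet (single owner). */
	b->freed = 0;
	b->ref = 1;
	b->flags = flags;
	b->pool_id = pool_id;
	b->user_data_size = 0;
}

uint8_t demo_buf_refcount(const struct demo_buf *b)
{
	return (uint8_t)atomic_load(&b->ref_word); /* narrowing picks the ref byte */
}

/* Take a reference. Refuses (returns NULL) if the buffer is already freed or
 * the count would leave the 1..254 range and carry into 'flags'. */
struct demo_buf *demo_buf_ref(struct demo_buf *b)
{
	uint8_t old = (uint8_t)atomic_fetch_add(&b->ref_word, 1);

	if (old == 0 || old >= 254) {
		atomic_fetch_sub(&b->ref_word, 1); /* undo, nothing carried yet */
		return NULL;
	}
	return b;
}

/* Drop a reference. Returns true if this caller held the last one and freed
 * the buffer. Everything needed afterwards is taken from the value the
 * atomic op returned or captured beforehand: once the decrement is visible,
 * another CPU may free and reuse the memory, so *b must not be read again
 * unless we turned out to be the last holder.
 */
bool demo_buf_unref(struct demo_buf *b)
{
	uint8_t pool_id = b->pool_id; /* for diagnostics; captured before the drop */
	uint8_t old = (uint8_t)atomic_fetch_sub(&b->ref_word, 1);

	if (old == 0) {
		atomic_fetch_add(&b->ref_word, 1); /* caller bug: unref of a freed buf */
		return false;
	}
	if (old != 1) {
		return false; /* someone else still holds it */
	}
	(void)pool_id;
	b->freed = 1;  /* old == 1: exclusively ours now */
	return true;
}

/* One producer clones a buffer for N subscribers; each of the N+1 holders
 * unrefs independently. Returns how many of them decided they were last
 * (must be exactly 1), or -1 if the buffer never got freed.
 */
int demo_fanout(int subscribers)
{
	struct demo_buf b;
	int last = 0;

	demo_buf_init(&b, 0x01, 0);
	for (int i = 0; i < subscribers; i++) {
		demo_buf_ref(&b);
	}
	for (int i = 0; i < subscribers; i++) {
		last += demo_buf_unref(&b) ? 1 : 0;
	}
	last += demo_buf_unref(&b) ? 1 : 0; /* producer drops its own */
	return b.freed ? last : -1;
}
```

The single-threaded fan-out cannot reproduce the SMP interleaving the commit describes, but it does show the invariant the atomic version provides: the number of callers that observe old == 1 is exactly one, whereas `if (--b->ref == 0)` gives two racing CPUs no such guarantee.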
Replace CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN with the new
CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN and CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN
options across all in-tree .conf files, hostap Kconfig defaults, and
socket subsystem help text.
This completes the deprecation of MBEDTLS_SSL_MAX_CONTENT_LEN in favor
of independent incoming/outgoing buffer size control.
Signed-off-by: Rithic Chellaram Hariharan <gr8rithic@gmail.com>
Add bt_conn_br_set_sniff_subrating() API to configure sniff subrating
parameters for BR/EDR connections. Sniff subrating allows further
power savings by reducing the number of sniff anchor points the
device needs to listen on.
Signed-off-by: Kai Cheng <chengkai@xiaomi.com>
Handle NewSessionTicket in the poll() syscall (via tls_update_pollin() and
tls_data_check()) similarly to how it is handled in the recv() / read()
syscall (via recv_tls()).
This event is semantically the same as "want read" and "want write", since
it does not contain any application data or error. This means that we just
want to proceed with reading and not treat that as error.
Fixes: 6be57aaedf ("net: sockets_tls: add support for TLS 1.3")
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
Introduce struct bt_conn_br_cb to group all BR/EDR specific connection
callbacks (role_changed, mode_changed) into a dedicated sub-struct
within bt_conn_cb. This replaces the previously scattered callbacks
that were individually guarded by CONFIG_BT_CLASSIC or
CONFIG_BT_POWER_MODE_CONTROL.
Application code now uses the .br. accessor:

    .br.role_changed = my_role_changed_cb,
    .br.mode_changed = my_mode_changed_cb,
The br_ prefix is dropped from callback names since the struct
hierarchy already conveys the BR/EDR scope, aligning with the
pattern suggested during review.
Also fix bt_conn_notify_mode_changed() to use
BT_CONN_CB_DYNAMIC_FOREACH instead of SYS_SLIST_FOR_EACH_CONTAINER
for consistency with other callback notification functions.
Signed-off-by: Kai Cheng <chengkai@xiaomi.com>
The per-session channel table size is a spec-mandated property of
the region (EU868: 16, US915/AU915: 72, CN470: 96, ...) and is
not a user preference: a region needs exactly as many slots as its
channel plan defines, no more, no less.
Replace the hardcoded #define with a hidden Kconfig in the region
subdirectory.
Signed-off-by: Carlo Caione <ccaione@baylibre.com>
Refactor mac_build_data_frame() so uplink frames can carry MAC
commands in the FOpts region between FHDR and FPort, and set the
FCtrl.ADR bit when lorawan_enable_adr() has been called.
Signed-off-by: Carlo Caione <ccaione@baylibre.com>
Widen the get_tx_params() region op to accept a TX power index and
compute the effective dBm from it.
Signed-off-by: Carlo Caione <ccaione@baylibre.com>
Add three region-ops function pointers needed by the upcoming MAC
command framework to validate and apply parameters from LinkADRReq:
- validate_dr: is a datarate index defined in this region?
- validate_tx_power: is a TX power index defined in this region?
- apply_channel_mask: apply a ChMaskCntl + ChMask pair to the
channel table, atomically (no partial mutation on failure).
Implement them for EU868.
Signed-off-by: Carlo Caione <ccaione@baylibre.com>
The lwm2m registry time series elements were previously stored in a
ring buffer which added complexity to the code when adding and removing
elements from the buffer. This commit changes the implementation to use
the sys_ringq instead, simplifying the code and making it easier to
maintain over time.
Signed-off-by: Måns Ansgariusson <mansgariusson@gmail.com>
When building MQTT with MQTT_LIB_WEBSOCKET,
compilation fails due to implicit declaration of function 'NET_ERR'.
Add include for zephyr/net/net_log.h to pull in declaration.
Signed-off-by: Jacob Schloss <jacob.schloss@suburbanmarine.io>
Fixes a few occurrences of "maybe uninitialized" variables that are
flagged when -Wmaybe-uninitialized is enabled. Seen when running e.g.
./scripts/twister -p mps2/an385 -T tests/net/lib/coap_server/common
in "--coverage" mode.
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Give the PTP transport protocol choice a symbol name so tests and
application fragments can override its default through Kconfig.
Signed-off-by: Philipp Steiner <philipp.steiner1987@gmail.com>
dns_unpack_answer() validated only the fixed RR header size and
accepted any rdlength, even one extending past the end of the packet.
TXT and SRV consumers in resolve.c then read up to rdlength bytes from
the message buffer, causing an out-of-bounds read on a truncated or
crafted response.
Reject any RR whose declared rdata extends past dns_msg->msg_size at
the single chokepoint in dns_unpack_answer(), so all current and
future RR consumers are covered.
Signed-off-by: Flavio Ceolin <flavio@hubblenetwork.com>
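The chokepoint check described above, as an added worked example that is not the Zephyr resolver code: a minimal RR parser that validates the fixed header and then refuses any rdlength extending past msg_size, followed by a TXT consumer that checks TXT's own inner length byte against the now-trusted rdlength. Names are hypothetical and the two records are constructed test data, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <errno.h>

/* TYPE(2) CLASS(2) TTL(4) RDLENGTH(2), RFC 1035 Section 4.1.3. */
#define DNS_RR_FIXED_LEN 10
#define DNS_TYPE_TXT     16

struct dns_rr {                 /* hypothetical, not the Zephyr struct */
	uint16_t type;
	uint16_t cls;
	uint32_t ttl;
	uint16_t rdlength;
	const uint8_t *rdata;   /* in-message pointer; rdlength bytes are in bounds */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Skip the NAME at msg[pos]. A compression pointer ends the name within
 * this record and is not followed here, so it cannot loop. Returns the
 * number of bytes the name occupies, or -EINVAL.
 */
static int dns_skip_name(const uint8_t *msg, size_t msg_size, size_t pos)
{
	size_t start = pos;

	while (pos < msg_size) {
		uint8_t len = msg[pos];

		if (len == 0) return (int)(pos + 1 - start);
		if ((len & 0xc0) == 0xc0) {
			if (msg_size - pos < 2) return -EINVAL;
			return (int)(pos + 2 - start);
		}
		if (len & 0xc0) return -EINVAL; /* 0x40/0x80 prefixes are reserved */
		pos += 1 + (size_t)len;
	}
	return -EINVAL; /* ran off the end before the terminating zero label */
}

/* Parse the RR at msg[pos]. Returns bytes consumed (name + fixed header +
 * rdata) or -EINVAL. The rdlength check is the single chokepoint: after a
 * successful return every consumer may read rr->rdata[0 .. rdlength).
 */
int dns_unpack_answer(const uint8_t *msg, size_t msg_size, size_t pos, struct dns_rr *rr)
{
	size_t start = pos;

	if (pos > msg_size) return -EINVAL;
	int n = dns_skip_name(msg, msg_size, pos);
	if (n < 0) return n;
	pos += (size_t)n;

	if (msg_size - pos < DNS_RR_FIXED_LEN) return -EINVAL;
	rr->type     = rd16(msg + pos);
	rr->cls      = rd16(msg + pos + 2);
	rr->ttl      = rd32(msg + pos + 4);
	rr->rdlength = rd16(msg + pos + 8);
	pos += DNS_RR_FIXED_LEN;

	/* The fix: declared rdata must lie entirely inside the message. */
	if (rr->rdlength > msg_size - pos) return -EINVAL;
	rr->rdata = msg + pos;
	return (int)(pos + rr->rdlength - start);
}

/* Copy the first <character-string> of a TXT RR. TXT carries its own length
 * byte, which in turn must fit inside rdlength. Returns its length or -EINVAL.
 */
int dns_txt_first_string(const struct dns_rr *rr, char *out, size_t out_size)
{
	if (rr->type != DNS_TYPE_TXT || rr->rdlength < 1) return -EINVAL;
	size_t slen = rr->rdata[0];
	if (slen > (size_t)rr->rdlength - 1 || slen >= out_size) return -EINVAL;
	for (size_t i = 0; i < slen; i++) out[i] = (char)rr->rdata[1 + i];
	out[slen] = '\0';
	return (int)slen;
}

/* Constructed records (not captured traffic): NAME = pointer to offset 12,
 * TYPE TXT, CLASS IN, TTL 60, then RDLENGTH and RDATA "\x05hello". */
static const uint8_t example_txt_rr[] = {
	0xc0, 0x0c, 0x00, 0x10, 0x00, 0x01, 0x00, 0x00, 0x00, 0x3c,
	0x00, 0x06, 0x05, 'h', 'e', 'l', 'l', 'o'
};
/* Same record with a crafted RDLENGTH of 64 in an 18-byte message. */
static const uint8_t example_txt_rr_oversized[] = {
	0xc0, 0x0c, 0x00, 0x10, 0x00, 0x01, 0x00, 0x00, 0x00, 0x3c,
	0x00, 0x40, 0x05, 'h', 'e', 'l', 'l', 'o'
};

/* Parse a record at offset 0 of a message of msg_size bytes and extract its
 * TXT string. Returns the string length or -EINVAL if rejected. */
int example_parse(const uint8_t *msg, size_t msg_size, char *out, size_t out_size)
{
	struct dns_rr rr;
	int n = dns_unpack_answer(msg, msg_size, 0, &rr);

	if (n < 0) return n;
	return dns_txt_first_string(&rr, out, out_size);
}
```

Doing the check once in dns_unpack_answer() rather than in each consumer is the point of the commit: the TXT and SRV readers (and any future RR type) then need only stay within rdlength, which is a local invariant instead of a property of the whole message.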
The VOCS discover callback may call vcp_vol_ctlr_discover_complete()
with a NULL vol_ctlr when lookup_vcp_by_vocs() fails.
This leads to a potential NULL pointer dereference as
vcp_vol_ctlr_discover_complete() unconditionally accesses
vol_ctlr->flags.
Fix this by returning early when vol_ctlr is NULL.
Signed-off-by: Gaetan Perrot <gaetan.perrot@spacecubics.com>
Add an option for a remote shell client. The remote shell client is an
implementation of the shell on the client core which supports
IPC communication with the host shell implementation. It allows
using host shell backends to execute commands on the remote
client. The remote client implementation takes much less
memory than the normal shell implementation.
Signed-off-by: Krzysztof Chruściński <krzysztof.chruscinski@nordicsemi.no>