V4.3.3

.github/workflows/ci.yml

@@ -129,16 +129,16 @@
           exclude-dirs: source/portable/NetworkInterface/STM32
 
   formatting:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: Check formatting
         uses: FreeRTOS/CI-CD-Github-Actions/formatting@main
         with:
           path: ./
           exclude-dirs: source/portable/NetworkInterface/STM32
 
   doxygen:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4

.github/workflows/release-candidate.yml

@@ -10,6 +10,10 @@ on:
         description: 'Release Version Number (Eg, v1.0.0-rc1)'
         required: true
 
+# Workflow permissions block
+permissions:
+  contents: write # This grants write access to repository content, including pushing commits/tags and creating releases.
+
 jobs:
   tag-commit:
     name: Tag commit
@@ -32,4 +36,4 @@ jobs:
           git tag -d ${{ github.event.inputs.version_number }}
           git remote update
           git checkout tags/${{ github.event.inputs.version_number }}
-          git diff ${{ github.event.inputs.commit_id }} tags/${{ github.event.inputs.version_number }}
+          git diff ${{ github.event.inputs.commit_id }} tags/${{ github.event.inputs.version_number }}

.github/workflows/release.yml

@@ -10,6 +10,10 @@ on:
         description: 'Release Version Number (Eg, v1.0.0)'
         required: true
 
+# Workflow permissions block
+permissions:
+  contents: write # This grants write access to repository content, including pushing commits/tags and creating releases.
+
 jobs:
   tag-commit:
     name: Tag commit
@@ -140,6 +144,9 @@ jobs:
           ref: ${{ github.event.inputs.version_number }}
           add_release: "true"
   create-release:
+    permissions:
+      contents: write
+      id-token: write
     needs:
       - create-zip
       - deploy-doxygen
@@ -171,6 +178,11 @@ jobs:
           asset_path: ./FreeRTOS-Plus-TCP-${{ github.event.inputs.version_number }}.zip
           asset_name: FreeRTOS-Plus-TCP-${{ github.event.inputs.version_number }}.zip
           asset_content_type: application/zip
+      - name: Backup Release Asset
+        uses: FreeRTOS/CI-CD-Github-Actions/artifact-backup@main
+        with:
+          artifact_path: ./FreeRTOS-Plus-TCP-${{ github.event.inputs.version_number }}.zip
+          release_tag: ${{ github.event.inputs.version_number }}
   cleanup:
     needs:
       - create-release

History.txt

@@ -1,5 +1,45 @@
 Documentation and download available at https://www.FreeRTOS.org/
 
+Changes between FreeRTOS-plus-TCP V4.3.4 and V4.3.3 released October 10, 2025:
+    + The implementation lacked sufficient checks to ensure that received packets
+      meet the minimum size requirements for certain ICMPv6 message types, leading to
+      out-of-bounds read operations when processing packets smaller than the expected
+      size. This issue has been fixed by adding checks to prevent out-of-bounds reads.
+      The implementation lacked sufficient checks to prevent null pointer dereference
+      when an IPv6 multicast packet is received on a device not configured with a
+      link-local endpoint. This issue has been fixed by adding checks to prevent
+      null pointer dereference.
+    + The implementation lacked sufficient checks to validate the payload length field
+      in the IPv6 packet header. This allowed malicious packets with incorrect payload
+      lengths to cause integer wraparound, resulting in erroneously large calculated
+      payload length. This inflated payload length bypassed the existing
+      bounds-checking mechanisms, leading to out-of-bounds read operations. This issue
+      has been fixed by adding checks to validate the payload length field in the IPv6
+      packet header.
+    + The implementation lacked sufficient checks to validate the IP version field
+      when a UDP/IPv6 packet is received with ipconfigDRIVER_INCLUDED_RX_IP_CHECKSUM
+      disabled. This allowed the processing of packets with an incorrect IP version
+      field instead of rejecting them early. Subsequent attempts to extract network
+      buffers from these invalid UDP packets could result in dereferencing of an
+      invalid pointer due to incorrect pointer arithmetic.
+      We would like to thank Ivan Gotovchits of Mayhem Security for collaborating on
+      this issue through the coordinated vulnerability disclosure process.
+
+Changes between FreeRTOS-plus-TCP V4.3.3 and V4.3.2 released June 10, 2025:
+	+ Fixed maximum network buffer allocation size check when buffer
+	  allocation scheme 1 is used which caused allocation failure on
+	  some network interfaces.
+
+Changes between FreeRTOS-plus-TCP V4.3.2 and V4.3.1 released June 03, 2025:
+	+ It was possible to cause an out-of-bounds write when processing LLMNR
+	  or mDNS queries with very long DNS names. This issue only affects systems
+	  using Buffer Allocation Scheme 1 with LLMNR or mDNS enabled.
+	  This issue has been fixed by adding checks to prevent out of bounds write.
+	  We would like to thank Paschal Amusuo (@AmPaschal),
+	  James C Davis (@davisjam), Taylor Le Lievre (@tlelievre26), and
+	  Aravind Kumar Machiry (@machiry) of Purdue University for collaborating
+	  on this issue through the coordinated vulnerability disclosure process.
+
 Changes between FreeRTOS-plus-TCP V4.3.1 and V4.3.0 released December 16, 2024:
 	+ Update README.md with information related to migrating to V4.3.0 and above
 	  for users utilising the STM32 network interface.

docs/doxygen/config.doxyfile

@@ -48,7 +48,7 @@ PROJECT_NAME           = FreeRTOS-Plus-TCP
 # could be handy for archiving the generated documentation or if some version
 # control system is used.
 
-PROJECT_NUMBER         = V4.3.0
+PROJECT_NUMBER         = V4.3.4
 
 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a

manifest.yml

@@ -1,5 +1,5 @@
 name: "FreeRTOS-Plus-TCP"
-version: "V4.3.1"
+version: "V4.3.4"
 description:
   "Thread safe FreeRTOS TCP/IP stack working on top of the FreeRTOS-Kernel to
   implement the TCP/IP protocol. Suitable for microcontrollers."