"Das U-Boot" Source Tree

common/spl: guard against buffer overflow in spl_fit_get_image_name()

A malformed FIT image could have an image name property that is not NUL
terminated. Reject such images.

Reported-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Tested-by: E Shattow <e@freeshell.de>

authored by Heinrich Schuchardt and committed by Tom Rini
79f8f31d 6ef9a89c

+8 -2
common/spl/spl_fit.c
··· 73 73 const char **outname) 74 74 { 75 75 struct udevice *sysinfo; 76 - const char *name, *str; 76 + const char *name, *str, *end; 77 77 __maybe_unused int node; 78 78 int len, i; 79 79 bool found = true; ··· 83 83 debug("cannot find property '%s': %d\n", type, len); 84 84 return -EINVAL; 85 85 } 86 + /* A string property should be NUL terminated */ 87 + end = name + len - 1; 88 + if (!len || *end) { 89 + debug("malformed property '%s'\n", type); 90 + return -EINVAL; 91 + } 86 92 87 93 str = name; 88 94 for (i = 0; i < index; i++) { 89 95 str = strchr(str, '\0') + 1; 90 - if (!str || (str - name >= len)) { 96 + if (str > end) { 91 97 found = false; 92 98 break; 93 99 }
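Review bot: In the second hunk, `end = name + len - 1;` is evaluated before `!len` is tested, so for a zero-length property `end` is formed as `name - 1`, one byte before the property data. The short-circuit in `if (!len || *end)` means it is never dereferenced, but the pointer arithmetic itself is outside what C guarantees; testing the length first, for example `if (len < 1 || name[len - 1])`, and assigning `end` only after that check passes avoids the out-of-range pointer and also rejects a negative `len` should one ever reach this point. The simplified loop test `if (str > end)` is only safe because the final byte is now known to be NUL, so `strchr(str, '\0')` cannot run past the property; a one-line comment at the loop stating that dependency would keep a later refactor from separating the two. The rejection is reported only through `debug()`, so in a non-debug build a malformed image fails with a bare -EINVAL; consider whether this case deserves a message that is visible by default.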