mirrors/u-boot
1
0
Fork 0
mirror of https://source.denx.de/u-boot/u-boot.git synced 2026-05-05 04:36:13 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

common/spl: guard against buffer overflow in spl_fit_get_image_name()

Browse Source 
A malformed FIT image could have an image name property that is not NUL
terminated. Reject such images.

Reported-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Tested-by: E Shattow <e@freeshell.de>
This commit is contained in:
Heinrich Schuchardt 2025-06-24 17:34:31 +02:00 committed by Tom Rini
parent 6ef9a89c1d
commit 79f8f31d58
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
common/spl/spl_fit.c
View File

@ -73,7 +73,7 @@ static int spl_fit_get_image_name(const struct spl_fit_info *ctx,
const char **outname)
{
struct udevice *sysinfo;
const char *name, *str;
const char *name, *str, *end;
__maybe_unused int node;
int len, i;
bool found = true;
@ -83,11 +83,17 @@ static int spl_fit_get_image_name(const struct spl_fit_info *ctx,
debug("cannot find property '%s': %d\n", type, len);
return -EINVAL;
}
/* A string property should be NUL terminated */
end = name + len - 1;
if (!len || *end) {
debug("malformed property '%s'\n", type);
return -EINVAL;
}
str = name;
for (i = 0; i < index; i++) {
str = strchr(str, '\0') + 1;
if (!str || (str - name >= len)) {
if (str > end) {
found = false;
break;
}