[U-Boot] [PATCH v2] libfdt: Fix segfault when calling fit_check_format() on corrupt FIT images

From: Jon Nalley lists@bluebot.org
It has been observed that fit_check_format() will fail when passed a corrupt FIT image. This was tracked down to _fdt_string_eq():

    return (strlen(p) == len) && (memcmp(p, s, len) == 0);
In the case of a corrupt FIT image one can't depend on 'p' being NULL terminated. I changed it to use strnlen() to fix the issue.
Signed-off-by: Tom Rini trini@ti.com
---
Changes in v2:
- Pass len + 1, not len to strnlen as that's the best practice for strnlen.
---
 lib/libfdt/fdt_ro.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/libfdt/fdt_ro.c b/lib/libfdt/fdt_ro.c index f2154e8..36af043 100644 --- a/lib/libfdt/fdt_ro.c +++ b/lib/libfdt/fdt_ro.c @@ -44,7 +44,7 @@ static int _fdt_string_eq(const void *fdt, int stroffset, { const char *p = fdt_string(fdt, stroffset);
- return (strlen(p) == len) && (memcmp(p, s, len) == 0); + return (strnlen(p, len + 1) == len) && (memcmp(p, s, len) == 0); }
int fdt_get_mem_rsv(const void *fdt, int n, uint64_t *address, uint64_t *size)
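Review bot: the new strnlen(p, len + 1) in the _fdt_string_eq() hunk bounds the scan to the caller's len but not to the blob. Nothing in the hunk checks stroffset, or the pointer returned by fdt_string(fdt, stroffset), against the size of the strings block, so with a corrupt stroffset, or a strings block that ends within len bytes of the end of the blob, strnlen() and the memcmp() that follows can still read up to len + 1 bytes past the end of the blob. Consider returning 0 unless stroffset + len + 1 fits inside fdt_size_dt_strings(fdt) (or otherwise checking the result of fdt_string() against the blob bounds) before the strnlen() call; as written the change limits the over-read to len + 1 bytes rather than removing it, which is worth stating in the commit message.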

On Wed, Feb 26, 2014 at 11:32:21AM -0500, Tom Rini wrote:
> From: Jon Nalley lists@bluebot.org
>
> It has been observed that fit_check_format() will fail when passed a corrupt FIT image. This was tracked down to _fdt_string_eq():
>
>     return (strlen(p) == len) && (memcmp(p, s, len) == 0);
>
> In the case of a corrupt FIT image one can't depend on 'p' being NULL terminated. I changed it to use strnlen() to fix the issue.
>
> Signed-off-by: Tom Rini trini@ti.com

Applied to u-boot/master, thanks!
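As an added, stand-alone illustration of the failure the commit message in this thread describes, the following is constructed example code, not U-Boot's libfdt: it models the strings block of a blob as a bare char array plus an explicit size, and places the pre-patch strlen() comparator beside the post-patch strnlen(p, len + 1) one so the difference in how far each scans past an unterminated name can be measured. The third comparator, string_eq_bounded(), which also refuses the lookup unless name plus NUL fits inside the strings block, is my own extension and is not what the patch does. The two sample blocks, good_strings and bad_blob, are constructed inputs, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* strnlen() is POSIX, not ISO C; declare it so this also builds under a
 * strict -std=c99. The declaration matches the libc one. */
size_t strnlen(const char *s, size_t maxlen);

/* Constructed inputs (not real FIT/DTB blobs). A device-tree blob keeps
 * property names in a strings block, and the libfdt lookup is just
 * base-of-strings-block + stroffset, so the block is modelled here as a
 * bare char array plus an explicit size. */

/* Well-formed block: every name is NUL-terminated inside the block. */
static const char good_strings[] = "compatible\0model";      /* 17 bytes */
#define GOOD_SIZE sizeof(good_strings)

/* Corrupt block: the header claims 10 bytes and no NUL appears inside
 * them. The bytes after the block stand in for whatever happens to follow
 * the blob in memory (on real hardware possibly an unmapped page). */
static const char bad_blob[] = {
    'c', 'o', 'm', 'p', 'a', 't', 'i', 'b', 'l', 'e',   /* strings block */
    'X', 'Y', 'Z', '\0'                                  /* beyond the block */
};
#define BAD_STRINGS_SIZE 10

/* Before the patch: strlen() keeps going until it finds a NUL somewhere. */
static int string_eq_strlen(const char *strings, int stroffset,
                            const char *s, int len)
{
    const char *p = strings + stroffset;
    return (strlen(p) == (size_t)len) && (memcmp(p, s, len) == 0);
}

/* After the patch: at most len + 1 bytes are examined, enough to see the
 * NUL that must follow an exact match, so an unterminated name cannot
 * send the scan arbitrarily far. */
static int string_eq_strnlen(const char *strings, int stroffset,
                             const char *s, int len)
{
    const char *p = strings + stroffset;
    return (strnlen(p, len + 1) == (size_t)len) && (memcmp(p, s, len) == 0);
}

/* Extension beyond the patch (my assumption of what a fuller fix looks
 * like): refuse the lookup unless name plus NUL fits inside the strings
 * block, so a corrupt stroffset, or a block that ends within len bytes of
 * the end of the blob, cannot read outside it at all. */
static int string_eq_bounded(const char *strings, size_t strings_size,
                             int stroffset, const char *s, int len)
{
    if (stroffset < 0 || len < 0 || (size_t)stroffset >= strings_size)
        return 0;
    if (strings_size - (size_t)stroffset < (size_t)len + 1)
        return 0;                       /* name + NUL does not fit */
    const char *p = strings + stroffset;
    return (strnlen(p, len + 1) == (size_t)len) && (memcmp(p, s, len) == 0);
}

/* Bytes each scan touches from the start of the name, counting the NUL
 * when one is found; compare against the block size to see the over-read. */
static size_t scanned_strlen(const char *strings, int stroffset)
{
    return strlen(strings + stroffset) + 1;
}

static size_t scanned_strnlen(const char *strings, int stroffset, int len)
{
    size_t n = strnlen(strings + stroffset, (size_t)len + 1);
    return n < (size_t)len + 1 ? n + 1 : n;
}

int main(void)
{
    printf("good block, 'model' at 11: strlen=%d strnlen=%d bounded=%d\n",
           string_eq_strlen(good_strings, 11, "model", 5),
           string_eq_strnlen(good_strings, 11, "model", 5),
           string_eq_bounded(good_strings, GOOD_SIZE, 11, "model", 5));
    printf("corrupt block (%d bytes): strlen scanned %zu bytes, "
           "strnlen scanned %zu bytes, bounded scanned 0 and returned %d\n",
           BAD_STRINGS_SIZE,
           scanned_strlen(bad_blob, 0),
           scanned_strnlen(bad_blob, 0, 10),
           string_eq_bounded(bad_blob, BAD_STRINGS_SIZE, 0, "compatible", 10));
    return 0;
}
```

On the corrupt block the pre-patch scan touches 14 bytes for a 10-byte block, the patched scan touches 11 (still one past the block, because it must look for the NUL that would follow a 10-byte match), and the bounded variant rejects the lookup without dereferencing anything. On the well-formed block all three comparators agree.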