diff options
| author | Anton Ivanov <[email protected]> | 2026-06-02 19:27:52 +0100 |
|---|---|---|
| committer | Tom Rini <[email protected]> | 2026-06-13 10:42:17 -0600 |
| commit | f3d2ff3f5c3f49216b45a30b4b9a315a1b8d2142 (patch) | |
| tree | 8a3452ce0628247f697acfa6f83fff20a0d67c2b /boot | |
| parent | 69f6272b24a26c17a5b6de3b041218ec57239943 (diff) | |
fdt: Check return value of fdt_get_name() calls
fdt_get_name() can return NULL and set len to a negative error code.
fdt_find_regions() does not check for this, leading to a potential NULL
pointer dereference and a buffer out-of-bounds write during signature
verification of an untrusted FIT. fdt_next_region(), fdt_check_full(),
and display_fdt_by_regions() also lack validation.
Add NULL checks and propagate the error code from fdt_get_name()
to the caller.
Signed-off-by: Anton Ivanov <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Diffstat (limited to 'boot')
| -rw-r--r-- | boot/fdt_region.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/boot/fdt_region.c b/boot/fdt_region.c index 0a9d47bb2bd..dd6e87925be 100644 --- a/boot/fdt_region.c +++ b/boot/fdt_region.c @@ -88,6 +88,8 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count, if (depth == FDT_MAX_DEPTH) return -FDT_ERR_BADSTRUCTURE; name = fdt_get_name(fdt, offset, &len); + if (!name) + return len; /* The root node must have an empty name */ if (!depth && *name) @@ -563,6 +565,9 @@ int fdt_next_region(const void *fdt, if (p.depth == FDT_MAX_DEPTH) return -FDT_ERR_BADSTRUCTURE; name = fdt_get_name(fdt, offset, &len); + if (!name) + return len; + if (p.end - path + 2 + len >= path_len) return -FDT_ERR_NOSPACE; |
