author: Mikhail Kshevetskiy <[email protected]> 2025-06-10 12:56:30 +0300
committer: Tom Rini <[email protected]> 2025-06-19 11:01:51 -0600
commit: 3704b888a4cabac8daea20a4504d513bc47153ca (patch)
tree: 224dd67a682426bf5abeeaf3a72a7cfb39f6b3ad /common
parent: 17012e3068d047ad71460f039eeb0c3be63f82a0 (diff)
common/spl: fix potential out of buffer access in spl_fit_get_image_name function
The current code has two issues:

1) ineffective NULL pointer check

       str = strchr(str, '\0') + 1
       if (!str || ...

   The str here will never be NULL (because we add 1 to the result of strchr())

2) strchr() may go out of the buffer for special forms of the name variable.

It's better to use the memchr() function here. According to the code the property is a sequence of C-strings like shown below:

    'h', 'e', 'l', 'l', 'o', '\0', 'w', 'o', 'r', 'l', 'd', '\0', '!', '\0'

index is the number of the string we are interested in, so index = 0 => "hello", index = 1 => "world", index = 2 => "!"

The issue will arise if the last string for some reason has no terminating '\0' character. This can happen for a damaged or specially crafted dtb.

Signed-off-by: Mikhail Kshevetskiy <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
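The stringlist walk described in the commit message, as an added example (this is not U-Boot code and not the patch author's code). It contains two hypothetical helpers: `walk_as_patched()` performs the same bounded memchr() hop as the patched loop and returns whatever pointer the loop leaves behind, while `stringlist_get()` additionally requires the selected string to start inside the property and to be NUL-terminated inside it, which is what a caller needs before treating the result as a C string. The three sample properties are constructed; the third one has no final '\0', modelling the damaged-dtb case.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * A stringlist property is a run of NUL-terminated strings packed back to
 * back:  'h','e','l','l','o','\0','w','o','r','l','d','\0','!','\0'
 * index 0 -> "hello", index 1 -> "world", index 2 -> "!".
 */

/*
 * Hypothetical helper mirroring the patched loop: memchr() bounded by the
 * property, then step past the NUL, with no check after the loop.  Returns
 * the pointer the loop ends with (it may equal name + len, one past the
 * property) or NULL when memchr() found no separator.
 */
static const char *walk_as_patched(const char *name, size_t len, unsigned index)
{
	const char *str = name;
	unsigned i;

	for (i = 0; i < index; i++) {
		str = memchr(str, '\0', name + len - str);
		if (!str)
			return NULL;
		str++;
	}
	return str;
}

/*
 * Hypothetical hardened lookup: the index-th string must begin inside the
 * property and must be terminated inside it; otherwise return NULL so the
 * caller never reads past `len` bytes.
 */
static const char *stringlist_get(const char *name, size_t len, unsigned index)
{
	const char *end = name + len;
	const char *str = name;
	unsigned i;

	for (i = 0; i < index; i++) {
		const char *nul = memchr(str, '\0', end - str);

		if (!nul)
			return NULL;	/* fewer than index + 1 strings */
		str = nul + 1;
	}
	if (str >= end)
		return NULL;		/* index points one past the last string */
	if (!memchr(str, '\0', end - str))
		return NULL;		/* last string unterminated: damaged/crafted dtb */
	return str;
}

/* Constructed sample properties; the length is passed explicitly, as with fdt_getprop(). */
static const char good[] = "hello\0world\0!";			/* 14 bytes, trailing NUL from the literal */
static const char trailing_nul_only[] = "hello";		/* 6 bytes: one string, then end of property */
static const char unterminated[] = { 'h', 'e', 'l', 'l', 'o', '\0',
				     'w', 'o', 'r', 'l', 'd' };	/* 11 bytes, no final NUL */

int main(void)
{
	const char *s;

	s = stringlist_get(good, sizeof(good), 1);
	printf("good[1]        = %s\n", s ? s : "(null)");
	s = stringlist_get(trailing_nul_only, sizeof(trailing_nul_only), 1);
	printf("trailing[1]    = %s\n", s ? s : "(null)");
	/* The patched-style walk ends exactly at name + len here: compare, never dereference. */
	printf("patched walk past end: %d\n",
	       walk_as_patched(trailing_nul_only, sizeof(trailing_nul_only), 1) ==
	       trailing_nul_only + sizeof(trailing_nul_only));
	s = stringlist_get(unterminated, sizeof(unterminated), 1);
	printf("unterminated[1] = %s\n", s ? s : "(null)");
	return 0;
}
```

The pointer `walk_as_patched()` returns for the second property is one past the buffer; computing and comparing it is legal, dereferencing it is the bug the extra checks in `stringlist_get()` prevent.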
Diffstat (limited to 'common')
-rw-r--r--  common/spl/spl_fit.c | 5
1 file changed, 3 insertions, 2 deletions
diff --git a/common/spl/spl_fit.c b/common/spl/spl_fit.c
index 86506d6905c..ab277bb2baa 100644
--- a/common/spl/spl_fit.c
+++ b/common/spl/spl_fit.c
@@ -86,11 +86,12 @@ static int spl_fit_get_image_name(const struct spl_fit_info *ctx,
str = name;
for (i = 0; i < index; i++) {
- str = strchr(str, '\0') + 1;
- if (!str || (str - name >= len)) {
+ str = memchr(str, '\0', name + len - str);
+ if (!str) {
found = false;
break;
}
+ str++;
}
if (!found && CONFIG_IS_ENABLED(SYSINFO) && !sysinfo_get(&sysinfo)) {
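Review bot: the bound check the removed code applied after the `+ 1` is gone, so the loop can now exit with `found` still true and `str == name + len`: on the last iteration memchr() may return the final byte of the property, and `str++` then points one past it (a property `"hello\0"` of length 6 with index 1 is the simplest case). The old `(str - name >= len)` test rejected exactly that; please re-add it after the loop, e.g. `if (found && str - name >= len) found = false;`. The string `str` ends up at is also not known to be terminated inside the property, which is the damaged-dtb case from the commit message, so a final `memchr(str, '\0', name + len - str)` check would make the lookup fully bounded; libfdt's `fdt_stringlist_get()` already implements this bounded walk and could replace the hand-rolled loop.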