diff options
| author | Aristo Chen <[email protected]> | 2026-06-19 14:45:51 +0000 |
|---|---|---|
| committer | Tom Rini <[email protected]> | 2026-07-01 12:42:23 -0600 |
| commit | 3900903a588964555c9e76cca53ada7d217c00f7 (patch) | |
| tree | a09aa1079422bb3c96934a40b71744477fa48a30 /src/apps/http/makefsdata | |
| parent | 204eefab537f8f662abdbbce09eb6b5884ae699d (diff) | |
bootm: move OS index bound check into the legacy path
Commit 103b1e7ce8cc ("bootm: bound-check OS index in
bootm_os_get_boot_func()") added a range check to the shared accessor so
an out-of-range OS id can no longer drive an out-of-bounds read of
boot_os[]. That accessor is reached by every image format, but only a
legacy uImage can deliver an unchecked value. bootm_find_os() takes the
raw 8-bit ih_os byte straight from image_get_os() for legacy images,
whereas the FIT path reaches the accessor only after fit_image_load()
has rejected any image whose os is not one of the supported types, and
the Android path hardcodes IH_OS_LINUX. The check can therefore never
fail for FIT, where it only adds confusion and code.
Move the test to the legacy branch of bootm_find_os(), rejecting an
out-of-range OS where the untrusted byte enters. This keeps the FIT path
clear and lets the check be compiled out when CONFIG_LEGACY_IMAGE_FORMAT
is disabled. A valid OS id that has no handler is still reported by the
existing NULL return path in bootm_run_states().
Suggested-by: Simon Glass <[email protected]>
Signed-off-by: Aristo Chen <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Diffstat (limited to 'src/apps/http/makefsdata')
0 files changed, 0 insertions, 0 deletions
