Patchwork [U-Boot] (patch) segfault when calling fit_check_format() on corrupt FIT images

login
register
mail settings
Submitter Jon Nalley
Date March 5, 2010, 5:27 p.m.
Message ID <d83696341003050927j4fef8cb4hc5de92ab79dd59ec@mail.gmail.com>
Download mbox | patch
Permalink /patch/71730/
State Superseded
Delegated to: Tom Rini
Headers show

Comments

Jon Nalley - March 5, 2010, 5:27 p.m.
All,

I found that fit_check_format() was causing a segfault when run on a
corrupt FIT image.  I tracked the problem down to line 92 in
libfdt/fdt_ro.c in _fdt_string_eq():

return (strlen(p) == len) && (memcmp(p, s, len) == 0);

In the case of a corrupt FIT image one can't depend on 'p' being NULL
terminated.  I changed it to use strnlen() to fix the issue.

Patch

--- a/libfdt/fdt_ro.c   Fri Mar 05 06:52:52 2010 -0600
+++ b/libfdt/fdt_ro.c   Fri Mar 05 11:10:21 2010 -0600
@@ -89,7 +89,7 @@ 
 {
        const char *p = fdt_string(fdt, stroffset);

-       return (strlen(p) == len) && (memcmp(p, s, len) == 0);
+       return (strnlen(p, len) == len) && (memcmp(p, s, len) == 0);
 }

 int fdt_get_mem_rsv(const void *fdt, int n, uint64_t *address, uint64_t *size)