From patchwork Fri Mar 5 17:27:19 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [U-Boot] (patch) segfault when calling fit_check_format() on corrupt FIT images
Date: Fri, 05 Mar 2010 07:27:19 -0000
From: Jon Nalley
X-Patchwork-Id: 71730
Message-Id:
To: u-boot@lists.denx.de

All,

I found that fit_check_format() was causing a segfault when run on a corrupt FIT image. I tracked the problem down to line 92 in libfdt/fdt_ro.c in _fdt_string_eq():

return (strlen(p) == len) && (memcmp(p, s, len) == 0);

In the case of a corrupt FIT image one can't depend on 'p' being NULL terminated. I changed it to use strnlen() to fix the issue.

--- a/libfdt/fdt_ro.c Fri Mar 05 06:52:52 2010 -0600
+++ b/libfdt/fdt_ro.c Fri Mar 05 11:10:21 2010 -0600
@@ -89,7 +89,7 @@
 {
 	const char *p = fdt_string(fdt, stroffset);
 
-	return (strlen(p) == len) && (memcmp(p, s, len) == 0);
+	return (strnlen(p, len) == len) && (memcmp(p, s, len) == 0);
 }
 
 int fdt_get_mem_rsv(const void *fdt, int n, uint64_t *address, uint64_t *size)
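Review bot: the replacement `+ return (strnlen(p, len) == len) && (memcmp(p, s, len) == 0);` changes the comparison from exact-length to prefix match. strnlen(p, len) == len is true for any string whose first len bytes are non-NUL, so the function no longer checks that p terminates at position len, and a longer property or node name whose first len bytes equal s would now compare equal, whereas the original strlen(p) == len rejected it. Scanning one byte further keeps the original semantics while still bounding the read to len + 1 bytes: `return (strnlen(p, len + 1) == len) && (memcmp(p, s, len) == 0);`. Note also that this bound is relative to len, not to the strings block: in the context line `const char *p = fdt_string(fdt, stroffset);` stroffset is not validated here, so a corrupt offset can still yield a p outside the blob and the strnlen change only narrows, not removes, the out-of-bounds read on a malformed image; a range check on stroffset against the strings block size would be needed to close that, and the commit message should say which case this patch actually fixes.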