From: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Date: Tue, 24 Jun 2025 15:34:31 +0000 (+0200)
Subject: common/spl: guard against buffer overflow in spl_fit_get_image_name()
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=79f8f31d58dfcd2b3563c32f1cf1097cee4d7f76;p=thirdparty%2Fu-boot.git

common/spl: guard against buffer overflow in spl_fit_get_image_name()

A malformed FIT image could have an image name property that is not NUL
terminated. Reject such images.

Reported-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Tested-by: E Shattow <e@freeshell.de>
---

diff --git a/common/spl/spl_fit.c b/common/spl/spl_fit.c
index e250c11ebbd..25f3c822a49 100644
--- a/common/spl/spl_fit.c
+++ b/common/spl/spl_fit.c
@@ -73,7 +73,7 @@ static int spl_fit_get_image_name(const struct spl_fit_info *ctx,
 				  const char **outname)
 {
 	struct udevice *sysinfo;
-	const char *name, *str;
+	const char *name, *str, *end;
 	__maybe_unused int node;
 	int len, i;
 	bool found = true;
@@ -83,11 +83,17 @@ static int spl_fit_get_image_name(const struct spl_fit_info *ctx,
 		debug("cannot find property '%s': %d\n", type, len);
 		return -EINVAL;
 	}
+	/* A string property should be NUL terminated */
+	end = name + len - 1;
+	if (!len || *end) {
+		debug("malformed property '%s'\n", type);
+		return -EINVAL;
+	}
 
 	str = name;
 	for (i = 0; i < index; i++) {
 		str = strchr(str, '\0') + 1;
-		if (!str || (str - name >= len)) {
+		if (str > end) {
 			found = false;
 			break;
 		}