common/spl: fix potential out of buffer access in spl_fit_get_image_name function

The current code have two issues:
1) ineffective NULL pointer check

	str = strchr(str, '\0') + 1
	if (!str || ...

   The str here will never be NULL (because we add 1 to result of strchr())

2) strchr() may go out of the buffer for the special forms of name variable.
   It's better use memchr() function here.

   According to the code the property is a sequence of C-string like
   shown below:

     'h', 'e', 'l', 'l', 'o', '\0', 'w', 'o', 'r', 'l', 'd', '\0', '!', '\0'

   index is the string number we are interested, so

     index = 0   =>  "hello",
     index = 1   =>  "world",
     index = 2   =>  "!"

   The issue will arrise if last string for some reason have no terminating
   '\0' character. This can happen for damaged or specially crafted dtb.

Signed-off-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
Reviewed-by: Tom Rini <trini@konsulko.com>

diff --git a/common/spl/spl_fit.c b/common/spl/spl_fit.c
index 86506d6905c5ae45967206eb18ac4105ba8bd1e5..ab277bb2baa75c1b438779214d451150834c1330 100644 (file)
--- a/common/spl/spl_fit.c
+++ b/common/spl/spl_fit.c
@@ -86,11 +86,12 @@ static int spl_fit_get_image_name(const struct spl_fit_info *ctx,
 
        str = name;
        for (i = 0; i < index; i++) {
-               str = strchr(str, '\0') + 1;
-               if (!str || (str - name >= len)) {
+               str = memchr(str, '\0', name + len - str);
+               if (!str) {
                        found = false;
                        break;
                }
+               str++;
        }
 
        if (!found && CONFIG_IS_ENABLED(SYSINFO) && !sysinfo_get(&sysinfo)) {