boot: Check noffset before use

If noffset is negative, do not pass it to fit_get_name() and then further to
libfdt, this will crash sandbox with SIGSEGV because libfdt can not handle
negative node offsets without full tree check, which U-Boot inhibits to keep
size lower.

Instead, always check noffset before use, and if the return value indicates
failure, exit right away.

Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Acked-by: Heinrich Schuchardt <xypron.glpk@gmx.de>

diff --git a/boot/image-fit.c b/boot/image-fit.c
index fce3a320eac75ddc22c390b7c4038d2d241ff732..f47f37471c05134097ff9892d94e90d666cede06 100644 (file)
--- a/boot/image-fit.c
+++ b/boot/image-fit.c
@@ -2142,7 +2142,6 @@ int fit_image_load(struct bootm_headers *images, ulong addr,
 
                noffset = fit_conf_get_prop_node(fit, cfg_noffset, prop_name,
                                                 image_ph_phase(ph_type));
-               fit_uname = fit_get_name(fit, noffset, NULL);
        }
        if (noffset < 0) {
                printf("Could not find subimage node type '%s'\n", prop_name);
@@ -2150,6 +2149,9 @@ int fit_image_load(struct bootm_headers *images, ulong addr,
                return -ENOENT;
        }
 
+       if (!fit_uname)
+               fit_uname = fit_get_name(fit, noffset, NULL);
+
        printf("   Trying '%s' %s subimage\n", fit_uname, prop_name);
 
        ret = fit_image_select(fit, noffset, images->verify);