From: Marek Vasut <marek.vasut+renesas@mailbox.org>
Date: Thu, 20 Nov 2025 04:15:30 +0000 (+0100)
Subject: boot: Check noffset before use
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=717f8ded395fc0369620c3935980642fed909345;p=thirdparty%2Fu-boot.git

boot: Check noffset before use

If noffset is negative, do not pass it to fit_get_name() and then further to
libfdt, this will crash sandbox with SIGSEGV because libfdt can not handle
negative node offsets without full tree check, which U-Boot inhibits to keep
size lower.

Instead, always check noffset before use, and if the return value indicates
failure, exit right away.

Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Acked-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
---

diff --git a/boot/image-fit.c b/boot/image-fit.c
index fce3a320eac..f47f37471c0 100644
--- a/boot/image-fit.c
+++ b/boot/image-fit.c
@@ -2142,7 +2142,6 @@ int fit_image_load(struct bootm_headers *images, ulong addr,
 
 		noffset = fit_conf_get_prop_node(fit, cfg_noffset, prop_name,
 						 image_ph_phase(ph_type));
-		fit_uname = fit_get_name(fit, noffset, NULL);
 	}
 	if (noffset < 0) {
 		printf("Could not find subimage node type '%s'\n", prop_name);
@@ -2150,6 +2149,9 @@ int fit_image_load(struct bootm_headers *images, ulong addr,
 		return -ENOENT;
 	}
 
+	if (!fit_uname)
+		fit_uname = fit_get_name(fit, noffset, NULL);
+
 	printf("   Trying '%s' %s subimage\n", fit_uname, prop_name);
 
 	ret = fit_image_select(fit, noffset, images->verify);