commit 57894fbfbc0b8e1ed594d4a264f74109989938c5
author Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Tue Jun 24 17:34:31 2025 +0200
committer Tom Rini <trini@konsulko.com> Thu Jun 26 11:58:17 2025 -0600
tree 0cc2926ca92003fb6f9e948b62a1b7affa07344d
parent d682bf995ba5f85ed7e06c674ee117b85ec6aa84

common/spl: guard against buffer overflow in spl_fit_get_image_name()

A malformed FIT image could have an image name property that is not NUL
terminated. Reject such images.

Reported-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Tested-by: E Shattow <e@freeshell.de>

common/spl/spl_fit.c

diff --git a/common/spl/spl_fit.c b/common/spl/spl_fit.c
index e250c11..25f3c82 100644
--- a/common/spl/spl_fit.c
+++ b/common/spl/spl_fit.c
@@ -73,7 +73,7 @@
 				  const char **outname)
 {
 	struct udevice *sysinfo;
-	const char *name, *str;
+	const char *name, *str, *end;
 	__maybe_unused int node;
 	int len, i;
 	bool found = true;
@@ -83,11 +83,17 @@
 		debug("cannot find property '%s': %d\n", type, len);
 		return -EINVAL;
 	}
+	/* A string property should be NUL terminated */
+	end = name + len - 1;
+	if (!len || *end) {
+		debug("malformed property '%s'\n", type);
+		return -EINVAL;
+	}
 
 	str = name;
 	for (i = 0; i < index; i++) {
 		str = strchr(str, '\0') + 1;
-		if (!str || (str - name >= len)) {
+		if (str > end) {
 			found = false;
 			break;
 		}