commit fdb575a33dde3fe4f4bd0c675a4ba5c6b773ab6e
author Pali Rohár <pali@kernel.org> Fri Jul 23 11:14:02 2021 +0200
committer Stefan Roese <sr@denx.de> Sat Jul 31 09:49:31 2021 +0200
tree 51de9d0da0a1d9d22aaf921e897b1fd4b1e90761
parent 03345b9e4be18b56a08ffebd8a5c2332d948c537

tools: kwbimage: Validate extended headers of v1 images

Add basic checks for extended headers of v1 images.

Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Marek Behún <marek.behun@nic.cz>
Reviewed-by: Stefan Roese <sr@denx.de>
Reviewed-by: Chris Packham <judge.packham@gmail.com>
Tested-by: Chris Packham <judge.packham@gmail.com>

tools/kwbimage.c

diff --git a/tools/kwbimage.c b/tools/kwbimage.c
index 4d9d818..5d017dd 100644
--- a/tools/kwbimage.c
+++ b/tools/kwbimage.c
@@ -1670,6 +1670,35 @@
 		}
 	}
 
+	if (image_version((void *)ptr) == 1) {
+		struct main_hdr_v1 *mhdr = (struct main_hdr_v1 *)ptr;
+
+		if (mhdr->ext & 0x1) {
+			uint32_t ohdr_size;
+			struct opt_hdr_v1 *ohdr = (struct opt_hdr_v1 *)
+						  (ptr + sizeof(*mhdr));
+
+			while (1) {
+				if ((uint8_t *)ohdr + sizeof(*ohdr) >
+				    (uint8_t *)mhdr + header_size)
+					return -FDT_ERR_BADSTRUCTURE;
+
+				ohdr_size = (ohdr->headersz_msb << 16) |
+					    le16_to_cpu(ohdr->headersz_lsb);
+
+				if (ohdr_size < 8 ||
+				    (uint8_t *)ohdr + ohdr_size >
+				    (uint8_t *)mhdr + header_size)
+					return -FDT_ERR_BADSTRUCTURE;
+
+				if (!(*((uint8_t *)ohdr + ohdr_size - 4) & 0x1))
+					break;
+				ohdr = (struct opt_hdr_v1 *)((uint8_t *)ohdr +
+							     ohdr_size);
+			}
+		}
+	}
+
 	return 0;
 }