author | Jon Nalley <lists@bluebot.org> | 2014-02-26 11:32:21 -0500 |
---|---|---|
committer | Tom Rini <trini@ti.com> | 2014-06-19 11:18:42 -0400 |
commit | af67b25250e5dd636a844d869bba8ce698422145 (patch) | |
tree | f1e25e955326b5670fc39f08d39047cc3a78e249 | |
parent | f1329c900374f9efd6a27658dbebb104648f1a06 (diff) | |
libfdt: Fix segfault when calling fit_check_format() on corrupt FIT images

It has been observed that fit_check_format() will fail when passed a
corrupt FIT image. This was tracked down to _fdt_string_eq():

    return (strlen(p) == len) && (memcmp(p, s, len) == 0);

In the case of a corrupt FIT image one can't depend on 'p' being NULL
terminated. I changed it to use strnlen() to fix the issue.

Signed-off-by: Tom Rini <trini@ti.com>
-rw-r--r-- | lib/libfdt/fdt_ro.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/libfdt/fdt_ro.c b/lib/libfdt/fdt_ro.c index f2154e8..36af043 100644 --- a/lib/libfdt/fdt_ro.c +++ b/lib/libfdt/fdt_ro.c @@ -44,7 +44,7 @@ static int _fdt_string_eq(const void *fdt, int stroffset, { const char *p = fdt_string(fdt, stroffset); - return (strlen(p) == len) && (memcmp(p, s, len) == 0); + return (strnlen(p, len + 1) == len) && (memcmp(p, s, len) == 0); } int fdt_get_mem_rsv(const void *fdt, int n, uint64_t *address, uint64_t *size) |
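Review bot: In the return statement of _fdt_string_eq(), strnlen(p, len + 1) caps the scan at len + 1 bytes, but nothing in this hunk checks that p, as returned by fdt_string(fdt, stroffset), and the len + 1 bytes after it lie inside the blob's strings block. With a corrupt image the stroffset value itself may be bogus, so both strnlen() and the following memcmp(p, s, len) can still read outside the image. Consider validating stroffset and the remaining length against the strings block size from the header before dereferencing p, and bounding the strnlen() limit by that remaining length rather than by len + 1 alone. A short comment explaining why the limit is len + 1 (one extra byte to tell an exact match from a longer string) would also help future readers.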