[U-Boot] (patch) segfault when calling fit_check_format() on corrupt FIT images

Detlev Zundel dzu at denx.de
Mon Mar 8 18:07:06 CET 2010 

Hi Jon,

> I found that fit_check_format() was causing a segfault when run on a
> corrupt FIT image.  I tracked the problem down to line 92 in
> libfdt/fdt_ro.c in _fdt_string_eq():
>
> return (strlen(p) == len) && (memcmp(p, s, len) == 0);
>
> In the case of a corrupt FIT image one can't depend on 'p' being NULL
> terminated.  I changed it to use strnlen() to fix the issue.

We are a bit reluctant to accept changes here as this is shared code
with the 'dtc' device tree compiler[1].

Also when glancing over the code, it seems like there may be more places
where a corrupt fdt may backfire so this makes me also sceptic if this
single fix is a useful thing.

Stepping back a little bit, I don't even know why we should trap such a
problem at all - after all while developing we have quite a few
possibilities to shoot ourselves in the foot.  In a production system
such a thing should not happen and if it does, it will be caught by a
sensible infrastructure and e.g. a hardware watchdog.

> --- a/libfdt/fdt_ro.c   Fri Mar 05 06:52:52 2010 -0600
> +++ b/libfdt/fdt_ro.c   Fri Mar 05 11:10:21 2010 -0600
> @@ -89,7 +89,7 @@
>  {
>         const char *p = fdt_string(fdt, stroffset);
>
> -       return (strlen(p) == len) && (memcmp(p, s, len) == 0);
> +       return (strnlen(p, len) == len) && (memcmp(p, s, len) == 0);
>  }
>
>  int fdt_get_mem_rsv(const void *fdt, int n, uint64_t *address, uint64_t *size)

On the other hand if you do insist on your change, then pleas send git
patches as written in the documentation[2].

Cheers
  Detlev

[1] http://jdl.com/software/
[2] http://www.denx.de/wiki/U-Boot/Patches

-- 
[Linux] USB consoles was a  bad hack written on a drunken dare.   I'm still
constantly amazed that the thing even works at all, let alone the fact that
people are actually using it :) 
                            -- Greg KH <20090420225358.GC28697 at kroah.com>
--
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich,  Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-40 Fax: (+49)-8142-66989-80 Email: dzu at denx.de

More information about the U-Boot mailing list