[PATCH v2 1/3] common/spl: fix potential out of buffer access in spl_fit_get_image_name function
Tom Rini
trini at konsulko.com
Mon Jun 9 18:49:22 CEST 2025
On Sat, Jun 07, 2025 at 01:31:07AM +0300, Mikhail Kshevetskiy wrote:
> The current code has two issues:
> 1) ineffective NULL pointer check
>
> str = strchr(str, '\0') + 1
> if (!str || ...
>
> The str here will never be NULL (because we add 1 to result of strchr())
>
> 2) strchr() may go out of the buffer for the special forms of name variable.
> It's better to use the memchr() function here.
>
> According to the code the property is a sequence of C-string like
> shown below:
>
> 'h', 'e', 'l', 'l', 'o', '\0', 'w', 'o', 'r', 'l', 'd', '\0', '!', '\0'
>
> index is the string number we are interested in, so
>
> index = 0 => "hello",
> index = 1 => "world",
> index = 2 => "!"
>
> The issue will arise if the last string for some reason has no terminating
> '\0' character. This can happen for a damaged or specially crafted dtb.
>
> Signed-off-by: Mikhail Kshevetskiy <mikhail.kshevetskiy at iopsys.eu>
Thanks for explaining how I was misreading things so badly.
Reviewed-by: Tom Rini <trini at konsulko.com>
--
Tom
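A bounded lookup in the spirit of the memchr() fix discussed above, as an added example: it is not U-Boot's spl_fit_get_image_name() and not part of this thread; get_string_at() and the sample buffers are constructed here.

```c
/* Added example (not U-Boot code): find string number `index` in a buffer of
 * NUL-separated C strings without ever reading past the buffer's known length. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Return a pointer to string number `index` inside `buf` (`len` bytes), or
 * NULL if that string does not exist or is not NUL-terminated inside the
 * buffer. memchr() is given the remaining length, so a property whose last
 * string lacks its '\0' is rejected instead of being scanned past the end,
 * which is what an unbounded strchr() would do on a damaged or crafted dtb.
 */
static const char *get_string_at(const char *buf, size_t len, int index)
{
	const char *end = buf + len;
	const char *str = buf;

	if (!buf || index < 0)
		return NULL;

	for (;;) {
		const char *nul = memchr(str, '\0', (size_t)(end - str));

		if (!nul)	/* current string runs off the end of the buffer */
			return NULL;
		if (index == 0)
			return str;
		index--;
		str = nul + 1;
		if (str >= end)	/* no more strings in the property */
			return NULL;
	}
}

int main(void)
{
	/* constructed sample property: "hello\0world\0!\0" (sizeof counts the final '\0') */
	static const char good[] = "hello\0world\0!";
	/* constructed damaged property: same layout, but the final '\0' is missing */
	static const char bad[] = { 'h', 'e', 'l', 'l', 'o', '\0', '!' };

	printf("%s %s %s\n", get_string_at(good, sizeof(good), 0),
	       get_string_at(good, sizeof(good), 1),
	       get_string_at(good, sizeof(good), 2));
	/* index 1 of the damaged buffer is unterminated, so NULL is returned */
	printf("%s\n", get_string_at(bad, sizeof(bad), 1) ? "found" : "rejected");
	return 0;
}
```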