From: Jon Nalley
To: u-boot@lists.denx.de
Date: Fri, 5 Mar 2010 11:27:19 -0600
Subject: [U-Boot] (patch) segfault when calling fit_check_format() on corrupt FIT images
X-Patchwork-Id: 71730
X-Patchwork-Delegate: trini@ti.com

All,

I found that fit_check_format() was causing a segfault when run on a
corrupt FIT image. I tracked the problem down to line 92 in
libfdt/fdt_ro.c in _fdt_string_eq():

    return (strlen(p) == len) && (memcmp(p, s, len) == 0);

In the case of a corrupt FIT image one can't depend on 'p' being NULL
terminated. I changed it to use strnlen() to fix the issue.

--- a/libfdt/fdt_ro.c Fri Mar 05 06:52:52 2010 -0600 +++ b/libfdt/fdt_ro.c Fri Mar 05 11:10:21 2010 -0600 @@ -89,7 +89,7 @@ { const char *p = fdt_string(fdt, stroffset); - return (strlen(p) == len) && (memcmp(p, s, len) == 0); + return (strnlen(p, len) == len) && (memcmp(p, s, len) == 0); } int fdt_get_mem_rsv(const void *fdt, int n, uint64_t *address, uint64_t *size)
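
Review bot: strnlen(p, len) == len in the changed return line is also true when the string at p is longer than len, so a name that merely starts with s (for example p = "compatible", s = "compat", len = 6) now compares equal, where the strlen() version rejected it. Bounding the scan at len + 1, or keeping strnlen(p, len) and adding a p[len] == '\0' test after the memcmp(), keeps the exact-match behaviour. Separately, nothing in the hunk checks p against the end of the blob, so with a corrupt stroffset the strnlen() and memcmp() reads of up to len bytes can still land outside the image; that bound would have to come from fdt_string() or from a size test here.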
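
The comparison from the patch next to a variant that bounds every read, as an added example that is not part of the original post or of libfdt. `bounded_len` is a portable stand-in for `strnlen()`; `eq_bounded`, its `strs`/`strs_size` parameters and the sample strings block are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed strings block; the last name, "data", has lost its NUL. */
static const char STRS[] = {
    'm','o','d','e','l','\0',
    'c','o','m','p','a','t','i','b','l','e','\0',
    'd','a','t','a'
};

/* Portable stand-in for strnlen(): scans at most max bytes of p. */
static size_t bounded_len(const char *p, size_t max)
{
    const char *nul = memchr(p, '\0', max);
    return nul ? (size_t)(nul - p) : max;
}

/* The comparison as posted in the patch. */
static int eq_as_patched(const char *p, const char *s, size_t len)
{
    return (bounded_len(p, len) == len) && (memcmp(p, s, len) == 0);
}

/* Hypothetical variant: off is untrusted, strs/strs_size bound every read. */
static int eq_bounded(const char *strs, size_t strs_size, size_t off,
                      const char *s, size_t len)
{
    if (off >= strs_size || len >= strs_size - off)
        return 0;               /* name plus its NUL cannot fit in the block */
    const char *p = strs + off;
    return memcmp(p, s, len) == 0 && p[len] == '\0';
}

int main(void)
{
    size_t n = sizeof(STRS);
    printf("patched  compat@6     -> %d\n", eq_as_patched(STRS + 6, "compat", 6));
    printf("bounded  compat@6     -> %d\n", eq_bounded(STRS, n, 6, "compat", 6));
    printf("bounded  compatible@6 -> %d\n", eq_bounded(STRS, n, 6, "compatible", 10));
    printf("bounded  data@17      -> %d\n", eq_bounded(STRS, n, 17, "data", 4));
    printf("bounded  model@9999   -> %d\n", eq_bounded(STRS, n, 9999, "model", 5));
    return 0;
}
```

The first line shows the prefix match the posted comparison accepts; the last two show an unterminated name at the end of the block and an out-of-range offset being rejected without any read outside `STRS`.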