Merge patch series "spl: fix error handling in spl_fit_get_image_name()"

Heinrich Schuchardt <heinrich.schuchardt@canonical.com> says:

spl_fit_get_image_name() used to lack a detection of malformed image name
properties in FIT images. The change in commit 3704b888a4ca ("common/spl:
fix potential out of buffer access in spl_fit_get_image_name function")
tried to fix this  but led to function spl_fit_get_image_name() no longer
detecting if a property at index > 1 does not exist.

This patch is reverted.

An explicit check for malformed image name properties is introduced.

Link: https://lore.kernel.org/u-boot/38f5d078-3328-4bdb-9c95-4fb5fe89ddc2@gmx.de/T/#u
Link: https://lore.kernel.org/r/20250624153431.46986-1-heinrich.schuchardt@canonical.com

1 files changed, 9 insertions, 4 deletions

diff --git a/common/spl/spl_fit.c b/common/spl/spl_fit.c
index b3824af475f..25f3c822a49 100644
--- a/common/spl/spl_fit.c
+++ b/common/spl/spl_fit.c
@@ -73,7 +73,7 @@ static int spl_fit_get_image_name(const struct spl_fit_info *ctx,
 				  const char **outname)
 {
 	struct udevice *sysinfo;
-	const char *name, *str;
+	const char *name, *str, *end;
 	__maybe_unused int node;
 	int len, i;
 	bool found = true;
@@ -83,15 +83,20 @@ static int spl_fit_get_image_name(const struct spl_fit_info *ctx,
 		debug("cannot find property '%s': %d\n", type, len);
 		return -EINVAL;
 	}
+	/* A string property should be NUL terminated */
+	end = name + len - 1;
+	if (!len || *end) {
+		debug("malformed property '%s'\n", type);
+		return -EINVAL;
+	}
 
 	str = name;
 	for (i = 0; i < index; i++) {
-		str = memchr(str, '\0', name + len - str);
-		if (!str) {
+		str = strchr(str, '\0') + 1;
+		if (str > end) {
 			found = false;
 			break;
 		}
-		str++;
 	}
 
 	if (!found && CONFIG_IS_ENABLED(SYSINFO) && !sysinfo_get(&sysinfo)) {