WolfSSL
/
wolfBoot
mirror of https://github.com/wolfSSL/wolfBoot.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Fixed manifest header boundary checks 

Added sanity check against address-space wrap-around

Revert "Added sanity check against address-space wrap-around"

This reverts commit cf81b32f38008723aa41a260a6c46920a9d3fb40.
pull/70/head
Daniele Lacamera 2020-07-13 14:18:38 +02:00
parent d897a8b40b
commit 7c8636f16b
1 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/libwolfboot.c
View File

@ -342,8 +342,15 @@ uint16_t wolfBoot_find_header(uint8_t *haystack, uint16_t type, uint8_t **ptr)
{ {
uint8_t *p = haystack; uint8_t *p = haystack;
uint16_t len; uint16_t len;
while (((p[0] != 0) || (p[1] != 0)) && ((p - haystack) < IMAGE_HEADER_SIZE)) { const uint8_t *max_p = (haystack - IMAGE_HEADER_OFFSET) + IMAGE_HEADER_SIZE;
while ((p + 4) < max_p) {
if ((p[0] == 0) && (p[1] == 0)) {
/* Explicit end of options reached */
break;
}
if (*p == HDR_PADDING) { if (*p == HDR_PADDING) {
/* Padding byte (skip one position) */
p++; p++;
continue; continue;
} }
@ -353,6 +360,10 @@ uint16_t wolfBoot_find_header(uint8_t *haystack, uint16_t type, uint8_t **ptr)
continue; continue;
} }
len = p[2] | (p[3] << 8); len = p[2] | (p[3] << 8);
if (p + 4 + len > max_p) {
/* This field is too large and would overflow the image header */
break;
}
if ((p[0] | (p[1] << 8)) == type) { if ((p[0] | (p[1] << 8)) == type) {
*ptr = (p + 4); *ptr = (p + 4);
return len; return len;