Improved boundary checks in wolfBoot_find_header

2020-08-13 13:54:34 +02:00 · 2020-08-13 13:54:34 +02:00 · 944f816f05
parent 7c8636f16b
commit 944f816f05
2 changed files with 19 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@ -81,6 +81,7 @@ include/target.h
 tools/test-expect-version/test-expect-version
 tools/test-update-server/server
 tools/uart-flash-server/ufserver
+tools/unit-tests/unit-parser
 config/*.ld

 # Generated confiuguration file
--- a/src/libwolfboot.c
+++ b/src/libwolfboot.c
@ -26,6 +26,12 @@
 #include "wolfboot/wolfboot.h"
 #include "image.h"

+#ifdef UNIT_TEST
+#   define unit_dbg printf
+#else
+#   define unit_dbg(...) do{}while(0)
+#endif
+
 #if defined(EXT_ENCRYPTED)
    #if defined(__WOLFBOOT)
        #include "encrypt.h"
@ -342,11 +348,15 @@ uint16_t wolfBoot_find_header(uint8_t *haystack, uint16_t type, uint8_t **ptr)
 {
    uint8_t *p = haystack;
    uint16_t len;
-    const uint8_t *max_p = (haystack - IMAGE_HEADER_OFFSET) + IMAGE_HEADER_SIZE;
-
+    const volatile uint8_t *max_p = (haystack - IMAGE_HEADER_OFFSET) + IMAGE_HEADER_SIZE;
+    *ptr = NULL;
+    if (p > max_p) {
+        unit_dbg("Illegal address (too high)\n");
+        return 0;
+    }
    while ((p + 4) < max_p) {
        if ((p[0] == 0) && (p[1] == 0)) {
-            /* Explicit end of options reached */
+            unit_dbg("Explicit end of options reached\n");
            break;
        }
        if (*p == HDR_PADDING) {
@ -360,8 +370,12 @@ uint16_t wolfBoot_find_header(uint8_t *haystack, uint16_t type, uint8_t **ptr)
            continue;
        }
        len = p[2] | (p[3] << 8);
+        if ((4 + len) > (IMAGE_HEADER_SIZE - IMAGE_HEADER_OFFSET)) {
+            unit_dbg("This field is too large (bigger than the space available in the current header)\n");
+            break;
+        }
        if (p + 4 + len > max_p) {
-            /* This field is too large and would overflow the image header */
+            unit_dbg("This field is too large and would overflow the image header\n");
            break;
        }
        if ((p[0] | (p[1] << 8)) == type) {
@ -370,7 +384,6 @@ uint16_t wolfBoot_find_header(uint8_t *haystack, uint16_t type, uint8_t **ptr)
        }
        p += 4 + len;
    }
-    *ptr = NULL;
    return 0;
 }