Validate FDT string offsets

danielinux · danielinux · commit cd7cb7996752 · 2026-03-30T14:12:52.000+02:00
F/1481
diff --git a/src/fdt.c b/src/fdt.c
@@ -522,9 +522,26 @@ const char* fdt_get_name(const void *fdt, int nodeoffset, int *len)
 
 const char* fdt_get_string(const void *fdt, int stroffset, int *lenp)
 {
-    const char *s = (const char*)fdt + fdt_off_dt_strings(fdt) + stroffset;
+    uint32_t strsize = fdt_size_dt_strings(fdt);
+    const char *s;
+    const char *end;
+
+    if ((stroffset < 0) || ((uint32_t)stroffset >= strsize)) {
+        if (lenp)
+            *lenp = -FDT_ERR_BADOFFSET;
+        return NULL;
+    }
+
+    s = (const char*)fdt + fdt_off_dt_strings(fdt) + stroffset;
+    end = memchr(s, '\0', strsize - (uint32_t)stroffset);
+    if (end == NULL) {
+        if (lenp)
+            *lenp = -FDT_ERR_BADSTRUCTURE;
+        return NULL;
+    }
+
     if (lenp) {
-        *lenp = (int)strlen(s);
+        *lenp = (int)(end - s);
     }
     return s;
 }
diff --git a/tools/unit-tests/Makefile b/tools/unit-tests/Makefile
@@ -42,7 +42,7 @@ endif
 
 
 
-TESTS:=unit-parser unit-extflash unit-string unit-spi-flash unit-aes128 \
+TESTS:=unit-parser unit-fdt unit-extflash unit-string unit-spi-flash unit-aes128 \
        unit-aes256 unit-chacha20 unit-pci unit-mock-state unit-sectorflags \
        unit-image unit-image-rsa unit-nvm unit-nvm-flagshome unit-enc-nvm \
        unit-enc-nvm-flagshome unit-delta unit-update-flash \
@@ -79,6 +79,7 @@ unit-aes128:CFLAGS+=-DEXT_ENCRYPTED -DENCRYPT_WITH_AES128
 unit-aes256:CFLAGS+=-DEXT_ENCRYPTED -DENCRYPT_WITH_AES256
 unit-chacha20:CFLAGS+=-DEXT_ENCRYPTED -DENCRYPT_WITH_CHACHA
 unit-parser:CFLAGS+=-DNVM_FLASH_WRITEONCE
+unit-fdt:CFLAGS+=-DWOLFBOOT_FDT
 unit-nvm:CFLAGS+=-DNVM_FLASH_WRITEONCE -DMOCK_PARTITIONS
 unit-nvm-flagshome:CFLAGS+=-DNVM_FLASH_WRITEONCE -DMOCK_PARTITIONS -DFLAGS_HOME
 unit-enc-nvm:CFLAGS+=-DNVM_FLASH_WRITEONCE -DMOCK_PARTITIONS -DEXT_ENCRYPTED \
@@ -112,6 +113,10 @@ unit-extflash.o: FORCE
 unit-parser: ../../include/target.h unit-parser.c
 	gcc -o $@ $^ $(CFLAGS) $(LDFLAGS)
 
+unit-fdt: ../../include/target.h unit-fdt.c ../../src/fdt.c
+	gcc -o $@ $^ $(CFLAGS) -ffunction-sections -fdata-sections $(LDFLAGS) \
+		-Wl,--gc-sections
+
 unit-extflash: ../../include/target.h unit-extflash.c
 	gcc -o $@ $^ $(CFLAGS) $(LDFLAGS)
 
diff --git a/tools/unit-tests/unit-fdt.c b/tools/unit-tests/unit-fdt.c
@@ -0,0 +1,86 @@
+/* unit-fdt.c
+ *
+ * Unit tests for flattened device tree helpers.
+ */
+
+#include <check.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "../../include/fdt.h"
+
+void wolfBoot_printf(const char *fmt, ...)
+{
+    (void)fmt;
+}
+
+START_TEST(test_fdt_get_string_rejects_out_of_range_offset)
+{
+    struct {
+        struct fdt_header hdr;
+        char strings[8];
+        char after[4];
+    } blob;
+    int len = 1234;
+    const char *s;
+
+    memset(&blob, 0, sizeof(blob));
+    fdt_set_off_dt_strings(&blob, sizeof(blob.hdr));
+    fdt_set_size_dt_strings(&blob, sizeof(blob.strings));
+    memcpy(blob.strings, "chosen", sizeof("chosen"));
+    blob.after[0] = 'X';
+    blob.after[1] = '\0';
+
+    s = fdt_get_string(&blob, (int)sizeof(blob.strings), &len);
+
+    ck_assert_ptr_null(s);
+    ck_assert_int_eq(len, -FDT_ERR_BADOFFSET);
+}
+END_TEST
+
+START_TEST(test_fdt_get_string_returns_string_with_valid_offset)
+{
+    struct {
+        struct fdt_header hdr;
+        char strings[16];
+    } blob;
+    int len = -1;
+    const char *s;
+
+    memset(&blob, 0, sizeof(blob));
+    fdt_set_off_dt_strings(&blob, sizeof(blob.hdr));
+    fdt_set_size_dt_strings(&blob, sizeof(blob.strings));
+    memcpy(blob.strings, "serial\0console\0", 15);
+
+    s = fdt_get_string(&blob, 7, &len);
+
+    ck_assert_ptr_nonnull(s);
+    ck_assert_str_eq(s, "console");
+    ck_assert_int_eq(len, 7);
+}
+END_TEST
+
+static Suite *fdt_suite(void)
+{
+    Suite *s = suite_create("fdt");
+    TCase *tc = tcase_create("fdt");
+
+    tcase_add_test(tc, test_fdt_get_string_rejects_out_of_range_offset);
+    tcase_add_test(tc, test_fdt_get_string_returns_string_with_valid_offset);
+    suite_add_tcase(s, tc);
+
+    return s;
+}
+
+int main(void)
+{
+    int fails;
+    Suite *s = fdt_suite();
+    SRunner *sr = srunner_create(s);
+
+    srunner_run_all(sr, CK_NORMAL);
+    fails = srunner_ntests_failed(sr);
+    srunner_free(sr);
+
+    return fails;
+}
