boot: add precise check of the image size

It is possible that image in the slot is so big
that MCUboot swap metadata will interfere with
its content during the swap operation.

This patch introduces additional check to the image
validation procedure.

Signed-off-by: Andrzej Puzdrowski <[email protected]>

Author: nvlsianpu

boot/bootutil/src/bootutil_misc.c

@@ -387,3 +387,27 @@ boot_write_enc_key(const struct flash_area *fap, uint8_t slot,
     return 0;
 }
 #endif
+
+uint32_t bootutil_max_image_size(const struct flash_area *fap)
+{
+#if defined(MCUBOOT_SWAP_USING_SCRATCH)
+    return boot_status_off(fap);
+#elif defined(MCUBOOT_SWAP_USING_MOVE)
+    struct flash_sector sector;
+    /* get the last sector offset */
+    int rc = flash_area_sector_from_off(boot_status_off(fap), &sector);
+    if (rc) {
+        BOOT_LOG_ERR("Unable to determine flash sector of the image trailer");
+        return 0; /* Returning of zero here should cause any check which uses
+                   * this value to fail.
+                   */
+    }
+    return flash_sector_get_off(&sector);
+#elif defined(MCUBOOT_OVERWRITE_ONLY)
+    return boot_swap_info_off(fap);
+#elif defined(MCUBOOT_DIRECT_XIP)
+    return boot_swap_info_off(fap);
+#elif defined(MCUBOOT_RAM_LOAD)
+    return boot_swap_info_off(fap);
+#endif
+}

boot/bootutil/src/bootutil_priv.h

@@ -463,6 +463,8 @@ struct bootsim_ram_info *bootsim_get_ram_info(void);
     (flash_area_read((fap), (start), (output), (size)))
 #endif /* MCUBOOT_RAM_LOAD */
 
+uint32_t bootutil_max_image_size(const struct flash_area *fap);
+
 #ifdef __cplusplus
 }
 #endif

boot/bootutil/src/image_validate.c

@@ -376,6 +376,11 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
         goto out;
     }
 
+    if (it.tlv_end > bootutil_max_image_size(fap)) {
+        rc = -1;
+        goto out;
+    }
+
     /*
      * Traverse through all of the TLVs, performing any checks we know
      * and are able to do.