[PATCH] powerpc/boot: validate compatible entries before comparing them

[Pengpeng Hou]

`dt_is_compatible()` reads a raw `"compatible"` property into `prop_buf`
and then immediately calls `strcmp(buf + pos, compat)` on each string-list
entry.

If the current entry is not NUL-terminated within the returned property
length, `strcmp()` reads past the end of the local buffer before the
following `strnlen()` has any chance to reject the malformed property.

Validate the current entry with `strnlen()` first and only compare
bounded, terminated compatible strings.

Signed-off-by: Pengpeng Hou <pengpeng at iscas.ac.cn>
---
 arch/powerpc/boot/devtree.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/boot/devtree.c b/arch/powerpc/boot/devtree.c
index 58fbcfcc98c9..d93822f61831 100644
--- a/arch/powerpc/boot/devtree.c
+++ b/arch/powerpc/boot/devtree.c
@@ -343,11 +343,16 @@ int dt_is_compatible(void *node, const char *compat)
 	if (len < 0)
 		return 0;
 
-	for (pos = 0; pos < len; pos++) {
+	for (pos = 0; pos < len; ) {
+		int entry_len = strnlen(&buf[pos], len - pos);
+
+		if (entry_len == len - pos)
+			return 0;
+
 		if (!strcmp(buf + pos, compat))
 			return 1;
 
-		pos += strnlen(&buf[pos], len - pos);
+		pos += entry_len + 1;
 	}
 
 	return 0;
-- 
2.50.1 (Apple Git-155)