To make the filename handling more robust we need to resolve any possible link to get an absolute path. Furthermore the filename shall be absolute, i.e. it must start with the root '/'.
This is in preparation of adding cached fit_open support.
Signed-off-by: Marco Felsch <m.fel...@pengutronix.de>
---
 common/image-fit.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/common/image-fit.c b/common/image-fit.c
index 0067f46e60bc954b418aef3398e2c10856b41c02..1cb407d4d86cb3d0a643149bb08c46caadcd56fe 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -972,12 +972,25 @@ struct fit_handle *fit_open_buf(const void *buf, size_t size, bool verbose,
 *
 * Return: A handle to a FIT image or a ERR_PTR
 */
-struct fit_handle *fit_open(const char *filename, bool verbose,
+struct fit_handle *fit_open(const char *_filename, bool verbose,
 enum bootm_verify verify, loff_t max_size)
 {
 struct fit_handle *handle;
+ char *filename;
 int ret;
 
+ if (*_filename != '/') {
+ pr_err("The FIT filename must start with '/'\n");
+ return ERR_PTR(-EINVAL);
+ }
+
+ /* dirfd is ignored, since _filename is absolute */
+ filename = canonicalize_path(AT_FDCWD, _filename);
+ if (!filename) {
+ pr_err("Failed to resolve %s with %s\n", _filename, strerror(errno));
+ return ERR_PTR(-errno);
+ }
+
 handle = xzalloc(sizeof(struct fit_handle));
 
 handle->verbose = verbose;
@@ -988,9 +1001,12 @@ struct fit_handle *fit_open(const char *filename, bool verbose,
 if (ret && ret != -EFBIG) {
 pr_err("unable to read %s: %pe\n", filename, ERR_PTR(ret));
 free(handle);
+ free(filename);
 return ERR_PTR(ret);
 }
 
+ free(filename);
+
 handle->fit = handle->fit_alloc;
 
 ret = fit_do_open(handle);
-- 
2.39.5
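Review bot: In the `canonicalize_path()` failure branch of the first hunk, `return ERR_PTR(-errno);` reads `errno` a second time after `pr_err()` has run, so the returned code depends on the print path leaving `errno` untouched; if it ends up 0 the function returns `ERR_PTR(0)`, i.e. NULL, which a caller's `IS_ERR()` check would not treat as a failure. Capture it once with `ret = -errno;` before logging, then use `pr_err("Failed to resolve %s: %pe\n", _filename, ERR_PTR(ret));` and `return ERR_PTR(ret);`, which also matches the `%pe` style of the read error in the second hunk. This assumes `canonicalize_path()` sets `errno` on failure, which is not visible here and should be confirmed. The new `*_filename` test also dereferences the argument before any NULL check; if callers can pass NULL, `if (!_filename || *_filename != '/')` turns that into `-EINVAL` instead of a fault. `fit_open()` continues past both hunks, so any return paths between `xzalloc()` and the read that would also need `free(filename)` are not covered by this review.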