kernel
/
dtc
mirror of https://git.kernel.org/pub/scm/utils/dtc/dtc.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

libfdt: fix fdt_check_full buffer overrun 

fdt_check_header assumes that its argument points to a complete header
and can read data beyond the FDT_V1_SIZE bytes which fdt_check_full
can provide.

fdt_header_size can safely return a header size with FDT_V1_SIZE bytes
available and will return a usable value even for a corrupted header.

Signed-off-by: Patrick Oppenlander <patrick.oppenlander@gmail.com>
Message-Id: <20200709041451.338548-1-patrick.oppenlander@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
main
Patrick Oppenlander 2020-07-09 14:14:51 +10:00 committed by David Gibson
parent 9d7888cbf1
commit 3e3138b4a9
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
libfdt/fdt_check.c
View File

@ -22,6 +22,8 @@ int fdt_check_full(const void *fdt, size_t bufsize)


if (bufsize < FDT_V1_SIZE) if (bufsize < FDT_V1_SIZE)
return -FDT_ERR_TRUNCATED; return -FDT_ERR_TRUNCATED;
if (bufsize < fdt_header_size(fdt))
return -FDT_ERR_TRUNCATED;
err = fdt_check_header(fdt); err = fdt_check_header(fdt);
if (err != 0) if (err != 0)
return err; return err;