kernel
/
dtc
mirror of https://git.kernel.org/pub/scm/utils/dtc/dtc.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

libfdt: check for potential overrun in _fdt_splice() 

This patch catches the conditions where:
 - 'splicepoint' is set to a point outside of [ fdt, fdt_totalsize(fdt) )
 - 'newlen' is negative, or 'splicepoint' plus 'newlen' results in overflow

Either of these cases can be caused by math which overflows in calling
functions, or by sizes specified through dynamic means.

Signed-off-by: Courtney Cavin <courtney.cavin@sonymobile.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson@sonymobile.com>
main
Courtney Cavin 2015-12-01 16:43:10 -08:00 committed by David Gibson
parent f58799be13
commit d4c7c25c9e
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
libfdt/fdt_rw.c
View File

@ -101,6 +101,8 @@ static int _fdt_splice(void *fdt, void *splicepoint, int oldlen, int newlen)


if (((p + oldlen) < p) || ((p + oldlen) > end)) if (((p + oldlen) < p) || ((p + oldlen) > end))
return -FDT_ERR_BADOFFSET; return -FDT_ERR_BADOFFSET;
if ((p < (char *)fdt) || ((end - oldlen + newlen) < (char *)fdt))
return -FDT_ERR_BADOFFSET;
if ((end - oldlen + newlen) > ((char *)fdt + fdt_totalsize(fdt))) if ((end - oldlen + newlen) > ((char *)fdt + fdt_totalsize(fdt)))
return -FDT_ERR_NOSPACE; return -FDT_ERR_NOSPACE;
memmove(p + newlen, p + oldlen, end - p - oldlen); memmove(p + newlen, p + oldlen, end - p - oldlen);