This new function implements a complete and thorough check of an fdt blob's
structure. Given a buffer containing an fdt, it should return 0 only if
the fdt within is structurally sound in all regards. It doesn't check
anything about the blob's contents (i.e. the actual values of the nodes and
properties), of course.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
fdt_num_mem_rsv() and fdt_get_mem_rsv() currently don't sanity check their
parameters, or the memory reserve section offset in the header. That means
that on a corrupted blob they could access outside of the range of memory
that they should.
This improves their safety checking, meaning they shouldn't access outside
the blob's bounds, even if its contents are badly corrupted.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
fdt_string() is used to retrieve strings from a DT blob's strings section.
It's rarely used directly, but is widely used internally.
However, it doesn't do any bounds checking, which means in the case of a
corrupted blob it could access bad memory, which libfdt is supposed to
avoid.
This write a safe alternative to fdt_string, fdt_get_string(). It checks
both that the given offset is within the string section and that the string
it points to is properly \0 terminated within the section. It also returns
the string's length as a convenience (since it needs to determine to do the
checks anyway).
fdt_string() is rewritten in terms of fdt_get_string() for compatibility.
Most of the diff here is actually testing infrastructure.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Currently fdt_check_header() performs only some rudimentary checks, which
is not really what the name suggests. This strengthens fdt_check_header()
to check as much about the blob as is possible from the header alone: as
well as checking the magic number and version, it checks that the total
size is sane, and that all the sub-blocks within the blob lie within the
total size.
* This broadens the meaning of FDT_ERR_TRUNCATED to cover all sorts of
improperly terminated blocks as well as just a structure block without
FDT_END.
* This makes fdt_check_header() only succeed on "complete" blobs, not
in-progress sequential write blobs. The only reason this didn't fail
before was that this function used to be called by many RO functions
which are supposed to also work on incomplete SW blobs.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
When creating a tree with the sequential write functions, certain things
have to be done in a certain order. You must create the memory reserve map
and only then can you create the actual tree structure.
The -FDT_ERR_BADSTATE return code is for if you try to do things out of
order. However, we weren't checking that very thoroughly, so it was
possible to generate a corrupted blob if, for example, you started calling
fdt_begin_node() etc. before calling fdt_finish_reservemap().
This makes the state checking more thorough disallow that.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add a test that checks for existence or not of a node.
It is useful for testing the various cases when generating
symbols and fixups for dynamic device tree objects.
Signed-off-by: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Add some test infrastructure to test that the overlay can be merged, but
also that poorly formatted fixups would fail as expected.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
[dwg: Don't execute bad overlay tests without overlay aware dtc]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Implement a macro based on fdt_first_property_offset and
fdt_next_property_offset that provides a convenience to iterate over all
the properties of a given node.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Acked-by: Simon Glass <sjg@chromium.org>
[dwg: Removed a stray trailing blank line]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Given a device tree node and a property name, the fdt_stringlist_count()
function counts the number of strings found in the property value.
This also adds a new error code, FDT_ERR_BADVALUE, that the function
returns when it encounters a non-NUL-terminated string list.
Signed-off-by: Thierry Reding <treding@nvidia.com>
[Changed testcase name --dwg]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This patch makes a small start on libfdt functions which actually help to
parse the contents of device trees, rather than purely manipulating the
tree's structure.
We add simple helpers to read and sanity check the #address-cells and
#size-cells values for a given node.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The device tree language as currently defined conflicts with the C pre-
processor in one aspect - when a property or node name begins with a #
character, a pre-processor would attempt to interpret it as a directive,
fail, and most likely error out.
This change allows a property/node name to be prefixed with \. This
prevents a pre-processor from seeing # as the first non-whitespace
character on the line, and hence prevents the conflict. \ was previously
an illegal character in property/node names, so this change is
backwards compatible. The \ is stripped from the name during parsing
by dtc.
Signed-off-by: Stephen Warren <swarren@nvidia.com>
Acked-by: David Gibson <david@gibson.dropbear.id.au>
Several files were added, and should be in .gitignore. The *.test.dts
pattern should catch future source files which are generated by tests.
It also subsumes the old *.dtb.test.dts pattern.
Signed-off-by: Simon Glass <sjg@chromium.org>
We've add some test (generated) binaries that aren't currently listed in
.gitignore, in addition more scripts now generate various tmp.* files
during operation. This adds them all to .gitignore.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Elements of size 8, 16, 32, and 64 bits are supported. The new
/bits/ syntax was selected so as to not pollute the reserved
keyword space with uint8/uint16/... type names.
With this patch the following property assignment:
property = /bits/ 16 <0x1234 0x5678 0x0 0xffff>;
is equivalent to:
property = <0x12345678 0x0000ffff>;
It is now also possible to directly specify a 64 bit literal in a
cell list, also known as an array using:
property = /bits/ 64 <0xdeadbeef00000000>;
It is an error to attempt to store a literal into an element that is
too small to hold the literal, and the compiler will generate an
error when it detects this. For instance:
property = /bits/ 8 <256>;
Will fail to compile. It is also an error to attempt to place a
reference in a non 32-bit element.
The documentation has been changed to reflect that the cell list
is now an array of elements that can be of sizes other than the
default 32-bit cell size.
The sized_cells test tests the creation and access of 8, 16, 32,
and 64-bit sized elements. It also tests that the creation of two
properties, one with 16 bit elements and one with 32 bit elements
result in the same property contents.
Signed-off-by: Anton Staaf <robotboy@chromium.org>
Acked-by: David Gibson <david@gibson.dropbear.id.au>
With this patch the following property assignment:
property = <0x12345678 'a' '\r' 100>;
is equivalent to:
property = <0x12345678 0x00000061 0x0000000D 0x00000064>
Signed-off-by: Anton Staaf <robotboy@chromium.org>
Acked-by: David Gibson <david@gibson.dropbear.id.au>