With -Wsign-compare, compilers warn about a mismatching signedness in
comparisons in various files in the tests/ directory.
For about half of the cases we can simply change the signed variable to
be of an unsigned type, because they will never need to store negative
values (which is the best fix of the problem).
In the remaining cases we can cast the signed variable to an unsigned
type, provided we know for sure it is not negative.
We see two different scenarios here:
- We either just explicitly checked for this variable to be positive
(if (rc < 0) FAIL();), or
- We rely on a function returning only positive values in the "length"
pointer if the function returned successfully: which we just checked.
At two occasions we compare with a constant "-1" (even though the
variable is unsigned), so we just change this to ~0U to create an
unsigned comparison value.
Since this is about the tests, let's also add explicit tests for those
values really not being negative.
This fixes "make tests" (but not "make check" yet), when compiled
with -Wsign-compare.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Message-Id: <20210618172030.9684-2-andre.przywara@arm.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
The root node is supposed to have an empty name, but at present this is
not checked. The behaviour of such a tree is not well defined. Most
software rightly assumes that the root node is at offset 0 and does not
check the name. This oddity was discovered as part of a security
investigation into U-Boot verified boot.
Add a check for this to fdt_check_full().
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Message-Id: <20210323010410.3222701-2-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
At present it is possible to have two root nodes and even access nodes
in the 'second' root. Such trees should not be considered valid. This
was discovered as part of a security investigation into U-Boot verified
boot.
Add a check for this to fdt_check_full().
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Message-Id: <20210323000926.3210733-1-sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
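The two root-node conditions described in the commit messages above (the root's name must be empty, and there must be only one root) can be shown on a bare structure block. This is an added example, not libfdt's fdt_check_full() code; check_single_root() and the sample byte arrays are hypothetical and constructed, while the token values are those of the flattened device tree format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { T_BEGIN = 1, T_END_NODE = 2, T_PROP = 3, T_NOP = 4, T_END = 9 };

static uint32_t be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | p[3];
}

/* Hypothetical checker: 0 if the block holds exactly one root node and its
 * name is empty, -1 for anything else (including truncated input). */
static int check_single_root(const uint8_t *s, size_t len)
{
	size_t off = 0, n;
	int depth = 0, roots = 0;
	while (off <= len && len - off >= 4) {
		uint32_t tok = be32(s + off);
		off += 4;
		if (tok == T_BEGIN) {
			const uint8_t *nul = memchr(s + off, 0, len - off);
			if (!nul)
				return -1;		/* unterminated node name */
			n = (size_t)(nul - (s + off));
			if (depth == 0 && (roots++ > 0 || n != 0))
				return -1;		/* second root, or named root */
			off += (n + 4) & ~(size_t)3;	/* name + NUL, padded to 4 */
			depth++;
		} else if (tok == T_END_NODE) {
			if (depth-- == 0)
				return -1;
		} else if (tok == T_PROP) {
			if (depth == 0 || len - off < 8 || be32(s + off) > len - off - 8)
				return -1;		/* property outside a node, or too long */
			off += 8 + (((size_t)be32(s + off) + 3) & ~(size_t)3);
		} else if (tok == T_END) {
			return (depth == 0 && roots == 1) ? 0 : -1;
		} else if (tok != T_NOP) {
			return -1;
		}
	}
	return -1;				/* ran off the end without FDT_END */
}
/* Constructed sample blocks, not taken from the dtc test suite. */
static const uint8_t one_root[]   = { 0,0,0,1, 0,0,0,0, 0,0,0,2, 0,0,0,9 };
static const uint8_t named_root[] = { 0,0,0,1, 'x',0,0,0, 0,0,0,2, 0,0,0,9 };
static const uint8_t two_roots[]  = { 0,0,0,1, 0,0,0,0, 0,0,0,2, 0,0,0,1, 0,0,0,0, 0,0,0,2, 0,0,0,9 };
```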
Instead of outputting files to current directory, allow to specify an
output directory. This helps with meson build system out-of-tree support.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20191009102025.10179-4-marcandre.lureau@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Replace instances in tests of mostly LGPL-2.1 license boilerplate
with SPDX tags.
Signed-off-by: Rob Herring <robh@kernel.org>
Message-Id: <20190620211944.9378-5-robh@kernel.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This new function implements a complete and thorough check of an fdt blob's
structure. Given a buffer containing an fdt, it should return 0 only if
the fdt within is structurally sound in all regards. It doesn't check
anything about the blob's contents (i.e. the actual values of the nodes and
properties), of course.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Simon Glass <sjg@chromium.org>
In a number of places, dtc and associated tools and test code use
leading _ characters on identifiers to flag them as "internal", an
idiom taken from the Linux kernel. This is a bad idea in a userspace
program, because identifiers with a leading _ are reserved for the C
library / system.
In some cases, the extra _ served no real purpose, so simply drop it. In
others move to the end of the identifier, which is a convention we're free
to use for our own purposes.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This fixes a great many sparse warnings on the fdt and libfdt sources.
These are mostly due to incorrect mixing of endian annotated and native
integer types.
This includes fixing a couple of quasi-bugs where we had endian conversions
the wrong way around (this will have the right effect in practice, but is
certainly conceptually incorrect).
This doesn't make the whole tree sparse clean: there are many warnings in
bison and lex generated code, and there are a handful of other remaining
warnings that are (for now) more trouble than they're worth to fix (and
are not genuine bugs).
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
We have a couple of checks of the form:
	if (offset+size > totalsize)
		die();
We need to check that offset+size doesn't overflow, otherwise the check
will pass, and we may access past totalsize.
Found with AFL.
Signed-off-by: Anton Blanchard <anton@samba.org>
[Added a testcase]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
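The wrap-around described in the commit message above, next to a bounds check that cannot overflow. This is an added example, not code from dtc or from the commit; it assumes 32-bit unsigned offsets and sizes, and struct region, the function names and the sample values are hypothetical and constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical description of one sub-block of a blob. */
struct region { uint32_t offset, size; };

/* The check as quoted: offset+size is computed modulo 2^32, so a large
 * offset wraps to a small sum and passes. Returns 1 if "in bounds". */
static int in_bounds_naive(struct region r, uint32_t totalsize)
{
	return !((uint32_t)(r.offset + r.size) > totalsize);
}

/* Overflow-safe form: compare against the space left, never add. */
static int in_bounds_checked(struct region r, uint32_t totalsize)
{
	return r.offset <= totalsize && r.size <= totalsize - r.offset;
}

/* Validate every region of a blob; returns the index of the first region
 * that does not fit, or -1 if all of them do. */
static int first_bad_region(const struct region *r, size_t n, uint32_t totalsize)
{
	for (size_t i = 0; i < n; i++)
		if (!in_bounds_checked(r[i], totalsize))
			return (int)i;
	return -1;
}

/* Constructed sample layout for a 0x178-byte blob; the last entry wraps. */
static const struct region sample[] = {
	{ 0x38, 0x100 }, { 0x138, 0x40 }, { 0xfffffff0u, 0x20 },
};
```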
tests will need fdt type definitions provided in a subsequent patch
to libfdt_env.h. Since libfdt.h includes libfdt_env.h in the right
order anyway, just remove the fdt.h include.
Signed-off-by: Kim Phillips <kim.phillips@freescale.com>
Acked-by: David Gibson <david@gibson.dropbear.id.au>
This patch adds checks to the checking framework to verify that node
and property names contain only legal characters, and in the case of
node names there is at most one '@'.
At present when coming from dts input, this is mostly already ensured
by the grammar, however putting the check later means it's easier to
generate helpful error messages rather than just "syntax error". For
dtb input, these checks replace the older similar check built into
flattree.c.
Testcases for the checks are also implemented.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
When I released libfdt, I forgot to add a copyright notice to
dumptrees.c (probably because the program is so trivial). Apparently
the lack causes trouble for Debian, so this patch adds one. I've gone
through the git history and double checked that no-one has touched
this file except me (and I barely have myself since its initial
commit).
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
At present fdt.h #includes stdint.h. This makes some sense, because fdt.h
uses the standard fixed-width integer types. However, this can make life
difficult when building in different environments which may not have a
stdint.h. Therefore, this patch removes the #include from fdt.h, instead
requiring that users of fdt.h define the fixed-width integer types before
including fdt.h, either by themselves including stdint.h, or by any other
means.
At present, the blob containing a device tree is passed to the various
fdt_*() functions as a (struct fdt_header *) i.e. a pointer to the
header structure at the beginning of the blob.
This patch changes all the functions so that they instead take a (void
*) pointing to the blob. Under some circumstances this can avoid the need
for the caller to cast a blob pointer into a (struct fdt_header *)
before passing it to the fdt_*() functions.
Using a (void *) also reduces the temptation for users of the library
to directly dereference the (struct fdt_header *) to access header
fields. Instead they must use the fdt_get_header() or
fdt_set_header() macros, or the fdt_magic(), fdt_totalsize()
etc. wrappers around them which are safer, since they will always
handle endian conversion.
With this change, the whole-tree moving, or manipulating functions:
fdt_move(), fdt_open_into() and fdt_pack() no longer need to return a
pointer to the "new" tree. The given (void *) buffer pointer they
take can instead be used directly by the caller as the new tree.
Those functions are thus changed to instead return an error code
(which in turn reduces the number of functions using the ugly encoding
of error values into pointers).
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This patch adds exported accessor macros for the various flat device
tree header fields to libfdt.h. This necessitates moving some of the
byte-swapping functions.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>