author | David Gibson <david@gibson.dropbear.id.au> | 2019-07-05 13:42:40 +1000 |
---|---|---|
committer | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2020-03-02 07:52:20 +0100 |
commit | 1a5c324480167b9eca9398a10d95d85a74fcb941 (patch) | |
tree | 31f05831da5436c7b74bce3e5f9b7c96cdb9da3f /cpukit/dtc/libfdt/libfdt_internal.h | |
parent | 0b83b822d7bfbf2910f61a103a25becf8701a223 (diff) |
libfdt: Tweak data handling to satisfy Coverity
In libfdt we often sanity test fdt_totalsize(fdt) fairly early, then
trust it (but *only* that header field) for the remainder of our work.
However, Coverity gets confused by this - it sees the byteswap in
fdt32_ld() and assumes that means it is coming from an untrusted source
every time, resulting in many tainted data warnings.
Most of these end up with logic in fdt_get_string() as the unsafe
destination for this tainted data, so let's tweak the logic there to make
it clearer to Coverity that this is ok.
We add a sanity test on fdt_totalsize() to fdt_probe_ro_(). Because the
interface allows bare ints to be used for offsets, we already have the
assumption that totalsize must be 31-bits or less (2GiB would be a
ludicrously large fdt). This makes this more explicit.
We also make fdt_probe_ro() return the size for convenience, and change the
logic in fdt_get_string() to keep it in a local so that Coverity can see
that it has already been bounds-checked.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
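The pattern the message describes (validate fdt_totalsize() once, including the 31-bit limit implied by int offsets, return the size, and keep it in a local so every later bound is visibly derived from the checked value) is shown below as an added example. It is not libfdt's or RTEMS's code: the ex_ prefixed names, the numeric error values and the constructed sample blob are all assumptions, and only the handful of header fields the checks need are filled in.

```c
/* Added example, not libfdt's code: a minimal read-only probe that checks
 * totalsize once, returns it, and keeps it in a local for later bounds
 * checks. ex_ names, error values and the sample blob are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define EX_MAGIC            0xd00dfeedU  /* FDT magic, big-endian on the wire */
#define EX_HDR_SIZE         40           /* size of a v17 fdt_header */
#define EX_OFF_MAGIC        0            /* header field byte offsets */
#define EX_OFF_TOTALSIZE    4
#define EX_OFF_DT_STRINGS   12
#define EX_OFF_SIZE_STRINGS 32
#define EX_ERR_BADOFFSET    4            /* stand-ins for -FDT_ERR_* values */
#define EX_ERR_TRUNCATED    8
#define EX_ERR_BADMAGIC     9

/* Unaligned big-endian load/store, the role fdt32_ld()/fdt32_st() play. */
static uint32_t ex_ld32(const void *p) {
    const uint8_t *b = (const uint8_t *)p;
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}
static void ex_st32(void *p, uint32_t v) {
    uint8_t *b = (uint8_t *)p;
    b[0] = (uint8_t)(v >> 24); b[1] = (uint8_t)(v >> 16);
    b[2] = (uint8_t)(v >> 8);  b[3] = (uint8_t)v;
}

/* Probe a read-only blob: returns totalsize (non-negative) on success or a
 * negative error. totalsize is validated here and trusted afterwards. */
static int ex_ro_probe(const void *fdt) {
    const uint8_t *base = (const uint8_t *)fdt;
    uint32_t totalsize;
    if (ex_ld32(base + EX_OFF_MAGIC) != EX_MAGIC)
        return -EX_ERR_BADMAGIC;
    totalsize = ex_ld32(base + EX_OFF_TOTALSIZE);
    if (totalsize & 0x80000000U)      /* offsets are ints: 31 bits max */
        return -EX_ERR_TRUNCATED;
    if (totalsize < EX_HDR_SIZE)      /* header itself must fit */
        return -EX_ERR_TRUNCATED;
    return (int)totalsize;
}

/* Fetch a NUL-terminated string from the strings block. Every bound is
 * derived from the probed totalsize held in a local, so an analyser can see
 * the value was checked before it indexes memory. On failure returns NULL
 * and stores the negative error in *lenp. */
static const char *ex_get_string(const void *fdt, int stroffset, int *lenp) {
    const uint8_t *base = (const uint8_t *)fdt;
    int totalsize = ex_ro_probe(fdt);
    int err = -EX_ERR_BADOFFSET;
    uint32_t strings_off, strings_size;
    const char *s, *end;

    if (totalsize < 0) { err = totalsize; goto fail; }
    if (stroffset < 0) goto fail;
    strings_off = ex_ld32(base + EX_OFF_DT_STRINGS);
    strings_size = ex_ld32(base + EX_OFF_SIZE_STRINGS);
    /* The strings block itself must lie inside [0, totalsize). */
    if (strings_off > (uint32_t)totalsize ||
        strings_size > (uint32_t)totalsize - strings_off) {
        err = -EX_ERR_TRUNCATED; goto fail;
    }
    if ((uint32_t)stroffset >= strings_size) goto fail;
    s = (const char *)base + strings_off + (uint32_t)stroffset;
    /* Never scan past the block: an unterminated string is a truncation. */
    end = memchr(s, '\0', strings_size - (uint32_t)stroffset);
    if (!end) { err = -EX_ERR_TRUNCATED; goto fail; }
    if (lenp) *lenp = (int)(end - s);
    return s;
fail:
    if (lenp) *lenp = err;
    return NULL;
}

/* Constructed sample blob (assumption, not a real device tree): header with
 * only the fields used above, then a strings block "compatible\0model\0".
 * Returns its totalsize, 57 bytes. */
static int ex_build_blob(uint8_t *buf, size_t cap) {
    static const char strings[] = "compatible\0model";   /* 17 bytes */
    uint32_t total = EX_HDR_SIZE + (uint32_t)sizeof strings;
    if (cap < total) return -1;
    memset(buf, 0, cap);
    ex_st32(buf + EX_OFF_MAGIC, EX_MAGIC);
    ex_st32(buf + EX_OFF_TOTALSIZE, total);
    ex_st32(buf + EX_OFF_DT_STRINGS, EX_HDR_SIZE);
    ex_st32(buf + EX_OFF_SIZE_STRINGS, (uint32_t)sizeof strings);
    memcpy(buf + EX_HDR_SIZE, strings, sizeof strings);
    return (int)total;
}

/* Scenario helpers: build the blob, optionally overwrite one header field
 * (field_off < 0 leaves it intact) to simulate corruption, and report what
 * the checks return. ex_lookup_tampered gives the string length, -999 if
 * the string differs from expect, or the negative error. */
static int ex_probe_tampered(int field_off, uint32_t value) {
    uint8_t buf[64];
    ex_build_blob(buf, sizeof buf);
    if (field_off >= 0) ex_st32(buf + field_off, value);
    return ex_ro_probe(buf);
}
static int ex_lookup_tampered(int field_off, uint32_t value, int stroffset,
                              const char *expect) {
    uint8_t buf[64];
    int len;
    const char *s;
    ex_build_blob(buf, sizeof buf);
    if (field_off >= 0) ex_st32(buf + field_off, value);
    s = ex_get_string(buf, stroffset, &len);
    if (s && expect && strcmp(s, expect) != 0) return -999;
    return len;
}
```

The interesting cases are the tampered ones: a totalsize with the top bit set is rejected at the probe before anything indexes through it, a size_dt_strings that overruns totalsize is caught by the block check, and a size_dt_strings cut short of a terminating NUL turns into a truncation error rather than a read past the block.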
Diffstat
cpukit/dtc/libfdt/libfdt_internal.h | 10
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/cpukit/dtc/libfdt/libfdt_internal.h b/cpukit/dtc/libfdt/libfdt_internal.h index 7830e550c3..741eeb3150 100644 --- a/cpukit/dtc/libfdt/libfdt_internal.h +++ b/cpukit/dtc/libfdt/libfdt_internal.h @@ -11,11 +11,11 @@ #define FDT_TAGALIGN(x) (FDT_ALIGN((x), FDT_TAGSIZE)) int fdt_ro_probe_(const void *fdt); -#define FDT_RO_PROBE(fdt) \ - { \ - int err_; \ - if ((err_ = fdt_ro_probe_(fdt)) != 0) \ - return err_; \ +#define FDT_RO_PROBE(fdt) \ + { \ + int totalsize_; \ + if ((totalsize_ = fdt_ro_probe_(fdt)) < 0) \ + return totalsize_; \ } int fdt_check_node_offset_(const void *fdt, int offset); |
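Review bot: the declaration `int fdt_ro_probe_(const void *fdt);` directly above the macro is left without a comment, yet the macro now depends on a changed return contract: the success test moves from `!= 0` to `< 0`, so a non-negative return (the totalsize, per the commit message) is success and only negative values are errors. Any remaining caller written as `if (fdt_ro_probe_(fdt) != 0)` would now treat every successful probe as a failure, and this header-only view does not show the fdt.c side that actually returns the size. Suggest adding a one-line comment on the prototype, e.g. `/* Returns totalsize (>= 0) on success, -FDT_ERR_* on failure */`, and auditing the other direct callers of fdt_ro_probe_() in the same series.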