author | Courtney Cavin <courtney.cavin@sonymobile.com> | 2015-12-01 16:43:10 -0800 |
---|---|---|
committer | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2018-07-19 07:01:08 +0200 |
commit | b41cd6cb076e465346cb0b02899bea74ad8f18d9 (patch) | |
tree | a0cee7d40bf4349ee26e94e4d8e06a0e18f3e8eb | |
parent | score: Add a FALLTHROUGH comment to kvprintf() (diff) | |
libfdt: check for potential overrun in _fdt_splice()

This patch catches the conditions where:
- 'splicepoint' is set to a point outside of [ fdt, fdt_totalsize(fdt) )
- 'newlen' is negative, or 'splicepoint' plus 'newlen' results in overflow

Either of these cases can be caused by math which overflows in calling
functions, or by sizes specified through dynamic means.

Signed-off-by: Courtney Cavin <courtney.cavin@sonymobile.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson@sonymobile.com>
-rw-r--r-- | cpukit/dtc/libfdt/fdt_rw.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/cpukit/dtc/libfdt/fdt_rw.c b/cpukit/dtc/libfdt/fdt_rw.c index 70adec6c37..8be02b1f68 100644 --- a/cpukit/dtc/libfdt/fdt_rw.c +++ b/cpukit/dtc/libfdt/fdt_rw.c @@ -101,6 +101,8 @@ static int _fdt_splice(void *fdt, void *splicepoint, int oldlen, int newlen) if (((p + oldlen) < p) || ((p + oldlen) > end)) return -FDT_ERR_BADOFFSET; + if ((p < (char *)fdt) || ((end - oldlen + newlen) < (char *)fdt)) + return -FDT_ERR_BADOFFSET; if ((end - oldlen + newlen) > ((char *)fdt + fdt_totalsize(fdt))) return -FDT_ERR_NOSPACE; memmove(p + newlen, p + oldlen, end - p - oldlen); |
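Review bot: The added test `((end - oldlen + newlen) < (char *)fdt)` detects a bad `newlen` only by inspecting the result of pointer arithmetic, and forming a pointer outside the buffer is undefined behaviour in C, so a compiler is allowed to assume the wrap cannot happen and drop the comparison (the existing `(p + oldlen) < p` test just above has the same weakness). It also does not reject a negative `newlen` as such, although the commit message lists that as a caught condition: a negative value is refused only when it is large enough to push the result below `fdt`. Consider validating the integers before any pointer is formed, for example rejecting `oldlen < 0 || newlen < 0` up front and comparing `newlen - oldlen` against the remaining space as lengths rather than as addresses. A one-line comment above the new check saying which overrun each half guards against would also help the next reader.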