diff options
author | LoveSy <shana@zju.edu.cn> | 2021-12-15 17:30:11 +0800 |
---|---|---|
committer | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2022-07-19 09:28:22 +0200 |
commit | 6f79435915cfe57c64964ff85c234b68718980c9 (patch) | |
tree | 329c78370b21c770ef6e4e270ebacdc012c105bd /cpukit/dtc | |
parent | spsysinit01: Account for use of .noinit section (diff) | |
download | rtems-6f79435915cfe57c64964ff85c234b68718980c9.tar.bz2 |
Fix a UB when fdt_get_string return null
When fdt_get_string return null, `namep` is not correctly reset.
From the document of `fdt_getprop_by_offset`, the parameter `namep` will
be always overwritten (that is, it will be overwritten without exception
of error occurance).
As for the caller (like
https://github.com/topjohnwu/Magisk/blob/e097c097feb881f6097b6d1dc346f310bc92f5d6/native/jni/magiskboot/dtb.cpp#L42),
the code may be like:
```cpp
size_t size;
const char *name;
auto *value = fdt_getprop_by_offset(fdt, prop, &name, &size);
```
and if `value == nullptr`, `size` is also be overwritten correctly but
`name` is not, which is quite inconsistent.
This commit makes sure `name` and `size` behavior consistently (reset to
reasonable value) when error occurs.
Signed-off-by: LoveSy <shana@zju.edu.cn>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Diffstat (limited to 'cpukit/dtc')
-rw-r--r-- | cpukit/dtc/libfdt/fdt_ro.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/cpukit/dtc/libfdt/fdt_ro.c b/cpukit/dtc/libfdt/fdt_ro.c index 17584da257..9f6c551a22 100644 --- a/cpukit/dtc/libfdt/fdt_ro.c +++ b/cpukit/dtc/libfdt/fdt_ro.c @@ -481,12 +481,12 @@ const void *fdt_getprop_by_offset(const void *fdt, int offset, if (!can_assume(VALID_INPUT)) { name = fdt_get_string(fdt, fdt32_ld_(&prop->nameoff), &namelen); + *namep = name; if (!name) { if (lenp) *lenp = namelen; return NULL; } - *namep = name; } else { *namep = fdt_string(fdt, fdt32_ld_(&prop->nameoff)); } |