[rtems commit] libfdt: check for potential overrun in _fdt_splice()
Sebastian Huber
sebh at rtems.org
Thu Jul 19 05:07:41 UTC 2018
Module: rtems
Branch: master
Commit: b41cd6cb076e465346cb0b02899bea74ad8f18d9
Changeset: http://git.rtems.org/rtems/commit/?id=b41cd6cb076e465346cb0b02899bea74ad8f18d9
Author: Courtney Cavin <courtney.cavin at sonymobile.com>
Date: Tue Dec 1 16:43:10 2015 -0800
libfdt: check for potential overrun in _fdt_splice()
This patch catches the conditions where:
- 'splicepoint' is set to a point outside of [ fdt, fdt_totalsize(fdt) )
- 'newlen' is negative, or 'splicepoint' plus 'newlen' results in overflow
Either of these cases can be caused by math which overflows in calling
functions, or by sizes specified through dynamic means.
Signed-off-by: Courtney Cavin <courtney.cavin at sonymobile.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson at sonymobile.com>
---
cpukit/dtc/libfdt/fdt_rw.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/cpukit/dtc/libfdt/fdt_rw.c b/cpukit/dtc/libfdt/fdt_rw.c
index 70adec6..8be02b1 100644
--- a/cpukit/dtc/libfdt/fdt_rw.c
+++ b/cpukit/dtc/libfdt/fdt_rw.c
@@ -101,6 +101,8 @@ static int _fdt_splice(void *fdt, void *splicepoint, int oldlen, int newlen)
if (((p + oldlen) < p) || ((p + oldlen) > end))
return -FDT_ERR_BADOFFSET;
+ if ((p < (char *)fdt) || ((end - oldlen + newlen) < (char *)fdt))
+ return -FDT_ERR_BADOFFSET;
if ((end - oldlen + newlen) > ((char *)fdt + fdt_totalsize(fdt)))
return -FDT_ERR_NOSPACE;
memmove(p + newlen, p + oldlen, end - p - oldlen);
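Review bot: the second half of the new condition, `(end - oldlen + newlen) < (char *)fdt`, only rejects a negative `newlen` when it is large enough to drag the whole data end before `fdt`; a smaller negative `newlen` with `p` near the start of the blob (for example `p == fdt`, `oldlen == 0`, `newlen == -16`) passes all three checks and the `memmove(p + newlen, ...)` destination then lands before the buffer. Since the commit message says negative `newlen` is one of the cases being caught, consider checking the actual move destination directly, e.g. `(p + newlen) < (char *)fdt`, or rejecting `newlen < 0` outright, and ordering the `p < (char *)fdt` test ahead of the existing `(p + oldlen)` comparisons so nothing is computed from a pointer that has not yet been validated.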