[rtems commit] Fix a UB when fdt_get_string return null
Sebastian Huber
sebh at rtems.org
Tue Jul 19 07:21:29 UTC 2022
Module: rtems
Branch: master
Commit: 6f79435915cfe57c64964ff85c234b68718980c9
Changeset: http://git.rtems.org/rtems/commit/?id=6f79435915cfe57c64964ff85c234b68718980c9
Author: LoveSy <shana at zju.edu.cn>
Date: Wed Dec 15 17:30:11 2021 +0800
Fix a UB when fdt_get_string return null
When fdt_get_string return null, `namep` is not correctly reset.
>From the document of `fdt_getprop_by_offset`, the parameter `namep` will
be always overwritten (that is, it will be overwritten without exception
of error occurance).
As for the caller (like
https://github.com/topjohnwu/Magisk/blob/e097c097feb881f6097b6d1dc346f310bc92f5d6/native/jni/magiskboot/dtb.cpp#L42),
the code may be like:
```cpp
size_t size;
const char *name;
auto *value = fdt_getprop_by_offset(fdt, prop, &name, &size);
```
and if `value == nullptr`, `size` is also be overwritten correctly but
`name` is not, which is quite inconsistent.
This commit makes sure `name` and `size` behavior consistently (reset to
reasonable value) when error occurs.
Signed-off-by: LoveSy <shana at zju.edu.cn>
Signed-off-by: David Gibson <david at gibson.dropbear.id.au>
---
cpukit/dtc/libfdt/fdt_ro.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cpukit/dtc/libfdt/fdt_ro.c b/cpukit/dtc/libfdt/fdt_ro.c
index 17584da257..9f6c551a22 100644
--- a/cpukit/dtc/libfdt/fdt_ro.c
+++ b/cpukit/dtc/libfdt/fdt_ro.c
@@ -481,12 +481,12 @@ const void *fdt_getprop_by_offset(const void *fdt, int offset,
if (!can_assume(VALID_INPUT)) {
name = fdt_get_string(fdt, fdt32_ld_(&prop->nameoff),
&namelen);
+ *namep = name;
if (!name) {
if (lenp)
*lenp = namelen;
return NULL;
}
- *namep = name;
} else {
*namep = fdt_string(fdt, fdt32_ld_(&prop->nameoff));
}
More information about the vc
mailing list