Changeset 87acb61e in rtems for cpukit/dtc

Timestamp:
Dec 17, 2015, 6:19:11 AM
Author:
David Gibson <david@…>
Branches:
master
Children:
0ddfe029
Parents:
b41cd6c
git-author:
David Gibson <david@…> (12/17/15 06:19:11)
git-committer:
Sebastian Huber <sebastian.huber@…> (07/19/18 05:01:08)
Message:

libfdt: Fix undefined behaviour in fdt_offset_ptr()

Using pointer arithmetic to generate a pointer outside a known object is,
technically, undefined behaviour in C. Unfortunately, we were using that
in fdt_offset_ptr() to detect overflows.

To fix this we need to do our bounds / overflow checking on the offsets
before constructing pointers from them.

Reported-by: David Binderman <dcb314@…>
Signed-off-by: David Gibson <david@…>

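The commit message describes the fix as moving every bound and wraparound check onto integer offsets so that a pointer is formed only once the range is known to lie inside the blob. The following is an added example, not libfdt or RTEMS code, that shows both shapes side by side on a constructed header: `struct blob_hdr`, `offset_ptr_ub()`, `offset_ptr_checked()`, `make_sample()` and `make_hostile()` are names and layouts assumed for the example, and the two-field header is a stand-in for the real `fdt_header`, not its layout. The hostile header carries a `off_dt_struct` near the top of the 32-bit range so that `off_dt_struct + offset` wraps, which is the case the "sum < addend" test exists to catch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <limits.h>

/* Constructed stand-in for the start of an FDT blob: only the two header
 * fields the check needs.  The real fdt_header has more fields; this layout
 * is an assumption of the example, not libfdt's. */
struct blob_hdr {
    uint32_t totalsize;      /* size of the whole blob, header included */
    uint32_t off_dt_struct;  /* byte offset of the structure block */
};

/* Shape of the pre-fix code: build the pointer first, then try to notice
 * that it wrapped.  Once p + len leaves the object the comparison is
 * undefined behaviour and a compiler may fold it to "false".  Shown for
 * contrast only; never rely on it. */
static const void *offset_ptr_ub(const void *blob, int offset, unsigned len)
{
    const struct blob_hdr *h = blob;
    const char *p = (const char *)blob + h->off_dt_struct + offset;

    if (p + len < p)     /* UB whenever the pointer actually overflows */
        return NULL;
    return p;
}

/* Shape of the fixed code: do every bound and wraparound check on integer
 * offsets, and form the pointer only once [absoffset, absoffset + len) is
 * known to lie inside the blob.  Unsigned arithmetic is defined to wrap, so
 * the "sum < addend" tests are valid overflow detectors. */
static const void *offset_ptr_checked(const void *blob, int offset, unsigned len)
{
    const struct blob_hdr *h = blob;
    unsigned absoffset;

    /* Reject negative offsets explicitly rather than relying on the
     * implicit signed-to-unsigned conversion in a mixed comparison. */
    if (offset < 0)
        return NULL;

    absoffset = h->off_dt_struct + (unsigned)offset;
    if (absoffset < (unsigned)offset)       /* off_dt_struct + offset wrapped */
        return NULL;
    if (absoffset + len < absoffset)        /* absoffset + len wrapped */
        return NULL;
    if (absoffset + len > h->totalsize)     /* runs past the end of the blob */
        return NULL;

    return (const char *)blob + absoffset;  /* now a defined in-object pointer */
}

/* Constructed sample blob: 64 bytes, structure block at offset 16. */
#define SAMPLE_SIZE 64u
static unsigned char sample[SAMPLE_SIZE];

static const void *make_sample(void)
{
    struct blob_hdr h = { SAMPLE_SIZE, 16 };
    memset(sample, 0xAB, sizeof sample);
    memcpy(sample, &h, sizeof h);
    return sample;
}

/* Constructed hostile blob: the header lies about its size and places the
 * structure block near the top of the 32-bit range so that
 * off_dt_struct + offset wraps.  Without the wrap check, offset 0x20 would
 * resolve to absoffset 0x10: inside the buffer, but not where the caller
 * asked, and well clear of the totalsize check. */
static unsigned char hostile[SAMPLE_SIZE];

static const void *make_hostile(void)
{
    struct blob_hdr h = { 0xFFFFFFFFu, 0xFFFFFFF0u };
    memset(hostile, 0xAB, sizeof hostile);
    memcpy(hostile, &h, sizeof h);
    return hostile;
}

int main(void)
{
    const void *b = make_sample();
    const void *e = make_hostile();

    printf("valid    (0, 8)        -> %s\n", offset_ptr_checked(b, 0, 8) ? "ok" : "NULL");
    printf("negative (-1, 4)       -> %s\n", offset_ptr_checked(b, -1, 4) ? "ok" : "NULL");
    printf("past end (40, 9)       -> %s\n", offset_ptr_checked(b, 40, 9) ? "ok" : "NULL");
    printf("len wrap (8, UINT_MAX) -> %s\n", offset_ptr_checked(b, 8, UINT_MAX) ? "ok" : "NULL");
    printf("sum wrap (0x20, 4)     -> %s\n", offset_ptr_checked(e, 0x20, 4) ? "ok" : "NULL");
    printf("UB shape (0, 8)        -> %s\n", offset_ptr_ub(b, 0, 8) ? "ok" : "NULL");
    return 0;
}
```

The checked version rejects the hostile blob at the first comparison; the only thing the UB version is asked to do here is the valid lookup, because its overflow branch is exactly the code the commit removes.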
File:
1 edited

  • cpukit/dtc/libfdt/fdt.c

    rb41cd6c r87acb61e  
    7777const void *fdt_offset_ptr(const void *fdt, int offset, unsigned int len)
    7878{
    79         const char *p;
     79        unsigned absoffset = offset + fdt_off_dt_struct(fdt);
     80
     81        if ((absoffset < offset)
     82            || ((absoffset + len) < absoffset)
     83            || (absoffset + len) > fdt_totalsize(fdt))
     84                return NULL;
    8085
    8186        if (fdt_version(fdt) >= 0x11)
     
    8489                        return NULL;
    8590
    86         p = _fdt_offset_ptr(fdt, offset);
    87 
    88         if (p + len < p)
    89                 return NULL;
    90         return p;
     91        return _fdt_offset_ptr(fdt, offset);
    9192}
    9293
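Review bot: in the new guard at the top of fdt_offset_ptr(), `(absoffset < offset)` compares the `unsigned absoffset` against the signed `int offset`, so `offset` is converted to unsigned before the comparison. A negative `offset` is therefore rejected only through that conversion wrapping `absoffset` and the later `fdt_totalsize()` comparison, which works but is not obvious from the code and trips -Wsign-compare. Suggest an explicit `if (offset < 0) return NULL;` ahead of the arithmetic, or at least `(absoffset < (unsigned)offset)` with a one-line comment, so the intent survives the next reader. Minor: `absoffset + len` is computed twice; a local `unsigned end = absoffset + len;` would let the two checks read as `end < absoffset || end > fdt_totalsize(fdt)`.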