Changeset b41cd6c in rtems


Timestamp:
Dec 2, 2015, 12:43:10 AM (4 years ago)
Author:
Courtney Cavin <courtney.cavin@…>
Branches:
master
Children:
87acb61e
Parents:
bda8f80
git-author:
Courtney Cavin <courtney.cavin@…> (12/02/15 00:43:10)
git-committer:
Sebastian Huber <sebastian.huber@…> (07/19/18 05:01:08)
Message:

libfdt: check for potential overrun in _fdt_splice()

This patch catches the conditions where:

  • 'splicepoint' is set to a point outside of [ fdt, fdt_totalsize(fdt) )
  • 'newlen' is negative, or 'splicepoint' plus 'newlen' results in overflow

Either of these cases can be caused by math which overflows in calling
functions, or by sizes specified through dynamic means.

Signed-off-by: Courtney Cavin <courtney.cavin@…>
Signed-off-by: Bjorn Andersson <bjorn.andersson@…>

File:
1 edited

  • cpukit/dtc/libfdt/fdt_rw.c

    rbda8f80 rb41cd6c  
    101101
    102102        if (((p + oldlen) < p) || ((p + oldlen) > end))
     103                return -FDT_ERR_BADOFFSET;
     104        if ((p < (char *)fdt) || ((end - oldlen + newlen) < (char *)fdt))
    103105                return -FDT_ERR_BADOFFSET;
    104106        if ((end - oldlen + newlen) > ((char *)fdt + fdt_totalsize(fdt)))
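Review bot: The new test on line 104, `(end - oldlen + newlen) < (char *)fdt`, catches a negative or overflowing `newlen` only if the pointer expression wraps around, and forming a pointer outside the buffer is undefined behaviour in C, so an optimising compiler may assume it cannot happen and drop the comparison. The same concern applies to `p < (char *)fdt` when `p` does not point into the blob. Consider rejecting `newlen < 0` explicitly and doing the range checks on integer offsets and lengths measured against `fdt_totalsize(fdt)` rather than on pointer sums. A short comment saying which overflow each branch guards against would also help, since both return `-FDT_ERR_BADOFFSET`.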