summaryrefslogtreecommitdiff
path: root/lib/libfdt
diff options
context:
space:
mode:
authorDavid Gibson <david@gibson.dropbear.id.au>2016-10-02 17:59:26 -0600
committerSimon Glass <sjg@chromium.org>2016-10-13 13:54:10 -0600
commit491c7b6f42a8101f1e84cf8e13a0e23b5eca729e (patch)
treee823ddccede6edbf22cdffdebac66c63b2b05fec /lib/libfdt
parentef47683646516002694729986d19713e49b903e3 (diff)
downloadu-boot-imx-491c7b6f42a8101f1e84cf8e13a0e23b5eca729e.zip
u-boot-imx-491c7b6f42a8101f1e84cf8e13a0e23b5eca729e.tar.gz
u-boot-imx-491c7b6f42a8101f1e84cf8e13a0e23b5eca729e.tar.bz2
libfdt: Fix undefined behaviour in fdt_offset_ptr()
Using pointer arithmetic to generate a pointer outside a known object is, technically, undefined behaviour in C. Unfortunately, we were using that in fdt_offset_ptr() to detect overflows. To fix this we need to do our bounds / overflow checking on the offsets before constructing pointers from them. Reported-by: David Binderman <dcb314@hotmail.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'lib/libfdt')
-rw-r--r--lib/libfdt/fdt.c13
1 files changed, 7 insertions, 6 deletions
diff --git a/lib/libfdt/fdt.c b/lib/libfdt/fdt.c
index 96017a1..2055734 100644
--- a/lib/libfdt/fdt.c
+++ b/lib/libfdt/fdt.c
@@ -35,18 +35,19 @@ int fdt_check_header(const void *fdt)
const void *fdt_offset_ptr(const void *fdt, int offset, unsigned int len)
{
- const char *p;
+ unsigned absoffset = offset + fdt_off_dt_struct(fdt);
+
+ if ((absoffset < offset)
+ || ((absoffset + len) < absoffset)
+ || (absoffset + len) > fdt_totalsize(fdt))
+ return NULL;
if (fdt_version(fdt) >= 0x11)
if (((offset + len) < offset)
|| ((offset + len) > fdt_size_dt_struct(fdt)))
return NULL;
- p = _fdt_offset_ptr(fdt, offset);
-
- if (p + len < p)
- return NULL;
- return p;
+ return _fdt_offset_ptr(fdt, offset);
}
uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)