Fix null-pointer dereference on malformed dtb parsing in fdt_check_full().
Add example of malformed input to fuzz corpus.
Test: make check
Test: run libFuzzer on updated corpus.
Bug: 238913758
Change-Id: Id0d21c57077fd5448ddfa59844eb5a016d2ba62c
diff --git a/fuzzing/corpus/crash-a5b94d95681291f3057eea7f0233c8f1529b2f59 b/fuzzing/corpus/crash-a5b94d95681291f3057eea7f0233c8f1529b2f59
new file mode 100644
index 0000000..dbab42e
--- /dev/null
+++ b/fuzzing/corpus/crash-a5b94d95681291f3057eea7f0233c8f1529b2f59
Binary files differ
diff --git a/libfdt/fdt_check.c b/libfdt/fdt_check.c
index fa410a8..4c02d96 100644
--- a/libfdt/fdt_check.c
+++ b/libfdt/fdt_check.c
@@ -66,6 +66,11 @@
int len;
name = fdt_get_name(fdt, offset, &len);
+
+ /* on error NULL is returned with FDT_ERR in len */
+ if (!name)
+ return len;
+
if (*name || len)
return -FDT_ERR_BADSTRUCTURE;
}
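Review bot: The new `if (!name) return len;` is correct only because fdt_get_name() stores a negative FDT_ERR code in len whenever it returns NULL; should that contract ever yield NULL with len == 0, fdt_check_full() would report the malformed blob as valid, since callers read a return of 0 as success. A more defensive form that cannot turn an error into success is `if (!name) return len < 0 ? len : -FDT_ERR_BADSTRUCTURE;`. The added comment would also read more precisely as `/* fdt_get_name() returns NULL on error and stores -FDT_ERR_* in len */`, naming the function whose contract the check depends on. The enclosing fdt_check_full() body begins before this hunk and continues after it, and the leading context lines of the hunk appear to be partially cut in this view.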