author Courtney Cavin <courtney.cavin@sonymobile.com> 2015-12-01 16:43:10 -0800
committer David Gibson <david@gibson.dropbear.id.au> 2015-12-02 13:11:11 +1100
commitd4c7c25c9ed138df8bafbe61097c27c9d2629ee3 (patch)
tree9a37858d7e0fea7d58c89a258c7ca346b3511fa5 /libfdt/fdt_rw.c
parentf58799be130e27cc729cb2d45566daa0bb3b8605 (diff)
libfdt: check for potential overrun in _fdt_splice()
This patch catches the conditions where:
- 'splicepoint' is set to a point outside of [ fdt, fdt_totalsize(fdt) )
- 'newlen' is negative, or 'splicepoint' plus 'newlen' results in overflow

Either of these cases can be caused by math which overflows in calling functions, or by sizes specified through dynamic means.

Signed-off-by: Courtney Cavin <courtney.cavin@sonymobile.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson@sonymobile.com>
Diffstat (limited to 'libfdt/fdt_rw.c')
-rw-r--r--libfdt/fdt_rw.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/libfdt/fdt_rw.c b/libfdt/fdt_rw.c
index 70adec6..8be02b1 100644
--- a/libfdt/fdt_rw.c
+++ b/libfdt/fdt_rw.c
@@ -101,6 +101,8 @@ static int _fdt_splice(void *fdt, void *splicepoint, int oldlen, int newlen)
if (((p + oldlen) < p) || ((p + oldlen) > end))
return -FDT_ERR_BADOFFSET;
+ if ((p < (char *)fdt) || ((end - oldlen + newlen) < (char *)fdt))
+ return -FDT_ERR_BADOFFSET;
if ((end - oldlen + newlen) > ((char *)fdt + fdt_totalsize(fdt)))
return -FDT_ERR_NOSPACE;
memmove(p + newlen, p + oldlen, end - p - oldlen);