libfdt: fix undefined behaviour in _fdt_splice()
Along the lines of commit d0b3ab0a0f46 ("libfdt: Fix undefined behaviour
in fdt_offset_ptr()"), _fdt_splice() similarly may not use pointer
arithmetic to do overflow checks.

[upstream commit 73d6e9ecb4179b510408bc526240f829262df361]
Signed-off-by: Jan Beulich <[email protected]>
Acked-by: Julien Grall <[email protected]>
jbeulich committed Mar 17, 2020
1 parent 66fb140 commit 1faa954
Showing 1 changed file with 6 additions and 5 deletions.
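--- a/xen/common/libfdt/fdt_rw.c
+++ b/xen/common/libfdt/fdt_rw.c
@@ -87,21 +87,22 @@ static int _fdt_rw_check_header(void *fdt)
 return err; \
 }
 
-static inline int _fdt_data_size(void *fdt)
+static inline unsigned int _fdt_data_size(void *fdt)
 {
 return fdt_off_dt_strings(fdt) + fdt_size_dt_strings(fdt);
 }
 
 static int _fdt_splice(void *fdt, void *splicepoint, int oldlen, int newlen)
 {
 char *p = splicepoint;
-char *end = (char *)fdt + _fdt_data_size(fdt);
+unsigned int dsize = _fdt_data_size(fdt);
+size_t soff = p - (char *)fdt;
 
-if (((p + oldlen) < p) || ((p + oldlen) > end))
+if (oldlen < 0 || soff + oldlen < soff || soff + oldlen > dsize)
 return -FDT_ERR_BADOFFSET;
-if ((end - oldlen + newlen) > ((char *)fdt + fdt_totalsize(fdt)))
+if (dsize - oldlen + newlen > fdt_totalsize(fdt))
 return -FDT_ERR_NOSPACE;
-memmove(p + newlen, p + oldlen, end - p - oldlen);
+memmove(p + newlen, p + oldlen, ((char *)fdt + dsize) - (p + oldlen));
 return 0;
 }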
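Review bot: `newlen` gets no sign check in the new `if (oldlen < 0 || ...)` line of `_fdt_splice()`, while `oldlen` now does; with the bounds arithmetic moved to unsigned integers, a negative `newlen` wraps in `dsize - oldlen + newlen` and, if that wrapped value still fits under `fdt_totalsize()`, the following memmove targets `p + newlen` in front of the blob instead of being rejected. The callers (outside this hunk) presumably pass non-negative byte counts, but this function is where the contract is enforced now that it checks in integers: `if (oldlen < 0 || newlen < 0 || soff + oldlen < soff || soff + oldlen > dsize)`. For the same reason the memmove length could use the integer form `dsize - soff - oldlen` rather than re-deriving it from two pointers. `dsize` is only as trustworthy as the two header fields summed in `_fdt_data_size()`, which can wrap on a malformed header; presumably `_fdt_rw_check_header()` (outside the hunk) bounds them, and the `soff + oldlen > dsize` rejection at least keeps the memmove length from going negative.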

