fdtoverlay: Sanity check blob size

The fdtoverlay utility reads in the base fdt blob, then expands it to make room for all the overlays requested. However, it uses the totalsize field of the base blob without verifying that it actually read all of it in (it's possible the blob file could have been truncated). Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
author: David Gibson <david@gibson.dropbear.id.au> 2017-09-27 19:44:50 +1000
committer: David Gibson <david@gibson.dropbear.id.au> 2017-09-27 20:00:10 +1000
commit: b6a6f9490d19317200f2b23a5934ed32797734b8 (patch)
tree: 98df3bb09b8cc0a22a7584fa31a83ab7a04c5501 /fdtoverlay.c
parent: 8c1eb1526d2d02f34bfe6f94dacba60834ae9f79 (diff)
download: device-tree-compiler-b6a6f9490d19317200f2b23a5934ed32797734b8.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/fdtoverlay.c b/fdtoverlay.c
index 9c5618c..7f124fc 100644
--- a/fdtoverlay.c
+++ b/fdtoverlay.c
@@ -27,6 +27,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <alloca.h>
+#include <inttypes.h>
 
 #include <libfdt.h>
 
@@ -69,6 +70,12 @@ static int do_fdtoverlay(const char *input_filename,
 				input_filename);
 		goto out_err;
 	}
+	if (fdt_totalsize(blob) > blob_len) {
+		fprintf(stderr,
+ "\nBase blob is incomplete (%lu / %" PRIu32 " bytes read)\n",
+			(unsigned long)blob_len, fdt_totalsize(blob));
+		goto out_err;
+	}
 	ret = 0;
 
 	/* allocate blob pointer array */
author	David Gibson <david@gibson.dropbear.id.au>	2017-09-27 19:44:50 +1000
committer	David Gibson <david@gibson.dropbear.id.au>	2017-09-27 20:00:10 +1000
commit	b6a6f9490d19317200f2b23a5934ed32797734b8 (patch)
tree	98df3bb09b8cc0a22a7584fa31a83ab7a04c5501 /fdtoverlay.c
parent	8c1eb1526d2d02f34bfe6f94dacba60834ae9f79 (diff)
download	device-tree-compiler-b6a6f9490d19317200f2b23a5934ed32797734b8.tar.gz