diff options
author | Patrick Oppenlander <patrick.oppenlander@gmail.com> | 2020-07-09 14:14:51 +1000 |
---|---|---|
committer | David Gibson <david@gibson.dropbear.id.au> | 2020-07-10 19:55:36 +1000 |
commit | 3e3138b4a9565934487d7b39019282e75a894487 (patch) | |
tree | dead08f2a6b496c3fa021fd423cc550d9990ed6e /libfdt | |
parent | 9d7888cbf19c2930992844e69a097dc71e5a7354 (diff) | |
download | device-tree-compiler-3e3138b4a9565934487d7b39019282e75a894487.tar.gz |
libfdt: fix fdt_check_full buffer overrun
fdt_check_header assumes that its argument points to a complete header
and can read data beyond the FDT_V1_SIZE bytes which fdt_check_full
can provide.
fdt_header_size can safely return a header size with FDT_V1_SIZE bytes
available and will return a usable value even for a corrupted header.
Signed-off-by: Patrick Oppenlander <patrick.oppenlander@gmail.com>
Message-Id: <20200709041451.338548-1-patrick.oppenlander@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Diffstat (limited to 'libfdt')
-rw-r--r-- | libfdt/fdt_check.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/libfdt/fdt_check.c b/libfdt/fdt_check.c index 7f6a96c..9ddfdbf 100644 --- a/libfdt/fdt_check.c +++ b/libfdt/fdt_check.c @@ -22,6 +22,8 @@ int fdt_check_full(const void *fdt, size_t bufsize) if (bufsize < FDT_V1_SIZE) return -FDT_ERR_TRUNCATED; + if (bufsize < fdt_header_size(fdt)) + return -FDT_ERR_TRUNCATED; err = fdt_check_header(fdt); if (err != 0) return err; |