From 3e3138b4a9565934487d7b39019282e75a894487 Mon Sep 17 00:00:00 2001
From: Patrick Oppenlander <patrick.oppenlander@gmail.com>
Date: Thu, 9 Jul 2020 14:14:51 +1000
Subject: libfdt: fix fdt_check_full buffer overrun

fdt_check_header assumes that its argument points to a complete header
and can read data beyond the FDT_V1_SIZE bytes which fdt_check_full
can provide.

fdt_header_size can safely return a header size with FDT_V1_SIZE bytes
available and will return a usable value even for a corrupted header.

Signed-off-by: Patrick Oppenlander <patrick.oppenlander@gmail.com>
Message-Id: <20200709041451.338548-1-patrick.oppenlander@gmail.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
 libfdt/fdt_check.c | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'libfdt')

diff --git a/libfdt/fdt_check.c b/libfdt/fdt_check.c
index 7f6a96c..9ddfdbf 100644
--- a/libfdt/fdt_check.c
+++ b/libfdt/fdt_check.c
@@ -22,6 +22,8 @@ int fdt_check_full(const void *fdt, size_t bufsize)
 
 	if (bufsize < FDT_V1_SIZE)
 		return -FDT_ERR_TRUNCATED;
+	if (bufsize < fdt_header_size(fdt))
+		return -FDT_ERR_TRUNCATED;
 	err = fdt_check_header(fdt);
 	if (err != 0)
 		return err;
-- 
cgit v1.2.1