libfdt: fix fdt_check_full buffer overrun
fdt_check_header assumes that its argument points to a complete header and can read data beyond the FDT_V1_SIZE bytes which fdt_check_full can provide. fdt_header_size can safely return a header size with FDT_V1_SIZE bytes available and will return a usable value even for a corrupted header. Signed-off-by: Patrick Oppenlander <patrick.oppenlander@gmail.com> Message-Id: <20200709041451.338548-1-patrick.oppenlander@gmail.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
This commit is contained in:
Patrick Oppenlander
David Gibson
parent
9d7888cbf1
commit
3e3138b4a9
1 changed files with 2 additions and 0 deletions
|
|
@ -22,6 +22,8 @@ int fdt_check_full(const void *fdt, size_t bufsize)
|
|||
|
||||
if (bufsize < FDT_V1_SIZE)
|
||||
return -FDT_ERR_TRUNCATED;
|
||||
if (bufsize < fdt_header_size(fdt))
|
||||
return -FDT_ERR_TRUNCATED;
|
||||
err = fdt_check_header(fdt);
|
||||
if (err != 0)
|
||||
return err;
|
||||
|
|
|
|||
Loading…
Reference in a new issue