libfdt: check for potential overrun in _fdt_splice()
This patch catches the conditions where: - 'splicepoint' is set to a point outside of [ fdt, fdt_totalsize(fdt) ) - 'newlen' is negative, or 'splicepoint' plus 'newlen' results in overflow Either of these cases can be caused by math which overflows in calling functions, or by sizes specified through dynamic means. Signed-off-by: Courtney Cavin <courtney.cavin@sonymobile.com> Signed-off-by: Bjorn Andersson <bjorn.andersson@sonymobile.com>
This commit is contained in:
Courtney Cavin
David Gibson
parent
f58799be13
commit
d4c7c25c9e
1 changed files with 2 additions and 0 deletions
|
|
@ -101,6 +101,8 @@ static int _fdt_splice(void *fdt, void *splicepoint, int oldlen, int newlen)
|
|||
|
||||
if (((p + oldlen) < p) || ((p + oldlen) > end))
|
||||
return -FDT_ERR_BADOFFSET;
|
||||
if ((p < (char *)fdt) || ((end - oldlen + newlen) < (char *)fdt))
|
||||
return -FDT_ERR_BADOFFSET;
|
||||
if ((end - oldlen + newlen) > ((char *)fdt + fdt_totalsize(fdt)))
|
||||
return -FDT_ERR_NOSPACE;
|
||||
memmove(p + newlen, p + oldlen, end - p - oldlen);
|
||||
|
|
|
|||
Loading…
Reference in a new issue