devicetree-compiler.vger.kernel.org archive mirror
From: David Gibson <david-xT8FGy+AXnRB3Ne2BGzF6laj5H9X9Tb+@public.gmane.org>
To: Jean-Christophe Dubois <jcd-WBS85hRCVJbxB9160cZjhg@public.gmane.org>
Cc: devicetree-compiler-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	jdl-CYoMK+44s/E@public.gmane.org
Subject: Re: [PATCH v2] fdtdump.c: make sure size_t argument to memchr is always unsigned.
Date: Sun, 24 Jul 2016 00:41:46 +1000
Message-ID: <20160723144146.GB24621@voom.fritz.box>
In-Reply-To: <1468369873-3244-1-git-send-email-jcd-WBS85hRCVJbxB9160cZjhg@public.gmane.org>

On Wed, Jul 13, 2016 at 02:31:13AM +0200, Jean-Christophe Dubois wrote:
> CID 132817 (#1 of 1): Integer overflowed argument (INTEGER_OVERFLOW)
> 15. overflow_sink: Overflowed or truncated value (or a value computed from an overflowed or truncated value) endp - p - 4L used as critical argument to function.
> 
> Signed-off-by: Jean-Christophe Dubois <jcd-WBS85hRCVJbxB9160cZjhg@public.gmane.org>

Applied.

fdtdump is a hacky tool, so I don't particularly care about bugs in
it, but I guess we might as well shut up the semantic checker.

> ---
> 
> Changes since v1:
>  * fix the post loop test.
> 
>  fdtdump.c | 10 ++++++----
>  1 file changed, 6 insertions(+), 4 deletions(-)
> 
> diff --git a/fdtdump.c b/fdtdump.c
> index 95a6a20..a9a2484 100644
> --- a/fdtdump.c
> +++ b/fdtdump.c
> @@ -15,6 +15,8 @@
>  
>  #include "util.h"
>  
> +#define FDT_MAGIC_SIZE	4
> +
>  #define ALIGN(x, a)	(((x) + ((a) - 1)) & ~((a) - 1))
>  #define PALIGN(p, a)	((void *)(ALIGN((unsigned long)(p), (a))))
>  #define GET_CELL(p)	(p += 4, *((const uint32_t *)(p-4)))
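Review bot: FDT_MAGIC_SIZE repeats the literal 4 that the GET_CELL macro two lines below also hardcodes for the same 32-bit cell width; since fdt_set_magic()/fdt_magic() treat the magic as a uint32_t, defining it as `sizeof(uint32_t)` would tie the constant to the type rather than to a second copy of the number.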
> @@ -188,15 +190,15 @@ int main(int argc, char *argv[])
>  
>  	/* try and locate an embedded fdt in a bigger blob */
>  	if (scan) {
> -		unsigned char smagic[4];
> +		unsigned char smagic[FDT_MAGIC_SIZE];
>  		char *p = buf;
>  		char *endp = buf + len;
>  
>  		fdt_set_magic(smagic, FDT_MAGIC);
>  
>  		/* poor man's memmem */
> -		while (true) {
> -			p = memchr(p, smagic[0], endp - p - 4);
> +		while ((endp - p) >= FDT_MAGIC_SIZE) {
> +			p = memchr(p, smagic[0], endp - p - FDT_MAGIC_SIZE);
>  			if (!p)
>  				break;
>  			if (fdt_magic(p) == FDT_MAGIC) {
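Review bot: the memchr length `endp - p - FDT_MAGIC_SIZE` is off by one: memchr examines bytes p[0] .. p[n-1], so the last byte ever tested is endp[-5], and a magic whose first byte sits exactly at endp - FDT_MAGIC_SIZE (a blob that ends with the header's first word) is never found. `endp - p - FDT_MAGIC_SIZE + 1` covers that position while still leaving room for fdt_magic(p) to read four bytes. The original `endp - p - 4` had the same gap, so this is pre-existing rather than introduced, but it is worth fixing while the expression is being touched. The new loop guard `(endp - p) >= FDT_MAGIC_SIZE` is the part that actually addresses the Coverity finding: it keeps the ptrdiff_t non-negative before the implicit conversion to size_t, where a negative value would have become a huge length and let memchr read past endp.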
> @@ -215,7 +217,7 @@ int main(int argc, char *argv[])
>  			}
>  			++p;
>  		}
> -		if (!p)
> +		if (!p || ((endp - p) < FDT_MAGIC_SIZE))
>  			die("%s: could not locate fdt magic\n", file);
>  		printf("%s: found fdt at offset %#zx\n", file, p - buf);
>  		buf = p;
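Review bot: the order of the two tests must stay as written and deserves a comment: `!p` has to be evaluated first because the memchr-returned-NULL exit leaves p == NULL, and `endp - p` on a null pointer is undefined behaviour, so the short-circuit `||` is what keeps the subtraction from running in that case. The second clause handles the other exit path, where `++p` moved p to within FDT_MAGIC_SIZE bytes of endp without a match, so p is non-NULL yet no magic was found; noting that the two clauses correspond to the two distinct loop exits would make the condition self-explanatory for the next reader.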

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson
