* [PATCH] libfdt: fix fdt_check_full buffer overrun
@ 2020-07-09 4:14 patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w
[not found] ` <20200709041451.338548-1-patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
0 siblings, 1 reply; 2+ messages in thread
From: patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w @ 2020-07-09 4:14 UTC (permalink / raw)
To: devicetree-compiler-u79uwXL29TY76Z2rM5mHXA; +Cc: Patrick Oppenlander
From: Patrick Oppenlander <patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
fdt_check_header assumes that its argument points to a complete header
and can read data beyond the FDT_V1_SIZE bytes which fdt_check_full
can provide.
fdt_header_size can safely return a header size with FDT_V1_SIZE bytes
available and will return a usable value even for a corrupted header.
Signed-off-by: Patrick Oppenlander <patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
libfdt/fdt_check.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libfdt/fdt_check.c b/libfdt/fdt_check.c
index 7f6a96c..9ddfdbf 100644
--- a/libfdt/fdt_check.c
+++ b/libfdt/fdt_check.c
@@ -22,6 +22,8 @@ int fdt_check_full(const void *fdt, size_t bufsize)
if (bufsize < FDT_V1_SIZE)
return -FDT_ERR_TRUNCATED;
+ if (bufsize < fdt_header_size(fdt))
+ return -FDT_ERR_TRUNCATED;
err = fdt_check_header(fdt);
if (err != 0)
return err;
--
2.27.0
^ permalink raw reply related [flat|nested] 2+ messages in thread[parent not found: <20200709041451.338548-1-patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>]
* Re: [PATCH] libfdt: fix fdt_check_full buffer overrun [not found] ` <20200709041451.338548-1-patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> @ 2020-07-10 9:55 ` David Gibson 0 siblings, 0 replies; 2+ messages in thread From: David Gibson @ 2020-07-10 9:55 UTC (permalink / raw) To: patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w Cc: devicetree-compiler-u79uwXL29TY76Z2rM5mHXA [-- Attachment #1: Type: text/plain, Size: 1349 bytes --] On Thu, Jul 09, 2020 at 02:14:51PM +1000, patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote: > From: Patrick Oppenlander <patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> > > fdt_check_header assumes that its argument points to a complete header > and can read data beyond the FDT_V1_SIZE bytes which fdt_check_full > can provide. > > fdt_header_size can safely return a header size with FDT_V1_SIZE bytes > available and will return a usable value even for a corrupted header. > > Signed-off-by: Patrick Oppenlander <patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> Applied, thanks. > --- > libfdt/fdt_check.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/libfdt/fdt_check.c b/libfdt/fdt_check.c > index 7f6a96c..9ddfdbf 100644 > --- a/libfdt/fdt_check.c > +++ b/libfdt/fdt_check.c > @@ -22,6 +22,8 @@ int fdt_check_full(const void *fdt, size_t bufsize) > > if (bufsize < FDT_V1_SIZE) > return -FDT_ERR_TRUNCATED; > + if (bufsize < fdt_header_size(fdt)) > + return -FDT_ERR_TRUNCATED; > err = fdt_check_header(fdt); > if (err != 0) > return err; -- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-07-10 9:55 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-07-09 4:14 [PATCH] libfdt: fix fdt_check_full buffer overrun patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w
[not found] ` <20200709041451.338548-1-patrick.oppenlander-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2020-07-10 9:55 ` David Gibson
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).