From mboxrd@z Thu Jan  1 00:00:00 1970
From: Simon Glass
Subject: [PATCH v2 3/3] RFC: Check offset in fdt_string()
Date: Fri, 15 Feb 2013 14:49:38 -0800
Message-ID: <1360968578-18443-4-git-send-email-sjg@chromium.org>
References: <1360968578-18443-1-git-send-email-sjg@chromium.org>
In-Reply-To: <1360968578-18443-1-git-send-email-sjg-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "devicetree-discuss"
To: Jon Loeliger
Cc: Devicetree Discuss
List-Id: devicetree@vger.kernel.org

(We probably don't want this patch, and certainly can't apply it as is,
but I send it in order to find out the intent of fdt_string()).

At present fdt_string() says that it returns:
- a pointer to the string, on success
- NULL, if stroffset is out of bounds

However it does not in fact return NULL. Changing it to do so also
breaks 15 tests (segfault).

What is the intended behaviour of this function, please?

Signed-off-by: Simon Glass
---
Changes in v2:
- Drop patch to replace fdtdump

 libfdt/fdt_ro.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libfdt/fdt_ro.c b/libfdt/fdt_ro.c
index 50007f6..cba8772 100644
--- a/libfdt/fdt_ro.c
+++ b/libfdt/fdt_ro.c
@@ -77,6 +77,8 @@ static int _fdt_nodename_eq(const void *fdt, int offset,
 
 const char *fdt_string(const void *fdt, int stroffset)
 {
+	if (stroffset < 0 || stroffset >= fdt_size_dt_strings(fdt))
+		return NULL;
 	return (const char *)fdt + fdt_off_dt_strings(fdt) + stroffset;
 }
 
-- 
1.8.1.3
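Review bot: the new check in fdt_string() bounds only the start of the string (stroffset < fdt_size_dt_strings(fdt)), not its end, so an offset that lands inside the strings block but has no NUL before the block ends still hands the caller a pointer that strcmp()/strlen() will read past the block; consider also rejecting offsets with no terminator in the remaining bytes, e.g. `if (!memchr(s, 0, fdt_size_dt_strings(fdt) - stroffset)) return NULL;` before the final `return`. Separately, the message itself reports that returning NULL segfaults 15 tests, which means existing callers dereference the result without a NULL check; those call sites need to handle NULL (or the function needs a different error signal) before this can go in as a non-RFC change.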
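As an added example (not libfdt code and not part of the message above), the following builds a minimal flattened-device-tree blob in memory from the header fields the patch relies on (off_dt_strings and size_dt_strings, stored as big-endian 32-bit words), then shows the unchecked lookup the message describes next to a checked version that applies the patch's start-offset test and additionally requires a NUL terminator inside the strings block, plus a caller that treats NULL as "no match" instead of dereferencing it. The blob contents, the header offsets, and the helper names (build_blob, fdt_string_unchecked, fdt_string_checked, name_matches) are this example's own assumptions.

```c
/* Added example, not libfdt code. A constructed FDT blob and a
 * bounds-checked string lookup of the kind the RFC patch proposes.
 * Header layout assumed here: ten big-endian 32-bit words. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FDT_MAGIC 0xd00dfeedU

/* Byte offsets of the header fields used below (assumed layout). */
enum {
    OFF_MAGIC = 0, OFF_TOTALSIZE = 4, OFF_DT_STRUCT = 8, OFF_DT_STRINGS = 12,
    OFF_MEM_RSVMAP = 16, OFF_VERSION = 20, OFF_LAST_COMP = 24,
    OFF_BOOT_CPUID = 28, OFF_SIZE_STRINGS = 32, OFF_SIZE_STRUCT = 36,
    HDR_LEN = 40
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Constructed strings block: "compatible\0" at 0, "reg\0" at 11, and a
 * deliberately unterminated "bad" at 15 that runs to the end of the block. */
static const char STRINGS[] = "compatible\0reg\0bad";
#define STRINGS_LEN ((int)sizeof(STRINGS) - 1)   /* drop the literal's own NUL */

/* header + one all-zero memreserve entry (terminator) + strings block */
static uint8_t blob[HDR_LEN + 16 + STRINGS_LEN];

static const void *build_blob(void)
{
    memset(blob, 0, sizeof(blob));
    put_be32(blob + OFF_MAGIC, FDT_MAGIC);
    put_be32(blob + OFF_TOTALSIZE, sizeof(blob));
    put_be32(blob + OFF_MEM_RSVMAP, HDR_LEN);
    put_be32(blob + OFF_DT_STRUCT, HDR_LEN + 16);  /* empty struct block */
    put_be32(blob + OFF_SIZE_STRUCT, 0);
    put_be32(blob + OFF_DT_STRINGS, HDR_LEN + 16);
    put_be32(blob + OFF_SIZE_STRINGS, STRINGS_LEN);
    put_be32(blob + OFF_VERSION, 17);
    put_be32(blob + OFF_LAST_COMP, 16);
    memcpy(blob + HDR_LEN + 16, STRINGS, STRINGS_LEN);
    return blob;
}

/* Unchecked lookup, as the message says fdt_string() behaves today:
 * any offset, negative included, is turned into a pointer. */
static const char *fdt_string_unchecked(const void *fdt, int stroffset)
{
    const uint8_t *p = fdt;
    return (const char *)p + be32(p + OFF_DT_STRINGS) + stroffset;
}

/* Checked lookup: the patch's start-offset test, plus a check that the
 * strings block lies inside totalsize and that a NUL exists before the
 * block ends, so the result is safe to pass to strcmp()/strlen(). */
static const char *fdt_string_checked(const void *fdt, int stroffset)
{
    const uint8_t *p = fdt;
    uint32_t total = be32(p + OFF_TOTALSIZE);
    uint32_t off = be32(p + OFF_DT_STRINGS);
    uint32_t size = be32(p + OFF_SIZE_STRINGS);

    if (off > total || size > total - off)              /* block outside blob */
        return NULL;
    if (stroffset < 0 || (uint32_t)stroffset >= size)   /* the patch's check */
        return NULL;
    const char *s = (const char *)p + off + stroffset;
    if (memchr(s, '\0', size - (uint32_t)stroffset) == NULL)  /* no terminator */
        return NULL;
    return s;
}

/* Caller-side pattern: a NULL lookup is "no match", never a dereference. */
static int name_matches(const void *fdt, int stroffset, const char *want)
{
    const char *s = fdt_string_checked(fdt, stroffset);
    return s != NULL && strcmp(s, want) == 0;
}

int main(void)
{
    const void *fdt = build_blob();
    printf("offset 0  -> %s\n", fdt_string_checked(fdt, 0));
    printf("offset 11 -> %s\n", fdt_string_checked(fdt, 11));
    printf("offset 15 (unterminated) -> %s\n", fdt_string_checked(fdt, 15) ? "ok" : "NULL");
    printf("offset 18 (== size)      -> %s\n", fdt_string_checked(fdt, 18) ? "ok" : "NULL");
    printf("offset -4                -> %s\n", fdt_string_checked(fdt, -4) ? "ok" : "NULL");
    printf("unchecked -4 still yields a pointer: %p\n", (const void *)fdt_string_unchecked(fdt, -4));
    return 0;
}
```

The unterminated "bad" entry is the case the patch's check alone does not cover: offset 15 passes `stroffset < size`, but the only way a caller can use the result safely is if a terminator is known to exist inside the block, which is why the checked version also runs memchr() over the remaining bytes.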