From: David Gibson Date: Sun, 2 Oct 2016 23:59:26 +0000 (-0600) Subject: libfdt: Fix undefined behaviour in fdt_offset_ptr() X-Git-Tag: v2025.01-rc5-pxa1908~8323^2~4 X-Git-Url: http://git.dujemihanovic.xyz/img/sics.gif?a=commitdiff_plain;h=491c7b6f42a8101f1e84cf8e13a0e23b5eca729e;p=u-boot.git libfdt: Fix undefined behaviour in fdt_offset_ptr() Using pointer arithmetic to generate a pointer outside a known object is, technically, undefined behaviour in C. Unfortunately, we were using that in fdt_offset_ptr() to detect overflows. To fix this we need to do our bounds / overflow checking on the offsets before constructing pointers from them. Reported-by: David Binderman Signed-off-by: David Gibson Signed-off-by: Simon Glass --- diff --git a/lib/libfdt/fdt.c b/lib/libfdt/fdt.c index 96017a15a2..2055734012 100644 --- a/lib/libfdt/fdt.c +++ b/lib/libfdt/fdt.c @@ -35,18 +35,19 @@ int fdt_check_header(const void *fdt) const void *fdt_offset_ptr(const void *fdt, int offset, unsigned int len) { - const char *p; + unsigned absoffset = offset + fdt_off_dt_struct(fdt); + + if ((absoffset < offset) + || ((absoffset + len) < absoffset) + || (absoffset + len) > fdt_totalsize(fdt)) + return NULL; if (fdt_version(fdt) >= 0x11) if (((offset + len) < offset) || ((offset + len) > fdt_size_dt_struct(fdt))) return NULL; - p = _fdt_offset_ptr(fdt, offset); - - if (p + len < p) - return NULL; - return p; + return _fdt_offset_ptr(fdt, offset); } uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)