dtc: add integer overflow checks in fdt header

Protect against integer overflows caused by malformed fdt headers. CRs-Fixed: 749977 Change-Id: I51d87038f520bc761b163d291b0138c513c69a33 Signed-off-by: Vijay Kumar Pendoti <vpendo@codeaurora.org> Signed-off-by: Rishabh Bhatnagar <rishabhb@codeaurora.org>
2014-08-12 20:35:44 +05:30
parent 48c8494b35
commit 3088f58407
3 changed files with 16 additions and 1 deletions
--- a/include/linux/libfdt_env.h
+++ b/include/linux/libfdt_env.h
@@ -2,6 +2,7 @@
 #ifndef LIBFDT_ENV_H
 #define LIBFDT_ENV_H
 #include <linux/kernel.h>
 #include <linux/string.h>
 #include <asm/byteorder.h>
--- a/scripts/dtc/libfdt/fdt.c
+++ b/scripts/dtc/libfdt/fdt.c
@@ -71,6 +71,20 @@ int fdt_check_header(const void *fdt)
 		return -FDT_ERR_BADMAGIC;
 	}
 	if (fdt_off_dt_struct(fdt) > (UINT_MAX - fdt_size_dt_struct(fdt)))
 		return FDT_ERR_BADOFFSET;
 	if (fdt_off_dt_strings(fdt) > (UINT_MAX -  fdt_size_dt_strings(fdt)))
 		return FDT_ERR_BADOFFSET;
 	if ((fdt_off_dt_struct(fdt) + fdt_size_dt_struct(fdt))
 	    > fdt_totalsize(fdt))
 		return FDT_ERR_BADOFFSET;
 	if ((fdt_off_dt_strings(fdt) + fdt_size_dt_strings(fdt))
 	    > fdt_totalsize(fdt))
 		return FDT_ERR_BADOFFSET;
 	return 0;
 }
--- a/scripts/dtc/libfdt/fdt_rw.c
+++ b/scripts/dtc/libfdt/fdt_rw.c
@@ -407,7 +407,7 @@ int fdt_del_node(void *fdt, int nodeoffset)
 static void fdt_packblocks_(const char *old, char *new,
 			    int mem_rsv_size, int struct_size)
 {
-	int mem_rsv_off, struct_off, strings_off;
+	uint32_t mem_rsv_off, struct_off, strings_off;
 	mem_rsv_off = FDT_ALIGN(sizeof(struct fdt_header), 8);
 	struct_off = mem_rsv_off + mem_rsv_size;