lib: fdt: add integer overflow checks in fdt header

these checks will usefull in finding the integer overflow in fdt header fields. (cherry picked from commit b6b7c1e767cd03e34fe835115d01f83d935abf3a) Change-Id: I8469116124e4c0086885994132345df95bbf3bdc Signed-off-by: Kathiravan T <kathirav@codeaurora.org>
2025-12-10 07:44:53 +01:00 · 2014-08-12 20:35:44 +05:30 · 2014-08-12 20:35:44 +05:30 · 01b8983f67
commit 01b8983f67
parent 39b207217d
2 changed files with 15 additions and 1 deletions
--- a/lib/libfdt/fdt.c
+++ b/lib/libfdt/fdt.c
@ -14,6 +14,8 @@

 #include "libfdt_internal.h"

+#define UINT_MAX	(~0U)
+
 int fdt_check_header(const void *fdt)
 {
 	if (fdt_magic(fdt) == FDT_MAGIC) {
@ -30,6 +32,18 @@ int fdt_check_header(const void *fdt)
 		return -FDT_ERR_BADMAGIC;
 	}

+	if (fdt_off_dt_struct(fdt) > (UINT_MAX - fdt_size_dt_struct(fdt)))
+		return FDT_ERR_BADOFFSET;
+
+	if (fdt_off_dt_strings(fdt) > (UINT_MAX -  fdt_size_dt_strings(fdt)))
+		return FDT_ERR_BADOFFSET;
+
+	if ((fdt_off_dt_struct(fdt) + fdt_size_dt_struct(fdt)) > fdt_totalsize(fdt))
+		return FDT_ERR_BADOFFSET;
+
+	if ((fdt_off_dt_strings(fdt) + fdt_size_dt_strings(fdt)) > fdt_totalsize(fdt))
+		return FDT_ERR_BADOFFSET;
+
 	return 0;
 }

--- a/lib/libfdt/fdt_rw.c
+++ b/lib/libfdt/fdt_rw.c
@ -353,7 +353,7 @@ int fdt_del_node(void *fdt, int nodeoffset)
 static void _fdt_packblocks(const char *old, char *new,
 			    int mem_rsv_size, int struct_size)
 {
-	int mem_rsv_off, struct_off, strings_off;
+	uint32_t mem_rsv_off, struct_off, strings_off;

 	mem_rsv_off = FDT_ALIGN(sizeof(struct fdt_header), 8);
 	struct_off = mem_rsv_off + mem_rsv_size;