libfdt: Safer access to memory reservations

fdt_num_mem_rsv() and fdt_get_mem_rsv() currently don't sanity check their parameters, or the memory reserve section offset in the header. That means that on a corrupted blob they could access outside of the range of memory that they should. This improves their safety checking, meaning they shouldn't access outside the blob's bounds, even if its contents are badly corrupted. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru> Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru> Reviewed-by: Simon Glass <sjg@chromium.org>
2018-03-09 23:28:56 +11:00
parent 719d582e98
commit d5db5382c5
7 changed files with 114 additions and 7 deletions
--- a/tests/run_tests.sh
+++ b/tests/run_tests.sh
@@ -416,6 +416,7 @@ libfdt_tests () {
    # Tests for behaviour on various sorts of corrupted trees
    run_test truncated_property
    run_test truncated_string
+    run_test truncated_memrsv

    # Check aliases support in fdt_path_offset
    run_dtc_test -I dts -O dtb -o aliases.dtb aliases.dts