On Mon, Aug 10, 2015 at 11:39:02AM -0700, Bjorn Andersson wrote: > From: Courtney Cavin <courtney.cavin@xxxxxxxxxxxxxx> > > Signed-off-by: Courtney Cavin <courtney.cavin@xxxxxxxxxxxxxx> > Signed-off-by: Bjorn Andersson <bjorn.andersson@xxxxxxxxxxxxxx> The logic looks ok, but this needs a commit message explaining the details of what condition it is protecting against, and how it might arise. > --- > libfdt/fdt_rw.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/libfdt/fdt_rw.c b/libfdt/fdt_rw.c > index 70adec6c371b..8be02b1f68f3 100644 > --- a/libfdt/fdt_rw.c > +++ b/libfdt/fdt_rw.c > @@ -101,6 +101,8 @@ static int _fdt_splice(void *fdt, void *splicepoint, int oldlen, int newlen) > > if (((p + oldlen) < p) || ((p + oldlen) > end)) > return -FDT_ERR_BADOFFSET; > + if ((p < (char *)fdt) || ((end - oldlen + newlen) < (char *)fdt)) > + return -FDT_ERR_BADOFFSET; > if ((end - oldlen + newlen) > ((char *)fdt + fdt_totalsize(fdt))) > return -FDT_ERR_NOSPACE; > memmove(p + newlen, p + oldlen, end - p - oldlen); -- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson
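Review bot: The second added condition, ((end - oldlen + newlen) < (char *)fdt), catches a bad oldlen or newlen only by first forming an out-of-range pointer and then comparing it, the same pattern as the existing (p + oldlen) < p test just above it. In C, pointer arithmetic that leaves the underlying object is undefined, so a compiler is allowed to assume the result cannot wrap and drop the comparison. Since oldlen and newlen are int, consider validating them as integers before any pointer is computed: reject negative values, then compare the offset p - (char *)fdt and the resulting length against fdt_totalsize(fdt). The p < (char *)fdt test would also sit better ahead of the preceding condition, which has already evaluated p + oldlen by the time this line runs. As the reply asks, the commit message should say what input or caller leads to a splice point or resulting end that falls before the start of the blob.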