libfdt: Fix bounds-checking bug in fdt_get_property()

The libfdt functions are supposed to behave tolerably well when practical,
even if given a corrupted device tree as input.  A silly mistake in
fdt_get_property() means we're bounds checking against the size of a pointer
instead of the size of a property header, meaning we can get bogus
behaviour in a corrupted device tree where the structure block ends in
what's supposed to be the middle of a property.

This patch corrects the problem (fdt_get_property() will now return
BADSTRUCTURE in this case), and also adds a testcase to catch the bug.
David Gibson 2006-12-14 15:29:25 +11:00
parent 6ae4de5c81
commit 9825f823eb
6 changed files with 72 additions and 2 deletions

@ -193,7 +193,7 @@ struct fdt_property *fdt_get_property(const struct fdt_header *fdt,
/* Found it! */
int len = fdt32_to_cpu(prop->len);
prop = fdt_offset_ptr(fdt, offset,
sizeof(prop)+len);
sizeof(*prop)+len);
if (! prop)
return PTR_ERROR(FDT_ERR_BADSTRUCTURE);
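Review bot: the corrected check `sizeof(*prop)+len` still trusts `len`, which the line above reads straight out of the blob with `fdt32_to_cpu(prop->len)` into an `int`; in a corrupted tree that value can be large enough that the `size_t` addition wraps, or negative so that it converts to a huge `size_t`, and then the range handed to `fdt_offset_ptr()` does not describe the property at all. Worth confirming that `fdt_offset_ptr()` rejects a length that runs past the end of the structure block, and adding a testcase with an out-of-range `len` next to the new truncated-property case so both ways of ending up short of a full property return `FDT_ERR_BADSTRUCTURE`.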