mirror of
https://github.com/dgibson/dtc.git
synced 2026-04-11 16:37:42 -04:00
812b1956a0
In libfdt we often sanity test fdt_totalsize(fdt) fairly early, then trust it (but *only* that header field) for the remainder of our work. However, Coverity gets confused by this - it sees the byteswap in fdt32_ld() and assumes that means it is coming from an untrusted source everytime, resulting in many tainted data warnings. Most of these end up with logic in fdt_get_string() as the unsafe destination for this tainted data, so let's tweak the logic there to make it clearer to Coverity that this is ok. We add a sanity test on fdt_totalsize() to fdt_probe_ro_(). Because the interface allows bare ints to be used for offsets, we already have the assumption that totalsize must be 31-bits or less (2GiB would be a ludicrously large fdt). This makes this more explicit. We also make fdt_probe_ro() return the size for convenience, and change the logic in fdt_get_string() to keep it in a local so that Coverity can see that it has already been bounds-checked. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> |
||
|---|---|---|
| .. | ||
| .gitignore | ||
| fdt.c | ||
| fdt.h | ||
| fdt_addresses.c | ||
| fdt_empty_tree.c | ||
| fdt_overlay.c | ||
| fdt_ro.c | ||
| fdt_rw.c | ||
| fdt_strerror.c | ||
| fdt_sw.c | ||
| fdt_wip.c | ||
| libfdt.h | ||
| libfdt_env.h | ||
| libfdt_internal.h | ||
| Makefile.libfdt | ||
| TODO | ||
| version.lds | ||