Catch unsigned 32bit overflow when parsing flattened device tree offsets We have a couple of checks of the form: if (offset+size > totalsize) die(); We need to check that offset+size doesn't overflow, otherwise the check will pass, and we may access past totalsize. Found with AFL. Signed-off-by: Anton Blanchard <anton@samba.org> [Added a testcase] Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

commit: 2e53f9d2f0a8faab6cec0d78958d52c155f6c6eb [log] [tgz]
author: Anton Blanchard <anton@samba.org> Sun Jan 03 08:43:35 2016 +1100
committer: David Gibson <david@gibson.dropbear.id.au> Fri Feb 19 01:08:46 2016 +1100
tree: 1c498c162608ead00ad8e841967b426df45293b4
parent: b06e55c88b9b922ff7e25cd62a4709b65524f0fc [diff] [blame]
diff --git a/flattree.c b/flattree.c
index bd99fa2..ec14954 100644
--- a/flattree.c
+++ b/flattree.c

@@ -889,7 +889,7 @@
 
 	if (version >= 3) {
 		uint32_t size_str = fdt32_to_cpu(fdt->size_dt_strings);
-		if (off_str+size_str > totalsize)
+		if ((off_str+size_str < off_str) || (off_str+size_str > totalsize))
 			die("String table extends past total size\n");
 		inbuf_init(&strbuf, blob + off_str, blob + off_str + size_str);
 	} else {
@@ -898,7 +898,7 @@
 
 	if (version >= 17) {
 		size_dt = fdt32_to_cpu(fdt->size_dt_struct);
-		if (off_dt+size_dt > totalsize)
+		if ((off_dt+size_dt < off_dt) || (off_dt+size_dt > totalsize))
 			die("Structure block extends past total size\n");
 	}
commit	2e53f9d2f0a8faab6cec0d78958d52c155f6c6eb	[log] [tgz]
author	Anton Blanchard <anton@samba.org>	Sun Jan 03 08:43:35 2016 +1100
committer	David Gibson <david@gibson.dropbear.id.au>	Fri Feb 19 01:08:46 2016 +1100
tree	1c498c162608ead00ad8e841967b426df45293b4
parent	b06e55c88b9b922ff7e25cd62a4709b65524f0fc [diff] [blame]