]> xenbits.xensource.com Git - people/liuw/libxenctrl-split/xen.git/commitdiff
projects / people / liuw / libxenctrl-split / xen.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 07c77aa)
xen: arm: bootfdt: Avoid reading off the front of *_cells array
authorIan Campbell <ian.campbell@citrix.com>
Thu, 16 Jul 2015 08:50:07 +0000 (09:50 +0100)
committerIan Campbell <ian.campbell@citrix.com>
Thu, 16 Jul 2015 15:25:26 +0000 (16:25 +0100)
In device_tree_for_each_node the call to the callback was using
{address,size}_cells[depth - 1], which at depth 0 could read off the
front of the array.

We already handled this correctly in the rest of the loop so fixup
this instance as well.

Reported-by: Chris (Christopher) Brand <chris.brand@broadcom.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Cc: Chris (Christopher) Brand <chris.brand@broadcom.com>
Reviewed-by: Julien Grall <julien.grall@citrix.com>
xen/arch/arm/bootfdt.c patch | blob | blame | history

diff --git a/xen/arch/arm/bootfdt.c b/xen/arch/arm/bootfdt.c
index e10023382644635a339d86f3af260d6ca1b072db..74d208b5ebf6c42509ea1afa2966229d4dcc3f20 100644 (file)
--- a/xen/arch/arm/bootfdt.c
+++ b/xen/arch/arm/bootfdt.c
@@ -100,6 +100,7 @@ static int __init device_tree_for_each_node(const void *fdt,
           node = fdt_next_node(fdt, node, &depth) )
     {
         const char *name = fdt_get_name(fdt, node, NULL);
+        u32 as, ss;
 
         if ( depth >= DEVICE_TREE_MAX_DEPTH )
         {
@@ -108,14 +109,15 @@ static int __init device_tree_for_each_node(const void *fdt,
             continue;
         }
 
-        address_cells[depth] = device_tree_get_u32(fdt, node, "#address-cells",
-                                depth > 0 ? address_cells[depth-1] : 0);
-        size_cells[depth] = device_tree_get_u32(fdt, node, "#size-cells",
-                                depth > 0 ? size_cells[depth-1] : 0);
+        as = depth > 0 ? address_cells[depth-1] : 0;
+        ss = depth > 0 ? size_cells[depth-1] : 0;
 
+        address_cells[depth] = device_tree_get_u32(fdt, node,
+                                                   "#address-cells", as);
+        size_cells[depth] = device_tree_get_u32(fdt, node,
+                                                "#size-cells", ss);
 
-        ret = func(fdt, node, name, depth,
-                   address_cells[depth-1], size_cells[depth-1], data);
+        ret = func(fdt, node, name, depth, as, ss, data);
         if ( ret != 0 )
             return ret;
     }
Unnamed repository; edit this file 'description' to name the repository.