
[OpenWrt-Devel,fwtool,7/8] fix possible copy of null buffer and validation of unitialized header

Message ID 20191023105339.16326-8-ynezz@true.cz
State Accepted
Delegated to: Petr Štetiar
Series fwtool improvements | expand

Commit Message

Petr Štetiar Oct. 23, 2019, 10:53 a.m. UTC
scan-build from clang version 9 has reported the following issues:

 fwtool.c:257:2: warning: Null pointer passed as an argument to a 'nonnull' parameter
        memcpy(dest, dbuf->cur + dbuf->cur_len - cur_len, cur_len);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 fwtool.c:275:20: warning: The left operand of '!=' is a garbage value
         if (hdr->version != 0)
             ~~~~~~~~~~~~ ^

Signed-off-by: Petr Štetiar <ynezz@true.cz>
---
 fwtool.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

Patch

diff --git a/fwtool.c b/fwtool.c
index c059331ad231..e925b0bf5e65 100644
--- a/fwtool.c
+++ b/fwtool.c
@@ -251,7 +251,7 @@  extract_tail(struct data_buf *dbuf, void *dest, int len)
 	remove_tail(dbuf, cur_len);
 
 	cur_len = len - cur_len;
-	if (cur_len && !dbuf->cur)
+	if (cur_len < 0 || !dbuf->cur)
 		return 1;
 
 	memcpy(dest, dbuf->cur + dbuf->cur_len - cur_len, cur_len);
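Review bot: The rewritten guard `if (cur_len < 0 || !dbuf->cur)` now returns 1 when the remaining `cur_len` is 0 and `dbuf->cur` is NULL, a case the old `cur_len && !dbuf->cur` test let through as success. If `remove_tail()` (defined outside this hunk) can leave `dbuf->cur` NULL once the last buffer is consumed, a request fully satisfied by the first copy is reported as a failure, and the two `extract_data` hunks below now abort on that return value. Putting `if (!cur_len) return 0;` ahead of the guard keeps that success path and still avoids the null-pointer `memcpy` that scan-build flagged. The guard also never compares `cur_len` with `dbuf->cur_len`, so the source expression `dbuf->cur + dbuf->cur_len - cur_len` can point before the buffer if `len` exceeds what the buffers hold; unless an earlier bound outside the hunk rules this out, extend it to `if (cur_len < 0 || cur_len > dbuf->cur_len || !dbuf->cur) return 1;`. The body of extract_tail starts and ends outside the hunk.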
@@ -327,8 +327,10 @@  extract_data(const char *name)
 
 	while (1) {
 
-		if (extract_tail(&dbuf, &tr, sizeof(tr)))
+		if (extract_tail(&dbuf, &tr, sizeof(tr))) {
+			msg("unable to extract trailer header\n");
 			break;
+		}
 
 		if (tr.magic != cpu_to_be32(FWIMAGE_MAGIC)) {
 			msg("Data not found\n");
@@ -348,7 +350,10 @@  extract_data(const char *name)
 			break;
 		}
 
-		extract_tail(&dbuf, buf, data_len);
+		if (extract_tail(&dbuf, buf, data_len)) {
+			msg("unable to extract trailer data\n");
+			break;
+		}
 
 		if (tr.type == FWIMAGE_SIGNATURE) {
 			if (!signature_file)