From 989f3939bd16a0e1669c179b6c5c264812a25fc2 Mon Sep 17 00:00:00 2001
From: Ian Campbell
Date: Thu, 16 Jul 2015 09:50:07 +0100
Subject: [PATCH] xen: arm: bootfdt: Avoid reading off the front of *_cells array

In device_tree_for_each_node the call to the callback was using {address,size}_cells[depth - 1], which at depth 0 could read off the front of the array. We already handled this correctly in the rest of the loop so fixup this instance as well.

Reported-by: Chris (Christopher) Brand
Signed-off-by: Ian Campbell
Cc: Chris (Christopher) Brand
Reviewed-by: Julien Grall
---
 xen/arch/arm/bootfdt.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/xen/arch/arm/bootfdt.c b/xen/arch/arm/bootfdt.c
index e100233826..74d208b5eb 100644
--- a/xen/arch/arm/bootfdt.c
+++ b/xen/arch/arm/bootfdt.c
@@ -100,6 +100,7 @@ static int __init device_tree_for_each_node(const void *fdt,
 node = fdt_next_node(fdt, node, &depth) )
 {
 const char *name = fdt_get_name(fdt, node, NULL);
+ u32 as, ss;
 if ( depth >= DEVICE_TREE_MAX_DEPTH )
 {
@@ -108,14 +109,15 @@ static int __init device_tree_for_each_node(const void *fdt,
 continue;
 }
- address_cells[depth] = device_tree_get_u32(fdt, node, "#address-cells",
- depth > 0 ? address_cells[depth-1] : 0);
- size_cells[depth] = device_tree_get_u32(fdt, node, "#size-cells",
- depth > 0 ? size_cells[depth-1] : 0);
+ as = depth > 0 ? address_cells[depth-1] : 0;
+ ss = depth > 0 ? size_cells[depth-1] : 0;
+ address_cells[depth] = device_tree_get_u32(fdt, node,
+ "#address-cells", as);
+ size_cells[depth] = device_tree_get_u32(fdt, node,
+ "#size-cells", ss);
- ret = func(fdt, node, name, depth,
- address_cells[depth-1], size_cells[depth-1], data);
+ ret = func(fdt, node, name, depth, as, ss, data);
 if ( ret != 0 )
 return ret;
 }
--
2.30.2
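Review bot: The new locals `as` and `ss` in the second hunk have no comment saying they hold the parent's cell counts and are forced to 0 at the root, which is the invariant this fix depends on. I would add `/* Parent's #address-cells/#size-cells; 0 at depth 0, where there is no parent slot to read. */` above `as = depth > 0 ? address_cells[depth-1] : 0;`. The callback now receives 0/0 at depth 0 instead of whatever preceded the arrays, so a callback that sizes a `reg` read from these arguments presumably needs to treat 0 as "no cells"; the callbacks are not visible here, so this should be confirmed. The `for` header sits above the first hunk, and the only bound on `depth` visible in these hunks is the upper one (`depth >= DEVICE_TREE_MAX_DEPTH`), so the store to `address_cells[depth]` relies on the loop condition keeping `depth` non-negative.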