[PATCH v2 2/3] lib/bootconfig: check bounds before writing in __xbc_open_brace()

Next message: Frank Li: "Re: [PATCH v5 3/5] arm64: dts: imx94: add pcie0 and pcie0-ep supports"
Previous message: Josh Law: "[PATCH v2 1/3] lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error"
In reply to: Google: "Re: [PATCH v2 1/3] lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error"
Next in thread: Steven Rostedt: "Re: [PATCH v2 2/3] lib/bootconfig: check bounds before writing in __xbc_open_brace()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Josh Law

Date: Thu Mar 12 2026 - 15:12:48 EST

From: Josh Law <objecting@xxxxxxxxxxxxx>

The bounds check for brace_index happens after the array write.
While the current call pattern prevents an actual out-of-bounds
access (the previous call would have returned an error), the
write-before-check pattern is fragile and would become a real
out-of-bounds write if the error return were ever not propagated.

Move the bounds check before the array write so the function is
self-contained and safe regardless of caller behavior.

Signed-off-by: Josh Law <objecting@xxxxxxxxxxxxx>
---
lib/bootconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/bootconfig.c b/lib/bootconfig.c
index a1e6a2e14b01..62b4ed7a0ba6 100644
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -532,9 +532,9 @@ static char *skip_spaces_until_newline(char *p)
static int __init __xbc_open_brace(char *p)
{
/* Push the last key as open brace */
- open_brace[brace_index++] = xbc_node_index(last_parent);
if (brace_index >= XBC_DEPTH_MAX)
return xbc_parse_error("Exceed max depth of braces", p);
+ open_brace[brace_index++] = xbc_node_index(last_parent);

return 0;
}
--
2.34.1