Force manifest booleans to have empty values.
Allowing values such as `<0>` or `"false"` to be considered true has the
potential to cause confusion, so only accept empty properties as booleans.
Change-Id: I8a9db6a97fc8687ac336138b7b8fc10eee69ae91
diff --git a/src/manifest.c b/src/manifest.c
index 1933d10..c3b5566 100644
--- a/src/manifest.c
+++ b/src/manifest.c
@@ -55,21 +55,22 @@
}
/**
- * Read a boolean property: true if present; false if not. The value of the
- * property is ignored.
- *
- * This is the convention used by Linux but beware of things like the following
- * that will actually be considered as `true`.
- *
- * true-property0 = <0>;
- * true-property1 = "false";
+ * Read a boolean property: true if present; false if not. If present, the value
+ * of the property must be empty else it is considered malformed.
*/
-static bool read_bool(const struct fdt_node *node, const char *property)
+static enum manifest_return_code read_bool(const struct fdt_node *node,
+ const char *property, bool *out)
{
const char *data;
uint32_t size;
+ bool present = fdt_read_property(node, property, &data, &size);
- return fdt_read_property(node, property, &data, &size);
+ if (present && size != 0) {
+ return MANIFEST_ERROR_MALFORMED_BOOLEAN;
+ }
+
+ *out = present;
+ return MANIFEST_SUCCESS;
}
static enum manifest_return_code read_string(const struct fdt_node *node,
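Review bot: On the malformed path (the `if (present && size != 0)` check) `read_bool` returns without writing `*out`, so any caller that does not propagate the code through `TRY` would keep whatever the output held before, which for a permissive/allow-style flag is the unsafe direction to be stale in. Writing `*out = false;` before the check makes the error case fail closed independently of how the caller handles the return value, and the doc comment should then state the contract: `@param out Set to whether the property is present; false on error.` and `@return MANIFEST_ERROR_MALFORMED_BOOLEAN if the property carries a non-empty value.` The `data` pointer is now only needed to satisfy `fdt_read_property`'s signature; a short comment such as `/* value contents are ignored, only its size matters */` would explain why it is never read.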
@@ -286,8 +287,8 @@
dlog("%s SMC whitelist too long.\n", vm->debug_name);
}
- vm->smc_whitelist.permissive =
- read_bool(node, "smc_whitelist_permissive");
+ TRY(read_bool(node, "smc_whitelist_permissive",
+ &vm->smc_whitelist.permissive));
if (vm_id == HF_PRIMARY_VM_ID) {
TRY(read_optional_string(node, "ramdisk_filename",
@@ -396,6 +397,8 @@
return "Integer overflow";
case MANIFEST_ERROR_MALFORMED_INTEGER_LIST:
return "Malformed integer list property";
+ case MANIFEST_ERROR_MALFORMED_BOOLEAN:
+ return "Malformed boolean property";
}
panic("Unexpected manifest return code.");
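Review bot: The new string `"Malformed boolean property"` does not tell the manifest author what "malformed" means, even though the commit exists precisely because the accepted form is unintuitive; `return "Malformed boolean property (must have an empty value)";` would make the rejection actionable from the log alone. The enumerator `MANIFEST_ERROR_MALFORMED_BOOLEAN` used here and in `read_bool` is not declared anywhere in this diff, so presumably the manifest header is updated in the same change — worth confirming, and this switch has no `default`, so the string table relies on the compiler's missing-case warning to stay in sync with the enum.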