It's only safe to dereference r when dt_ptr_ok(fdt, r) determines that the r object is within the bounds of fdt. Commit 8a6b7db572c7 ("of: fdt: fix possibles overflows during parsing of invalid DTs") had a first attempt at enforcing this, but failed to do this for the very last element, so shift around the code, so we only ever dereference r when it's safe to do so. Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx> --- drivers/of/fdt.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c index 8dca41990c87..f56f5802bb73 100644 --- a/drivers/of/fdt.c +++ b/drivers/of/fdt.c @@ -69,14 +69,14 @@ static int of_reservemap_num_entries(const struct fdt_header *fdt) r = (void *)fdt + be32_to_cpu(fdt->off_mem_rsvmap); - while (dt_ptr_ok(fdt, r) && r->size) { + while (dt_ptr_ok(fdt, r) && n < OF_MAX_RESERVE_MAP) { + if (!r->size) + return n; n++; r++; - if (n == OF_MAX_RESERVE_MAP) - return -EINVAL; } - return r->size == 0 ? n : -ESPIPE; + return n == OF_MAX_RESERVE_MAP ? -EINVAL : -ESPIPE; } /** -- 2.39.2
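Review bot: the loop condition `n < OF_MAX_RESERVE_MAP` is tested before the terminator check `if (!r->size) return n;`, so a reservation map holding exactly OF_MAX_RESERVE_MAP entries followed by a valid zero-size terminator exits the loop with n == OF_MAX_RESERVE_MAP and is reported as -EINVAL instead of returning n. That matches the removed `if (n == OF_MAX_RESERVE_MAP) return -EINVAL;`, so it is fine if the limit is meant to be exclusive, but a one-line comment on the new return saying so (or swapping the order so a terminator at index OF_MAX_RESERVE_MAP is still accepted) would make the intent explicit. The dereference fix itself reads correctly: every `r->size` access now sits behind `dt_ptr_ok(fdt, r)` in the loop condition, and the post-loop return no longer touches r, which is exactly the out-of-bounds read the old `return r->size == 0 ? n : -ESPIPE;` performed once dt_ptr_ok had failed. One thing to confirm outside this hunk is that dt_ptr_ok validates the whole sizeof(*r) of the entry and not just its first byte; if it only checks the start address, the last entry can still run past the end of fdt.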