[PATCH master 3/3] of: fdt: harden against corrupted reserve map entries

Ahmad Fatoum a.fatoum at pengutronix.de
Wed Jul 17 00:29:13 PDT 2024


It's only safe to dereference r when dt_ptr_ok(fdt, r) determines that
the r object is within the bounds of fdt.

Commit 8a6b7db572c7 ("of: fdt: fix possibles overflows during
parsing of invalid DTs") had a first attempt at enforcing this, but
failed to do this for the very last element, so shift around the code,
so we only ever dereference r when it's safe to do so.

Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
 drivers/of/fdt.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
index 8dca41990c87..f56f5802bb73 100644
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -69,14 +69,14 @@ static int of_reservemap_num_entries(const struct fdt_header *fdt)
 
 	r = (void *)fdt + be32_to_cpu(fdt->off_mem_rsvmap);
 
-	while (dt_ptr_ok(fdt, r) && r->size) {
+	while (dt_ptr_ok(fdt, r) && n < OF_MAX_RESERVE_MAP) {
+		if (!r->size)
+			return n;
 		n++;
 		r++;
-		if (n == OF_MAX_RESERVE_MAP)
-			return -EINVAL;
 	}
 
-	return r->size == 0 ? n : -ESPIPE;
+	return n == OF_MAX_RESERVE_MAP ? -EINVAL : -ESPIPE;
 }
 
 /**
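Review bot: The `if (!r->size)` read at the top of the loop body is only safe if dt_ptr_ok(fdt, r) validates the whole reserve map entry and not just its start address; that helper is not visible in this hunk, so it is worth confirming that it bounds r plus sizeof(*r) against the blob, otherwise an entry straddling the end of the FDT would still be dereferenced past it. Separately, the final return now distinguishes two failures, -EINVAL when n reaches OF_MAX_RESERVE_MAP and -ESPIPE when the walk leaves the blob without finding a zero-size terminator; a one-line comment above that return would document which condition maps to which error code.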
-- 
2.39.2



