reg must contain enough cells for the entire next address/size pair
after skipping `index` pairs. The previous code allows an out-of-bounds
read when na + ns > 1.

Fixes: 69b41388ba45 ("dm: core: Add a new api to get indexed device address")
Signed-off-by: Samuel Holland <[email protected]>
---

 drivers/core/fdtaddr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/core/fdtaddr.c b/drivers/core/fdtaddr.c
index 91bcd1a2c2..50ea05263e 100644
--- a/drivers/core/fdtaddr.c
+++ b/drivers/core/fdtaddr.c
@@ -43,7 +43,7 @@ fdt_addr_t devfdt_get_addr_index(const struct udevice *dev, 
int index)
                }
 
                reg = fdt_getprop(gd->fdt_blob, offset, "reg", &len);
-               if (!reg || (len <= (index * sizeof(fdt32_t) * (na + ns)))) {
+               if (!reg || (len < ((index + 1) * sizeof(fdt32_t) * (na + 
ns)))) {
                        debug("Req index out of range\n");
                        return FDT_ADDR_T_NONE;
                }
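Review bot: The rewritten bound on the `+` line no longer rejects `index == -1`. `index` is an `int` (per the hunk header), so `(index + 1)` is 0 and the product is 0, and `len < 0` is false once `len` is converted to the unsigned type of the `sizeof` expression; the old `index * sizeof(fdt32_t) * (na + ns)` form wrapped to a very large unsigned value and took the error path. If the code after this check advances `reg` by `index * (na + ns)` cells (that part is outside the hunk, so this is inferred), a negative index would read before the start of the property. I would add an explicit guard, `if (!reg || index < 0 || (len < ((index + 1) * sizeof(fdt32_t) * (na + ns)))) {`, with a one-line comment above it such as `/* reg must hold index + 1 complete address/size pairs */`. The enclosing function starts and ends outside the hunk.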
-- 
2.37.3
