From f2a2765625340b63877b8c25e46d5a3178739880 Mon Sep 17 00:00:00 2001 From: Samuel Holland Date: Sun, 30 Oct 2022 14:53:45 -0500 Subject: [PATCH] fdt: Fix bounds check in devfdt_get_addr_index reg must contain enough cells for the entire next address/size pair after skipping `index` pairs. The previous code allows an out-of-bounds read when na + ns > 1. Series-to: Simon Glass Fixes: 69b41388ba45 ("dm: core: Add a new api to get indexed device address") Signed-off-by: Samuel Holland --- drivers/core/fdtaddr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/core/fdtaddr.c b/drivers/core/fdtaddr.c index 91bcd1a2c21..50ea05263e3 100644 --- a/drivers/core/fdtaddr.c +++ b/drivers/core/fdtaddr.c @@ -43,7 +43,7 @@ fdt_addr_t devfdt_get_addr_index(const struct udevice *dev, int index) } reg = fdt_getprop(gd->fdt_blob, offset, "reg", &len); - if (!reg || (len <= (index * sizeof(fdt32_t) * (na + ns)))) { + if (!reg || (len < ((index + 1) * sizeof(fdt32_t) * (na + ns)))) { debug("Req index out of range\n"); return FDT_ADDR_T_NONE; }
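
Review bot: The new condition on the `+` line no longer rejects a negative `index`. The parameter is `int index`, so for `index == -1` the bound `(index + 1) * sizeof(fdt32_t) * (na + ns)` evaluates to 0 and any non-NULL `reg` passes the `len <` test. The old expression rejected that case in practice, because multiplying -1 by `sizeof(fdt32_t)` converts it to a very large unsigned value. Suggest adding an explicit `index < 0` test to the condition, or making the parameter unsigned. Since `index + 1` is computed in `int` before the conversion to `size_t`, it is also worth bounding `index` from above so that neither the addition nor the product can overflow. A one-line comment that `reg` must hold `index + 1` complete address/size pairs would carry the reasoning from the commit message into the code.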