From ed9756c1376d1c7b91f1be817baff52c50c431ac Mon Sep 17 00:00:00 2001 From: Gregory Nutt Date: Thu, 5 Dec 2013 18:19:48 -0600 Subject: [PATCH] MTD NAND: Check if block number is out of ragne at top of loop, not bottom, to avoid some bogus transfers --- ChangeLog | 3 +++ drivers/mtd/mtd_nand.c | 38 ++++++++++++++++++++++++-------------- 2 files changed, 27 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8b81f89560..a08d607e3f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6164,4 +6164,7 @@ from FLASH (2013-12-05). * fs/fat/fs_configfat.c: Fix a typo in the FAT16 formatting logic. Was this ever able to format a FAT16 disk? (2013-12-05). + * drivers/mtd/mtd_nand.c: Check if block number is within range at + the top of the loop not the bottom. Otherwise, we will do a bogus + transfer with the out-of-range block before we test it (2013-12-05). diff --git a/drivers/mtd/mtd_nand.c b/drivers/mtd/mtd_nand.c index 50e59c105d..9fb38e4e8c 100755 --- a/drivers/mtd/mtd_nand.c +++ b/drivers/mtd/mtd_nand.c @@ -638,6 +638,17 @@ static ssize_t nand_bread(struct mtd_dev_s *dev, off_t startpage, for (remaining = npages; remaining > 0; remaining--) { + /* Check for attempt to read beyond the end of NAND */ + + if (block > maxblock) + { + fdbg("ERROR: Read beyond the end of FLASH, block=%ld\n", + (long)block); + + ret = -ESPIPE; + goto errout_with_lock; + } + /* Read the next page from NAND */ ret = nand_readpage(nand, block, page, buffer); @@ -656,13 +667,7 @@ static ssize_t nand_bread(struct mtd_dev_s *dev, off_t startpage, if (++page >= pagesperblock) { page = 0; - if (++block > maxblock) - { - fdbg("ERROR: Read beyond the end of FLASH, block=%d\n", - block); - ret = -ESPIPE; - goto errout_with_lock; - } + block++; } /* Increment the buffer point by the size of one page */ 
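Review bot: The guard added at the top of the nand_bread loop rejects only `block > maxblock`, so a negative block number would still reach nand_readpage(). `startpage` is a signed `off_t`, and the new `(long)block` cast suggests `block` is signed as well; unless code outside the hunk already rejects a negative `startpage`, the test should cover both ends, `if (block < 0 || block > maxblock)`. The identical guard added to the nand_bwrite loop has the same gap. The declarations of `block` and `maxblock` are outside the hunk, so confirm the type before adding the lower bound.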
@@ -729,6 +734,17 @@ static ssize_t nand_bwrite(struct mtd_dev_s *dev, off_t startpage, for (remaining = npages; remaining > 0; remaining--) { + /* Check for attempt to write beyond the end of NAND */ + + if (block > maxblock) + { + fdbg("ERROR: Write beyond the end of FLASH, block=%ld\n", + (long)block); + + ret = -ESPIPE; + goto errout_with_lock; + } + /* Write the next page into NAND */ ret = nand_writepage(nand, block, page, buffer); @@ -747,13 +763,7 @@ static ssize_t nand_bwrite(struct mtd_dev_s *dev, off_t startpage, if (++page >= pagesperblock) { page = 0; - if (++block > maxblock) - { - fdbg("ERROR: Write beyond the end of FLASH, block=%d\n", - block); - ret = -ESPIPE; - goto errout_with_lock; - } + block++; } /* Increment the buffer point by the size of one page */
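Review bot: A write request that runs past the last block is rejected only after every in-range page has been programmed, because the range test in the nand_bwrite loop runs once per page. NAND pages cannot be rewritten without erasing the block, so the caller gets -ESPIPE with the flash already modified. Validating the whole request before the first nand_writepage() call would avoid that, for example `if (npages > 0 && block + (page + npages - 1) / pagesperblock > maxblock) { ret = -ESPIPE; goto errout_with_lock; }` ahead of the loop. The lock acquisition and the setup of `block` and `page` are outside the hunk, so the placement and the overflow behaviour of that sum need checking against the declared types. The nand_bread loop has the same shape, where the effect is a partly filled caller buffer.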