efi_get_boot_option() validates the overall Boot#### variable size and
the advertised device-path byte count, but then walks each device-path
node without first checking that the node header and subtype payload fit
in the remaining buffer.
A malformed Boot#### variable could make the parser read past the end of
the current node, or past the available device-path data.
Limit parsing to the bytes that are actually present, and stop walking
the device path when a malformed node is encountered. This keeps the
previous best-effort behaviour for fields parsed before the anomaly while
avoiding out-of-bounds reads.