Bump CIS_MAXSTR from 30 to 254. pccard appears to define the entire

section we take them from to be up to 255 bytes long, so that's the
max size for the string.  They can't all be this big, but I don't have
a better number and better to be a little long than a little short.

Also only consume len characters of the cis buffer so we don't run off
the end into the next buffer and get garbage.  This second patch
shouldn't impact anything, but I'll hold off back porting this to
-stable until I get more reports on the stability before/after this
fix.

usr.sbin/pccard/pccardd/readcis.c

@@ -170,16 +170,29 @@ freecis(struct cis *cp)
 static void
 cis_info(struct cis *cp, unsigned char *p, int len)
 {
+	unsigned char *end = p + len;
 	*cp->manuf = *cp->vers = *cp->add_info1 = *cp->add_info2 = '\0';
 	cp->maj_v = *p++;
 	cp->min_v = *p++;
+	if (p >= end)
+		return;
 	strncpy(cp->manuf, p, CIS_MAXSTR - 1);
-	while (*p++);
+	cp->manuf[CIS_MAXSTR - 1] = '\0';
+	p += strlen(p);
+	if (p >= end)
+		return;
 	strncpy(cp->vers, p, CIS_MAXSTR - 1);
-	while (*p++);
+	cp->vers[CIS_MAXSTR - 1] = '\0';
+	p += strlen(p);
+	if (p >= end)
+		return;
 	strncpy(cp->add_info1, p, CIS_MAXSTR - 1);
-	while (*p++);
+	cp->add_info1[CIS_MAXSTR - 1] = '\0';
+	p += strlen(p);
+	if (p >= end)
+		return;
 	strncpy(cp->add_info2, p, CIS_MAXSTR - 1);
+	cp->add_info2[CIS_MAXSTR - 1] = '\0';
 }
 
 /*

usr.sbin/pccard/pccardd/readcis.h

@@ -26,7 +26,7 @@
  * $FreeBSD$
  */
 
-#define	CIS_MAXSTR	30
+#define	CIS_MAXSTR	254
 struct tuple {
 	struct tuple *next;
 	unsigned char code;