From 87db5eaa0d511538e2450a0f29c33aec7f8417a2 Mon Sep 17 00:00:00 2001
From: Warner Losh
Date: Tue, 7 Dec 1999 19:23:56 +0000
Subject: [PATCH] Bump CIS_MAXSTR from 30 to 254. pccard appears to define the entire section we take them from to be up to 255 bytes long, so that's the max size for the string. They can't all be this big, but I don't have a better number and better to be a little long than a little short. Also only consume len characters of the cis buffer so we don't run off the end into the next buffer and get garbage. This second patch shouldn't impact anything, but I'll hold off back porting this to -stable until I get more reports on the stability before/after this fix.
---
 usr.sbin/pccard/pccardd/readcis.c | 19 ++++++++++++++++---
 usr.sbin/pccard/pccardd/readcis.h | 2 +-
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/usr.sbin/pccard/pccardd/readcis.c b/usr.sbin/pccard/pccardd/readcis.c
index 6fd7c7bb2592..ddfd6fcba783 100644
--- a/usr.sbin/pccard/pccardd/readcis.c
+++ b/usr.sbin/pccard/pccardd/readcis.c
@@ -170,16 +170,29 @@ freecis(struct cis *cp)
 static void
 cis_info(struct cis *cp, unsigned char *p, int len)
 {
+ unsigned char *end = p + len;
 *cp->manuf = *cp->vers = *cp->add_info1 = *cp->add_info2 = '\0';
 cp->maj_v = *p++;
 cp->min_v = *p++;
+ if (p >= end)
+ return;
 strncpy(cp->manuf, p, CIS_MAXSTR - 1);
- while (*p++);
+ cp->manuf[CIS_MAXSTR - 1] = '\0';
+ p += strlen(p);
+ if (p >= end)
+ return;
 strncpy(cp->vers, p, CIS_MAXSTR - 1);
- while (*p++);
+ cp->vers[CIS_MAXSTR - 1] = '\0';
+ p += strlen(p);
+ if (p >= end)
+ return;
 strncpy(cp->add_info1, p, CIS_MAXSTR - 1);
- while (*p++);
+ cp->add_info1[CIS_MAXSTR - 1] = '\0';
+ p += strlen(p);
+ if (p >= end)
+ return;
 strncpy(cp->add_info2, p, CIS_MAXSTR - 1);
+ cp->add_info2[CIS_MAXSTR - 1] = '\0';
 }
 
 /*
diff --git a/usr.sbin/pccard/pccardd/readcis.h b/usr.sbin/pccard/pccardd/readcis.h
index 054003604d4e..58d83ef8d083 100644
--- a/usr.sbin/pccard/pccardd/readcis.h
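Review bot: `p += strlen(p);` leaves `p` on the string's NUL terminator, whereas the removed `while (*p++);` stepped past it, so after `manuf` every following `strncpy` starts at that NUL and `vers`, `add_info1` and `add_info2` come out empty; the advance should be `p += strlen(p) + 1;` in all three places. Separately, the `p >= end` checks run only after `strlen` and `strncpy` have already read from `p`, and neither call is bounded by `end`, so a tuple whose last string lacks a terminator (the CIS is supplied by the inserted card) is still read past `len`, and with `CIS_MAXSTR` at 254 `strncpy` may read up to 253 bytes there. `maj_v` and `min_v` are likewise read before any check that `len` is at least 2. One way to bound every read by `end` is a small copy helper, sketched below on the assumption that each destination field is a `char[CIS_MAXSTR]`.

```c
/* Copy one NUL-terminated CIS string into dst without reading at or past end. */
static unsigned char *
cis_copy_str(char *dst, unsigned char *p, unsigned char *end)
{
	size_t avail = (size_t)(end - p);
	unsigned char *nul = memchr(p, '\0', avail);
	size_t n = (nul != NULL) ? (size_t)(nul - p) : avail;

	if (n > CIS_MAXSTR - 1)
		n = CIS_MAXSTR - 1;
	memcpy(dst, p, n);
	dst[n] = '\0';
	/* Resume after the terminator, or at end if the string was unterminated. */
	return (nul != NULL ? nul + 1 : end);
}

static void
cis_info(struct cis *cp, unsigned char *p, int len)
{
	unsigned char *end;
	/* … unchanged: clearing the four strings … */
	if (len < 2)
		return;
	end = p + len;
	cp->maj_v = *p++;
	cp->min_v = *p++;
	p = cis_copy_str(cp->manuf, p, end);
	p = cis_copy_str(cp->vers, p, end);
	p = cis_copy_str(cp->add_info1, p, end);
	p = cis_copy_str(cp->add_info2, p, end);
}
```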
+++ b/usr.sbin/pccard/pccardd/readcis.h
@@ -26,7 +26,7 @@
 * $FreeBSD$
 */
 
-#define CIS_MAXSTR 30
+#define CIS_MAXSTR 254
 struct tuple {
 struct tuple *next;
 unsigned char code;