Update length more correctly when parsing a cis info field.
Before, we were using while (*p++ && --len > 0); to do this. However, len doesn't get decremented for the NUL byte, so when we used len later to see if we still have CIS left for some optional fields, we'd run off the end of an array and dump core. Instead, replace it with len -= strlen(p) + 1; p += strlen(p) + 1; which is more correct. It is a little bogus to assume that p points to a valid C string, but only a little. The PC Card SPEC mandates that it does, and we already depend on that with the use of strdup a few lines earlier. Since much of the rest of the cis parsing code isn't hyper retentive about error checking, I'll leave that level of checking for another time and/or another committer :-).
parent
967375e92e
commit
7a731ac2d2
@ -203,7 +203,8 @@ cis_info(struct cis *cp, unsigned char *p, int len)
|
||||
}
|
||||
if (len > 1 && *p != 0xff) {
|
||||
cp->manuf = strdup(p);
|
||||
while (*p++ && --len > 0);
|
||||
len -= strlen(p) + 1;
|
||||
p += strlen(p) + 1;
|
||||
}
|
||||
if (cp->vers) {
|
||||
free(cp->vers);
|
||||
@ -211,9 +212,10 @@ cis_info(struct cis *cp, unsigned char *p, int len)
|
||||
}
|
||||
if (len > 1 && *p != 0xff) {
|
||||
cp->vers = strdup(p);
|
||||
while (*p++ && --len > 0);
|
||||
len -= strlen(p) + 1;
|
||||
p += strlen(p) + 1;
|
||||
} else {
|
||||
cp->vers = strdup("?");
|
||||
cp->vers = strdup("[none]");
|
||||
}
|
||||
if (cp->add_info1) {
|
||||
free(cp->add_info1);
|
||||
@ -221,7 +223,10 @@ cis_info(struct cis *cp, unsigned char *p, int len)
|
||||
}
|
||||
if (len > 1 && *p != 0xff) {
|
||||
cp->add_info1 = strdup(p);
|
||||
while (*p++ && --len > 0);
|
||||
len -= strlen(p) + 1;
|
||||
p += strlen(p) + 1;
|
||||
} else {
|
||||
cp->add_info1 = strdup("[none]");
|
||||
}
|
||||
if (cp->add_info2) {
|
||||
free(cp->add_info2);
|
||||
@ -229,6 +234,8 @@ cis_info(struct cis *cp, unsigned char *p, int len)
|
||||
}
|
||||
if (len > 1 && *p != 0xff)
|
||||
cp->add_info2 = strdup(p);
|
||||
else
|
||||
cp->add_info2 = strdup("[none]");
|
||||
}
|
||||
|
||||
/*
|
||||
|
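Review bot: `strdup(p)` and the two `strlen(p)` calls in the manuf branch are not bounded by `len`, so a CIS info tuple whose string has no terminating NUL inside the tuple is read past the end of the buffer before the `len > 1` test on the next field can stop it. The CIS contents come from the inserted card, so the terminator should be checked rather than assumed from the spec: locate it first with `unsigned char *e = memchr(p, 0, len);`, stop parsing the optional fields when `e == NULL`, and otherwise advance with `len -= e - p + 1; p = e + 1;`. The same pattern repeats in the vers and add_info1 branches, and the final `strdup(p)` for add_info2 has the same unbounded read. The `strdup` results are also stored unchecked, which may matter to callers that dereference these fields. cis_info begins and ends outside the hunks shown.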