When "cp >= barg_buf + BARG_LEN-2", it breaks internel looping 'while', but outside loop 'for' still has effect, so "*cp++ = ' '" will continue repeating which may cause memory overflow. So need additional length check for it in the outside looping. Also beautify the related code which found by "./scripts/checkpatch.pl" Signed-off-by: Chen Gang <gang.chen@asianux.com> Signed-off-by: David S. Miller <davem@davemloft.net>
		
			
				
	
	
		
			63 lines
		
	
	
		
			1.3 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			63 lines
		
	
	
		
			1.3 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| /*
 | |
|  * bootstr.c:  Boot string/argument acquisition from the PROM.
 | |
|  *
 | |
|  * Copyright(C) 1995 David S. Miller (davem@caip.rutgers.edu)
 | |
|  */
 | |
| 
 | |
| #include <linux/string.h>
 | |
| #include <asm/oplib.h>
 | |
| #include <linux/init.h>
 | |
| 
 | |
| #define BARG_LEN  256
 | |
| static char barg_buf[BARG_LEN] = { 0 };
 | |
| static char fetched __initdata = 0;
 | |
| 
 | |
| char * __init
 | |
| prom_getbootargs(void)
 | |
| {
 | |
| 	int iter;
 | |
| 	char *cp, *arg;
 | |
| 
 | |
| 	/* This check saves us from a panic when bootfd patches args. */
 | |
| 	if (fetched) {
 | |
| 		return barg_buf;
 | |
| 	}
 | |
| 
 | |
| 	switch (prom_vers) {
 | |
| 	case PROM_V0:
 | |
| 		cp = barg_buf;
 | |
| 		/* Start from 1 and go over fd(0,0,0)kernel */
 | |
| 		for (iter = 1; iter < 8; iter++) {
 | |
| 			arg = (*(romvec->pv_v0bootargs))->argv[iter];
 | |
| 			if (arg == NULL)
 | |
| 				break;
 | |
| 			while (*arg != 0) {
 | |
| 				/* Leave place for space and null. */
 | |
| 				if (cp >= barg_buf + BARG_LEN - 2)
 | |
| 					/* We might issue a warning here. */
 | |
| 					break;
 | |
| 				*cp++ = *arg++;
 | |
| 			}
 | |
| 			*cp++ = ' ';
 | |
| 			if (cp >= barg_buf + BARG_LEN - 1)
 | |
| 				/* We might issue a warning here. */
 | |
| 				break;
 | |
| 		}
 | |
| 		*cp = 0;
 | |
| 		break;
 | |
| 	case PROM_V2:
 | |
| 	case PROM_V3:
 | |
| 		/*
 | |
| 		 * V3 PROM cannot supply as with more than 128 bytes
 | |
| 		 * of an argument. But a smart bootstrap loader can.
 | |
| 		 */
 | |
| 		strlcpy(barg_buf, *romvec->pv_v2bootargs.bootargs, sizeof(barg_buf));
 | |
| 		break;
 | |
| 	default:
 | |
| 		break;
 | |
| 	}
 | |
| 
 | |
| 	fetched = 1;
 | |
| 	return barg_buf;
 | |
| }
 |