linux-next/arch/sparc/prom/bootstr_32.c
Chen Gang 242ece22f0 arch: sparc: prom: looping issue, need additional length check in the outside looping
When "cp >= barg_buf + BARG_LEN-2", it breaks out of the internal 'while' loop,
but the outer 'for' loop still continues, so "*cp++ = ' '" keeps
repeating, which may cause a memory overflow.

So need additional length check for it in the outside looping.

Also beautify the related code which found by "./scripts/checkpatch.pl"

Signed-off-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-06-19 02:10:29 -07:00


/*
* bootstr.c: Boot string/argument acquisition from the PROM.
*
* Copyright(C) 1995 David S. Miller (davem@caip.rutgers.edu)
*/
#include <linux/string.h>
#include <asm/oplib.h>
#include <linux/init.h>
/* Size in bytes of the boot-argument buffer, including the terminating NUL. */
#define BARG_LEN 256
/* Holds the boot argument string that prom_getbootargs() builds and returns. */
static char barg_buf[BARG_LEN] = { 0 };
/* Set to 1 once prom_getbootargs() has run; later calls return barg_buf as-is. */
static char fetched __initdata = 0;
/**
 * prom_getbootargs - fetch the boot argument string from the PROM
 *
 * The first call fills barg_buf according to prom_vers and marks it as
 * fetched; every later call returns the buffer without touching the PROM.
 *
 * PROM_V0: argv[1] .. argv[7] are concatenated, each followed by a single
 * space, stopping at the first NULL entry. The copy is bounded so that the
 * separator and the terminating NUL always fit inside barg_buf; input that
 * does not fit is truncated without any diagnostic.
 *
 * PROM_V2 / PROM_V3: the PROM's bootargs string is copied with strlcpy(),
 * bounded by sizeof(barg_buf).
 *
 * Any other PROM version leaves barg_buf as it was.
 *
 * Return: pointer to the static barg_buf.
 */
char * __init
prom_getbootargs(void)
{
	/* One past the last byte of barg_buf; all bounds below are relative to it. */
	char *const limit = barg_buf + BARG_LEN;
	char *dst, *src;
	int idx;

	/* This check saves us from a panic when bootfd patches args. */
	if (fetched)
		return barg_buf;

	switch (prom_vers) {
	case PROM_V0:
		dst = barg_buf;
		/* Start from 1 and go over fd(0,0,0)kernel */
		for (idx = 1; idx < 8; idx++) {
			src = (*(romvec->pv_v0bootargs))->argv[idx];
			if (src == NULL)
				break;

			/*
			 * Copy only while two bytes remain free: one for the
			 * separating space and one for the terminating NUL.
			 * We might issue a warning when this truncates.
			 */
			while (*src != 0 && dst < limit - 2)
				*dst++ = *src++;

			*dst++ = ' ';

			/*
			 * The outer loop must stop as well once only the NUL
			 * slot is left; otherwise the next separator would be
			 * written past the end of barg_buf.
			 * We might issue a warning here.
			 */
			if (dst >= limit - 1)
				break;
		}
		*dst = 0;
		break;
	case PROM_V2:
	case PROM_V3:
		/*
		 * V3 PROM cannot supply us with more than 128 bytes
		 * of an argument. But a smart bootstrap loader can.
		 *
		 * NOTE(review): strlcpy() bounds the write and always
		 * NUL-terminates, but it measures the whole source string,
		 * so this relies on the PROM/loader string being
		 * NUL-terminated. Over-long input is truncated silently.
		 */
		strlcpy(barg_buf, *romvec->pv_v2bootargs.bootargs, sizeof(barg_buf));
		break;
	default:
		break;
	}

	fetched = 1;
	return barg_buf;
}