When "cp >= barg_buf + BARG_LEN-2", it breaks internel looping 'while',
but outside loop 'for' still has effect, so "*cp++ = ' '" will continue
repeating which may cause memory overflow.
So need additional length check for it in the outside looping.
Also beautify the related code which found by "./scripts/checkpatch.pl"
Signed-off-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
return barg_buf;
}
- switch(prom_vers) {
+ switch (prom_vers) {
case PROM_V0:
cp = barg_buf;
/* Start from 1 and go over fd(0,0,0)kernel */
- for(iter = 1; iter < 8; iter++) {
+ for (iter = 1; iter < 8; iter++) {
arg = (*(romvec->pv_v0bootargs))->argv[iter];
if (arg == NULL)
break;
- while(*arg != 0) {
+ while (*arg != 0) {
/* Leave place for space and null. */
- if(cp >= barg_buf + BARG_LEN-2){
+ if (cp >= barg_buf + BARG_LEN - 2)
/* We might issue a warning here. */
break;
- }
*cp++ = *arg++;
}
*cp++ = ' ';
+ if (cp >= barg_buf + BARG_LEN - 1)
+ /* We might issue a warning here. */
+ break;
}
*cp = 0;
break;
projects / thirdparty / kernel / linux.git / commitdiff
