From owner-svn-src-head@freebsd.org  Tue Sep 22 16:59:42 2015
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id C5983A079D2;
 Tue, 22 Sep 2015 16:59:42 +0000 (UTC)
 (envelope-from amdmi3@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id B692F15C3;
 Tue, 22 Sep 2015 16:59:42 +0000 (UTC)
 (envelope-from amdmi3@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.70])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t8MGxgYd036045;
 Tue, 22 Sep 2015 16:59:42 GMT (envelope-from amdmi3@FreeBSD.org)
Received: (from amdmi3@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id t8MGxgjg036043;
 Tue, 22 Sep 2015 16:59:42 GMT (envelope-from amdmi3@FreeBSD.org)
Message-Id: <201509221659.t8MGxgjg036043@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: amdmi3 set sender to
 amdmi3@FreeBSD.org using -f
From: Dmitry Marakasov <amdmi3@FreeBSD.org>
Date: Tue, 22 Sep 2015 16:59:42 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r288120 - head/usr.sbin/ndiscvt
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2015 16:59:42 -0000

Author: amdmi3 (ports committer)
Date: Tue Sep 22 16:59:41 2015
New Revision: 288120
URL: https://svnweb.freebsd.org/changeset/base/288120

Log:
  Fix crash on parsing some inf files
  
  ndiscvt uses 16 entry array for words into which it parses
  comma-separated lists of strings, like AddReg line in
  
      [somesection]
          AddReg = foo.reg, bar.reg, baz.reg, quiz.reg
  
  Overflows were not checked so it crashed on a line with 17 words
  encountered in some Broadcom/Dell Wireless 1704 802.11b-g-n driver
  
  So extend the array up to 32 entries and add an overflow check.
  
  Reviewed by:	bapt
  Approved by:	bapt
  MFC after:	2 weeks
  Differential Revision:	D3713

Modified:
  head/usr.sbin/ndiscvt/inf.c
  head/usr.sbin/ndiscvt/inf.h

Modified: head/usr.sbin/ndiscvt/inf.c
==============================================================================
--- head/usr.sbin/ndiscvt/inf.c	Tue Sep 22 16:51:40 2015	(r288119)
+++ head/usr.sbin/ndiscvt/inf.c	Tue Sep 22 16:59:41 2015	(r288120)
@@ -887,6 +887,12 @@ regkey_add (const char *r)
 void
 push_word (const char *w)
 {
+
+	if (idx == W_MAX) {
+		fprintf(stderr, "too many words; try bumping W_MAX in inf.h\n");
+		exit(1);
+	}
+
 	if (w && strlen(w))
 		words[idx++] = w;
 	else

Modified: head/usr.sbin/ndiscvt/inf.h
==============================================================================
--- head/usr.sbin/ndiscvt/inf.h	Tue Sep 22 16:51:40 2015	(r288119)
+++ head/usr.sbin/ndiscvt/inf.h	Tue Sep 22 16:59:41 2015	(r288120)
@@ -4,7 +4,7 @@
  * $FreeBSD$
  */
 
-#define W_MAX	16
+#define W_MAX	32
 
 struct section {
 	const char *	name;