MIPS: BCM47XX: Use strnchr to avoid reading out of the buffer

Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Cc: Paul Walmsley <paul@pwsan.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/8662/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

diff --git a/arch/mips/bcm47xx/nvram.c b/arch/mips/bcm47xx/nvram.c
index 5e4ae042deb93bac25d374635e370179a662bc81..d805d8af415f58b69ce676491a470498bc47bd1a 100644 (file)
--- a/arch/mips/bcm47xx/nvram.c
+++ b/arch/mips/bcm47xx/nvram.c
@@ -175,7 +175,7 @@ static int nvram_init(void)
 int bcm47xx_nvram_getenv(const char *name, char *val, size_t val_len)
 {
        char *var, *value, *end, *eq;
-       int err;
+       int data_left, err;
 
        if (!name)
                return -EINVAL;
@@ -191,7 +191,9 @@ int bcm47xx_nvram_getenv(const char *name, char *val, size_t val_len)
        end = nvram_buf + sizeof(nvram_buf) - 2;
        end[0] = end[1] = '\0';
        for (; *var; var = value + strlen(value) + 1) {
-               eq = strchr(var, '=');
+               data_left = end - var;
+
+               eq = strnchr(var, data_left, '=');
                if (!eq)
                        break;
                value = eq + 1;