getenv_f(): fix handling of too short buffers
authorWolfgang Denk <wd@denx.de>
Sat, 24 Jul 2010 20:16:20 +0000 (22:16 +0200)
committerWolfgang Denk <wd@denx.de>
Sun, 8 Aug 2010 22:53:57 +0000 (00:53 +0200)
Fix error handling in getenv_f() when the user provided buffer is too
short to hold the variable name; make sure to truncate and
NUL-terminate without overwriting the buffer limits.

Signed-off-by: Wolfgang Denk <wd@denx.de>
common/cmd_nvedit.c

index 16d5ff74d9e03d1225a1713f5fafa61e811d432e..fd5320d1704f99e4688d54b2ada7b069fa7af9dc 100644 (file)
@@ -557,13 +557,19 @@ int getenv_f(char *name, char *buf, unsigned len)
                }
                if ((val=envmatch((uchar *)name, i)) < 0)
                        continue;
+
                /* found; copy out */
-               n = 0;
-               while ((len > n++) && (*buf++ = env_get_char(val++)) != '\0')
-                       ;
-               if (len == n)
-                       *buf = '\0';
-               return (n);
+               for (n=0; n<len; ++n, ++buf) {
+                       if ((*buf = env_get_char(val++)) == '\0')
+                               return n;
+               }
+
+               if (n)
+                       *--buf = '\0';
+
+               printf("env_buf too small [%d]\n", len);
+
+               return n;
        }
        return (-1);
 }