From 7a731ac2d2900c8fcab19cfb05f4bb9c8e6b701e Mon Sep 17 00:00:00 2001
From: Warner Losh
Date: Sun, 6 Jan 2002 18:03:55 +0000
Subject: [PATCH] Update length more correctly when parsing a cis info field.

Before, we were using while (*p++ && --len > 0); to do this. However, len doesn't get decremented for the NUL byte, so when we used len later to see if we still have CIS left for some optional fields, we'd run off the end of an array and dump core. Instead, replace it with len -= strlen(p) + 1; p += strlen(p) + 1; which is more correct. It is a little bogus to assume that p points to a valid C string, but only a little. The PC Card SPEC mandates that it does, and we already depend on that with the use of strdup a few lines earlier. Since much of the rest of the cis parsing code isn't hyper retentive about error checking, I'll leave that level of checking for another time and/or another committer :-).
---
 usr.sbin/pccard/pccardd/readcis.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/usr.sbin/pccard/pccardd/readcis.c b/usr.sbin/pccard/pccardd/readcis.c
index 17ca514f6c2..49b2abffb4b 100644
--- a/usr.sbin/pccard/pccardd/readcis.c
+++ b/usr.sbin/pccard/pccardd/readcis.c
@@ -203,7 +203,8 @@ cis_info(struct cis *cp, unsigned char *p, int len)
 	}
 	if (len > 1 && *p != 0xff) {
 		cp->manuf = strdup(p);
-		while (*p++ && --len > 0);
+		len -= strlen(p) + 1;
+		p += strlen(p) + 1;
 	}
 	if (cp->vers) {
 		free(cp->vers);
@@ -211,9 +212,10 @@ cis_info(struct cis *cp, unsigned char *p, int len)
 	}
 	if (len > 1 && *p != 0xff) {
 		cp->vers = strdup(p);
-		while (*p++ && --len > 0);
+		len -= strlen(p) + 1;
+		p += strlen(p) + 1;
 	} else {
-		cp->vers = strdup("?");
+		cp->vers = strdup("[none]");
 	}
 	if (cp->add_info1) {
 		free(cp->add_info1);
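Review bot: `strlen(p)` on the new `len -= strlen(p) + 1;` line is not bounded by `len`, so a CIS whose string field has no NUL within the remaining bytes is still scanned past the point where the old loop stopped, and that same unbounded length then drives `p += strlen(p) + 1;` and the next `len > 1` check; the commit message defers this, but the fix and the bound can be kept together. A bounded scan such as `unsigned char *nul = memchr(p, 0, len); size_t n = nul ? (size_t)(nul - p) + 1 : (size_t)len;` followed by `len -= n; p += n;` stops inside the buffer and also removes the duplicated `strlen` call. Note too that `len` is an `int` while `strlen` returns `size_t`, so when the string plus its NUL exceeds `len` the subtraction wraps and only the conversion back to `int` makes the later `len > 1` tests fail, whereas the bounded form drives `len` to zero instead. Hunks 2 and 3 (the `cp->vers` and `cp->add_info1` fields) repeat the same two lines and the same fix applies there. `cis_info` begins before this hunk and continues after it.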
@@ -221,7 +223,10 @@ cis_info(struct cis *cp, unsigned char *p, int len)
 	}
 	if (len > 1 && *p != 0xff) {
 		cp->add_info1 = strdup(p);
-		while (*p++ && --len > 0);
+		len -= strlen(p) + 1;
+		p += strlen(p) + 1;
+	} else {
+		cp->add_info1 = strdup("[none]");
 	}
 	if (cp->add_info2) {
 		free(cp->add_info2);
@@ -229,6 +234,8 @@ cis_info(struct cis *cp, unsigned char *p, int len)
 	}
 	if (len > 1 && *p != 0xff)
 		cp->add_info2 = strdup(p);
+	else
+		cp->add_info2 = strdup("[none]");
 }
 
 /*
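Review bot: The new `else` arms in this hunk and the next (`cp->add_info1 = strdup("[none]");` and `cp->add_info2 = strdup("[none]");`) do not check the `strdup` result, so on allocation failure the field is still left NULL, which is presumably the state the placeholder was added to rule out, though the consumers are not visible from here. The existing `strdup(p)` calls on the other arm have the same gap, so one check after each `if`/`else`, e.g. `if (cp->add_info2 == NULL)` followed by whatever pccardd does elsewhere on allocation failure, would cover both arms at once. In the second hunk the `if`/`else` is unbraced on both arms; bracing it would match the `manuf`, `vers` and `add_info1` blocks above it. `cis_info` ends at the `}` near the bottom of the second hunk but begins before both hunks.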