From: Enrico Scholz <enrico.scholz@xxxxxxxxxxxxxxxxx> On large string tables (>64K), a | fdt->strings = realloc(fdt->strings, fdt->str_size * 2); operation is executed. This 'realloc()' does not zero the memory so there is no guarantee that the strings will be terminated properly. Modify 'lstrcpy()' so that it also copies the terminating '\0'. Signed-off-by: Enrico Scholz <enrico.scholz@xxxxxxxxxxxxxxxxx> --- drivers/of/fdt.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c index 01d7dc37439f..9d72fafd3669 100644 --- a/drivers/of/fdt.c +++ b/drivers/of/fdt.c @@ -302,15 +302,15 @@ static int lstrcpy(char *dest, const char *src) int len = 0; int maxlen = 1023; - while (*src) { - *dest++ = *src++; + do { + *dest++ = *src; len++; if (!maxlen) return -ENOSPC; maxlen--; - } + } while (*src++); - return len; + return len - 1; } static void *memalign_realloc(void *orig, size_t oldsize, size_t newsize) -- 2.41.0
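Review bot: in the new do/while loop of lstrcpy() the terminating '\0' now passes through the `if (!maxlen)` check as well, so the longest string the function accepts drops from 1023 to 1022 characters. With `int maxlen = 1023;` unchanged, a 1023-character source that previously returned 1023 now reaches the check with maxlen at 0 on the iteration that stores the terminator, and returns -ENOSPC. If the old limit is meant to stay, initialise maxlen to 1024 or skip the limit check on the terminator iteration. The store `*dest++ = *src;` still happens before the limit check, as it did before the change, so dest has already been written when -ENOSPC is returned. It would also help to add a short comment stating that the function now writes one byte more than the returned length (`return len - 1;`), so callers have to reserve room for the terminator. The callers are not visible in this hunk.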