From: Roel K. <roe...@gm...> - 2009-08-11 20:40:50
|
Prevent write to write init->argw.argv[SLIRP_MAX_ARGS] Signed-off-by: Roel Kluin <roe...@gm...> --- If i becomes SLIRP_MAX_ARGS - 1 and `*str != ','` evaluates to true, then we write init->argw.argv[SLIRP_MAX_ARGS]. Can this occur? diff --git a/arch/um/drivers/slirp_kern.c b/arch/um/drivers/slirp_kern.c index e376284..39bc9a7 100644 --- a/arch/um/drivers/slirp_kern.c +++ b/arch/um/drivers/slirp_kern.c @@ -97,6 +97,9 @@ static int slirp_setup(char *str, char **mac_out, void *data) *str++ = '\0'; } while (1); + if (i == SLIRP_MAX_ARGS) + i--; + init->argw.argv[i] = NULL; return 1; } |