elilo/elilo-strncpy-overflow-fix.diff

From: Jarrod Johnson <jbjohnso@us.ibm.com>

Fix StrnCpy bug that would overflow dst buffer if length of src met or exceeded passed size value.
diff -urN elilo/strops.c elilo-strncpy-overflow-fix/strops.c
--- elilo/strops.c	2003-08-19 12:47:41.000000000 -0400
+++ elilo-strncpy-overflow-fix/strops.c	2009-02-07 11:17:10.000000000 -0500
@@ -41,11 +41,11 @@
 {
 	CHAR16 *res = dst;
 
-	while (size-- && (*dst++ = *src++) != CHAR_NULL);
+	while (size && size-- && (*dst++ = *src++) != CHAR_NULL);
 	/*
 	 * does the null padding
 	 */
-	while (size-- > 0) *dst++ = CHAR_NULL;
+	while (size && size-- > 0) *dst++ = CHAR_NULL;
 
 	return res;
 }
@@ -55,11 +55,11 @@
 {
 	CHAR8 *res = dst;
 
-	while (size-- && (*dst++ = (CHAR8)*src++) != '\0');
+	while (size && size-- && (*dst++ = (CHAR8)*src++) != '\0');
 	/*
 	 * does the null padding
 	 */
-	while (size-- > 0) *dst++ = '\0';
+	while (size && size-- > 0) *dst++ = '\0';
 
 	return res;
 }
@@ -76,11 +76,11 @@
 {
 	CHAR8 *res = dst;
 
-	while (size-- && (*dst++ = *src++) != '\0');
+	while (size && size-- && (*dst++ = *src++) != '\0');
 	/*
 	 * does the null padding
 	 */
-	while (size-- > 0) *dst++ = '\0';
+	while (size && size-- > 0) *dst++ = '\0';
 
 	return res;
 }