From a40531fcf89a402335086436d0f8a1d613f687a6 Mon Sep 17 00:00:00 2001
From: Dmitry Marakasov
Date: Tue, 22 Sep 2015 16:59:41 +0000
Subject: [PATCH] Fix crash on parsing some inf files

ndiscvt uses 16 entry array for words into which it parses
comma-separated lists of strings, like AddReg line in
[somesection]
AddReg = foo.reg, bar.reg, baz.reg, quiz.reg
Overflows were not checked so it crashed on a line with 17 words
encountered in some Broadcom/Dell Wireless 1704 802.11b-g-n driver
So extend the array up to 32 entries and add an overflow check.
Reviewed by: bapt
Approved by: bapt
MFC after: 2 weeks
Differential Revision: D3713
---
 usr.sbin/ndiscvt/inf.c | 6 ++++++
 usr.sbin/ndiscvt/inf.h | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/usr.sbin/ndiscvt/inf.c b/usr.sbin/ndiscvt/inf.c
index fe4db6af5c7d..4b30da0a3024 100644
--- a/usr.sbin/ndiscvt/inf.c
+++ b/usr.sbin/ndiscvt/inf.c
@@ -887,6 +887,12 @@ regkey_add (const char *r)
 void
 push_word (const char *w)
 {
+
+ if (idx == W_MAX) {
+ fprintf(stderr, "too many words; try bumping W_MAX in inf.h\n");
+ exit(1);
+ }
+
 if (w && strlen(w))
 words[idx++] = w;
 else
diff --git a/usr.sbin/ndiscvt/inf.h b/usr.sbin/ndiscvt/inf.h
index 8d0b0c123de4..ba08d674eeac 100644
--- a/usr.sbin/ndiscvt/inf.h
+++ b/usr.sbin/ndiscvt/inf.h
@@ -4,7 +4,7 @@
 * $FreeBSD$
 */
-#define W_MAX 16
+#define W_MAX 32
 struct section {
 const char * name;
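Review bot: The guard added at the top of push_word tests `idx == W_MAX`, which only stops the write when idx lands exactly on the limit; `if (idx >= W_MAX) {` costs nothing and still holds if idx is ever advanced elsewhere (idx and words are declared outside this hunk, so that is an assumption to check). Since the number of words comes straight from the .inf file being converted, a short comment above the check such as `/* words[] holds W_MAX entries; the .inf file controls how many are pushed */` would record why the bound matters. The message could also state the limit, e.g. `fprintf(stderr, "too many words (max %d); try bumping W_MAX in inf.h\n", W_MAX);`. push_word's else branch continues past the end of the hunk.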
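Review bot: W_MAX is still an undocumented magic number after the bump, and the limit is now enforced by exiting in push_word, so a list with more than 32 words in a vendor .inf file makes the conversion fail rather than overflow. A comment on the define would make that contract visible, e.g. `/* Max words per comma-separated list; push_word() exits when exceeded. */`. If other arrays or loops in inf.c are sized by W_MAX (not visible here), they are worth checking for the same missing bound.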