From 3967f81b561cb989ee957aa7e3996e543e20d524 Mon Sep 17 00:00:00 2001
From: nks <nks@sixserv.org>
Date: Sat, 12 Apr 2014 18:52:27 +0200
Subject: [PATCH] Fix buffer overflow in syren utility

Patch for https://code.google.com/p/android/issues/detail?id=68268

A length check for the argv[2] was added in order to prevent buffer
overflow.  Also replace strcpy with strlcpy.

Signed-off-by: nks <nks@sixserv.org>
Change-Id: If65b83e9b658315c672e684f64e3ae00e69fac31
---
 toolbox/syren.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/toolbox/syren.c b/toolbox/syren.c
index 06e329e99..47c2460ec 100644
--- a/toolbox/syren.c
+++ b/toolbox/syren.c
@@ -123,7 +123,11 @@ syren_main(int argc, char **argv)
 
 	r = find_reg(argv[2]);
 	if (r == NULL) {
-		strcpy(name, argv[2]);
+		if(strlen(argv[2]) >= sizeof(name)){
+			fprintf(stderr, "REGNAME too long\n");
+			return 0;
+		}
+		strlcpy(name, argv[2], sizeof(name));
 		char *addr_str = strchr(argv[2], ':');
 		if (addr_str == NULL)
 			return usage();
@@ -131,7 +135,7 @@ syren_main(int argc, char **argv)
 		sio.page = strtoul(argv[2], 0, 0);
 		sio.addr = strtoul(addr_str, 0, 0);
 	} else {
-		strcpy(name, r->name);
+		strlcpy(name, r->name, sizeof(name));
 		sio.page = r->page;
 		sio.addr = r->addr;
 	}