From 9ed4a9582ff61225d46241a1c99795549722503c Mon Sep 17 00:00:00 2001
From: Wolfgang Denk <wd@denx.de>
Date: Sat, 24 Jul 2010 22:16:20 +0200
Subject: [PATCH] getenv_f(): fix handling of too short buffers

Fix error handling in getenv_f() when the user provided buffer is too
short to hold the variable name; make sure to truncate and
NUL-terminate without overwriting the buffer limits.

Signed-off-by: Wolfgang Denk <wd@denx.de>
---
 common/cmd_nvedit.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/common/cmd_nvedit.c b/common/cmd_nvedit.c
index 16d5ff74d9..fd5320d170 100644
--- a/common/cmd_nvedit.c
+++ b/common/cmd_nvedit.c
@@ -557,13 +557,19 @@ int getenv_f(char *name, char *buf, unsigned len)
 		}
 		if ((val=envmatch((uchar *)name, i)) < 0)
 			continue;
+
 		/* found; copy out */
-		n = 0;
-		while ((len > n++) && (*buf++ = env_get_char(val++)) != '\0')
-			;
-		if (len == n)
-			*buf = '\0';
-		return (n);
+		for (n=0; n<len; ++n, ++buf) {
+			if ((*buf = env_get_char(val++)) == '\0')
+				return n;
+		}
+
+		if (n)
+			*--buf = '\0';
+
+		printf("env_buf too small [%d]\n", len);
+
+		return n;
 	}
 	return (-1);
 }
-- 
2.39.5