Fix crash on parsing some inf files

ndiscvt uses 16 entry array for words into which it parses
comma-separated lists of strings, like AddReg line in

    [somesection]
        AddReg = foo.reg, bar.reg, baz.reg, quiz.reg

Overflows were not checked so it crashed on a line with 17 words
encountered in some Broadcom/Dell Wireless 1704 802.11b-g-n driver

So extend the array up to 32 entries and add an overflow check.

Reviewed by:	bapt
Approved by:	bapt
MFC after:	2 weeks
Differential Revision:	D3713

2 files changed, 7 insertions, 1 deletions

diff --git a/usr.sbin/ndiscvt/inf.c b/usr.sbin/ndiscvt/inf.c
index fe4db6a..4b30da0 100644
--- a/usr.sbin/ndiscvt/inf.c
+++ b/usr.sbin/ndiscvt/inf.c
@@ -887,6 +887,12 @@ regkey_add (const char *r)
 void
 push_word (const char *w)
 {
+
+	if (idx == W_MAX) {
+		fprintf(stderr, "too many words; try bumping W_MAX in inf.h\n");
+		exit(1);
+	}
+
 	if (w && strlen(w))
 		words[idx++] = w;
 	else
diff --git a/usr.sbin/ndiscvt/inf.h b/usr.sbin/ndiscvt/inf.h
index 8d0b0c1..ba08d67 100644
--- a/usr.sbin/ndiscvt/inf.h
+++ b/usr.sbin/ndiscvt/inf.h
@@ -4,7 +4,7 @@
  * $FreeBSD$
  */
 
-#define W_MAX	16
+#define W_MAX	32
 
 struct section {
 	const char *	name;