commit 381e50d930be0ea4343a20a0c62b8171468629a1 Author: Hannes Reinecke Date: Tue Feb 10 10:52:23 2009 +0100 Overflow in search_ibft() search_ibft() checks for the search boundaries, but fails to accomodate for the length of the search string. References: 471475 Signed-off-by: Hannes Reinecke
diff --git a/utils/fwparam_ibft/fwparam_ibft.c b/utils/fwparam_ibft/fwparam_ibft.c
index 02f8ac8..e0ed4a1 100644
--- a/utils/fwparam_ibft/fwparam_ibft.c
+++ b/utils/fwparam_ibft/fwparam_ibft.c
@@ -415,7 +415,7 @@ char *search_ibft(unsigned char *start, int length)
 cur_ptr = (unsigned char *)start;
 for (cur_ptr = (unsigned char *)start;
- cur_ptr < (start + length);
+ cur_ptr < (start + length - strlen(iBFTSTR));
 cur_ptr++) {
 if (memcmp(cur_ptr, iBFTSTR,strlen(iBFTSTR)))
 continue;
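Review bot: The new loop bound `start + length - strlen(iBFTSTR)` is evaluated as pointer arithmetic, so when `length` is smaller than the signature length (or negative, since it is an `int`) the limit points before `start`. That is undefined behaviour rather than a clean empty search. A guard ahead of the loop, such as `if (length < 0 || (size_t)length < strlen(iBFTSTR))` followed by the function's not-found return, would make that case explicit. The `<` comparison also skips a signature that ends exactly at the end of the buffer; `<=` would still keep the `memcmp` in bounds. The body of search_ibft() continues outside the hunk, so whether the table fields read after a match are also checked against `length` cannot be confirmed from here.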