If the vendor name (from c16) can be longer than 100 bytes (or missing a terminating null), then the null is writen past the end of vendor[]. Reproducible: Always
Created attachment 199465 [details] patch to fix bugs
http://xorl.wordpress.com/2009/07/29/linux-kernel-extensible-firmware-interface-off-by-one-overwrite/