disk: Fix possible out-of-bounds access in part_efi.c

Make sure to never access beyond bounds of either EFI partition name or DOS partition name. This situation is happening: part.h: disk_partition_t->name is 32-byte long part_efi.h: gpt_entry->partition_name is 36-bytes long The loop in part_efi.c copies over 36 bytes and thus accesses beyond the disk_partition_t->name . Fix this by picking the shortest of source and destination arrays and make sure the destination array is cleared so the trailing bytes are zeroed-out and don't cause issues with string manipulation. Signed-off-by: Marek Vasut <marex@denx.de> Cc: Tom Rini <trini@ti.com> Cc: Simon Glass <sjg@chromium.org>
2013-05-19 12:53:34 +00:00 · 2013-05-19 12:53:34 +00:00 · 67cd4a6348
commit 67cd4a6348
parent 301e803867
1 changed files with 8 additions and 3 deletions
--- a/disk/part_efi.c
+++ b/disk/part_efi.c
@ -372,7 +372,7 @@ int gpt_fill_pte(gpt_header *gpt_h, gpt_entry *gpt_e,
 	u32 offset = (u32)le32_to_cpu(gpt_h->first_usable_lba);
 	ulong start;
 	int i, k;
-	size_t name_len;
+	size_t efiname_len, dosname_len;
 #ifdef CONFIG_PARTITION_UUIDS
 	char *str_uuid;
 #endif
@ -420,9 +420,14 @@ int gpt_fill_pte(gpt_header *gpt_h, gpt_entry *gpt_e,
 		       sizeof(gpt_entry_attributes));

 		/* partition name */
-		name_len = sizeof(gpt_e[i].partition_name)
+		efiname_len = sizeof(gpt_e[i].partition_name)
 			/ sizeof(efi_char16_t);
-		for (k = 0; k < name_len; k++)
+		dosname_len = sizeof(partitions[i].name);
+
+		memset(gpt_e[i].partition_name, 0,
+		       sizeof(gpt_e[i].partition_name));
+
+		for (k = 0; k < min(dosname_len, efiname_len); k++)
 			gpt_e[i].partition_name[k] =
 				(efi_char16_t)(partitions[i].name[k]);