From: Marek Vasut Date: Sun, 19 May 2013 12:53:34 +0000 (+0000) Subject: disk: Fix possible out-of-bounds access in part_efi.c X-Git-Url: http://git.dujemihanovic.xyz/?a=commitdiff_plain;h=67cd4a63487400317f1586b130bc2475767a5315;p=u-boot.git disk: Fix possible out-of-bounds access in part_efi.c Make sure to never access beyond bounds of either EFI partition name or DOS partition name. This situation is happening: part.h: disk_partition_t->name is 32-byte long part_efi.h: gpt_entry->partition_name is 36-bytes long The loop in part_efi.c copies over 36 bytes and thus accesses beyond the disk_partition_t->name . Fix this by picking the shortest of source and destination arrays and make sure the destination array is cleared so the trailing bytes are zeroed-out and don't cause issues with string manipulation. Signed-off-by: Marek Vasut Cc: Tom Rini Cc: Simon Glass --- diff --git a/disk/part_efi.c b/disk/part_efi.c index 5986589708..fb5e9f0477 100644 --- a/disk/part_efi.c +++ b/disk/part_efi.c @@ -372,7 +372,7 @@ int gpt_fill_pte(gpt_header *gpt_h, gpt_entry *gpt_e, u32 offset = (u32)le32_to_cpu(gpt_h->first_usable_lba); ulong start; int i, k; - size_t name_len; + size_t efiname_len, dosname_len; #ifdef CONFIG_PARTITION_UUIDS char *str_uuid; #endif @@ -420,9 +420,14 @@ int gpt_fill_pte(gpt_header *gpt_h, gpt_entry *gpt_e, sizeof(gpt_entry_attributes)); /* partition name */ - name_len = sizeof(gpt_e[i].partition_name) + efiname_len = sizeof(gpt_e[i].partition_name) / sizeof(efi_char16_t); - for (k = 0; k < name_len; k++) + dosname_len = sizeof(partitions[i].name); + + memset(gpt_e[i].partition_name, 0, + sizeof(gpt_e[i].partition_name)); + + for (k = 0; k < min(dosname_len, efiname_len); k++) gpt_e[i].partition_name[k] = (efi_char16_t)(partitions[i].name[k]);