disk: Fix possible out-of-bounds access in part_efi.c

Make sure to never access beyond bounds of either EFI partition name
or DOS partition name. This situation is happening:

part.h:     disk_partition_t->name is 32-byte long
part_efi.h: gpt_entry->partition_name is 36-bytes long

The loop in part_efi.c copies over 36 bytes and thus accesses beyond
the disk_partition_t->name .

Fix this by picking the shortest of source and destination arrays and
make sure the destination array is cleared so the trailing bytes are
zeroed-out and don't cause issues with string manipulation.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Tom Rini <trini@ti.com>
Cc: Simon Glass <sjg@chromium.org>

diff --git a/disk/part_efi.c b/disk/part_efi.c
index 59865897085c1750067a3c8f2712006cbe6c5abe..fb5e9f0477a59d8bf6cc4a17c7db94d9e17363f2 100644 (file)
--- a/disk/part_efi.c
+++ b/disk/part_efi.c
@@ -372,7 +372,7 @@ int gpt_fill_pte(gpt_header *gpt_h, gpt_entry *gpt_e,
        u32 offset = (u32)le32_to_cpu(gpt_h->first_usable_lba);
        ulong start;
        int i, k;
-       size_t name_len;
+       size_t efiname_len, dosname_len;
 #ifdef CONFIG_PARTITION_UUIDS
        char *str_uuid;
 #endif
@@ -420,9 +420,14 @@ int gpt_fill_pte(gpt_header *gpt_h, gpt_entry *gpt_e,
                       sizeof(gpt_entry_attributes));
 
                /* partition name */
-               name_len = sizeof(gpt_e[i].partition_name)
+               efiname_len = sizeof(gpt_e[i].partition_name)
                        / sizeof(efi_char16_t);
-               for (k = 0; k < name_len; k++)
+               dosname_len = sizeof(partitions[i].name);
+
+               memset(gpt_e[i].partition_name, 0,
+                      sizeof(gpt_e[i].partition_name));
+
+               for (k = 0; k < min(dosname_len, efiname_len); k++)
                        gpt_e[i].partition_name[k] =
                                (efi_char16_t)(partitions[i].name[k]);