summaryrefslogtreecommitdiff
path: root/disk
diff options
context:
space:
mode:
authorMarek Vasut <marex@denx.de>2013-05-19 12:53:34 +0000
committerTom Rini <trini@ti.com>2013-06-04 16:06:32 -0400
commit67cd4a63487400317f1586b130bc2475767a5315 (patch)
tree794c9e2022186512f21f82e2ddc72c75e79e2073 /disk
parent301e8038678a70762144c0e9de3513fca3a13cb8 (diff)
downloadu-boot-67cd4a63487400317f1586b130bc2475767a5315.tar.gz
u-boot-67cd4a63487400317f1586b130bc2475767a5315.tar.bz2
u-boot-67cd4a63487400317f1586b130bc2475767a5315.zip
disk: Fix possible out-of-bounds access in part_efi.c
Make sure to never access beyond bounds of either EFI partition name or DOS partition name. This situation is happening: part.h: disk_partition_t->name is 32-byte long part_efi.h: gpt_entry->partition_name is 36-bytes long The loop in part_efi.c copies over 36 bytes and thus accesses beyond the disk_partition_t->name . Fix this by picking the shortest of source and destination arrays and make sure the destination array is cleared so the trailing bytes are zeroed-out and don't cause issues with string manipulation. Signed-off-by: Marek Vasut <marex@denx.de> Cc: Tom Rini <trini@ti.com> Cc: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'disk')
-rw-r--r--disk/part_efi.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/disk/part_efi.c b/disk/part_efi.c
index 5986589708..fb5e9f0477 100644
--- a/disk/part_efi.c
+++ b/disk/part_efi.c
@@ -372,7 +372,7 @@ int gpt_fill_pte(gpt_header *gpt_h, gpt_entry *gpt_e,
u32 offset = (u32)le32_to_cpu(gpt_h->first_usable_lba);
ulong start;
int i, k;
- size_t name_len;
+ size_t efiname_len, dosname_len;
#ifdef CONFIG_PARTITION_UUIDS
char *str_uuid;
#endif
@@ -420,9 +420,14 @@ int gpt_fill_pte(gpt_header *gpt_h, gpt_entry *gpt_e,
sizeof(gpt_entry_attributes));
/* partition name */
- name_len = sizeof(gpt_e[i].partition_name)
+ efiname_len = sizeof(gpt_e[i].partition_name)
/ sizeof(efi_char16_t);
- for (k = 0; k < name_len; k++)
+ dosname_len = sizeof(partitions[i].name);
+
+ memset(gpt_e[i].partition_name, 0,
+ sizeof(gpt_e[i].partition_name));
+
+ for (k = 0; k < min(dosname_len, efiname_len); k++)
gpt_e[i].partition_name[k] =
(efi_char16_t)(partitions[i].name[k]);