diff options
author | Marek Vasut <marex@denx.de> | 2013-05-19 12:53:34 +0000 |
---|---|---|
committer | Tom Rini <trini@ti.com> | 2013-06-04 16:06:32 -0400 |
commit | 67cd4a63487400317f1586b130bc2475767a5315 (patch) | |
tree | 794c9e2022186512f21f82e2ddc72c75e79e2073 /disk | |
parent | 301e8038678a70762144c0e9de3513fca3a13cb8 (diff) | |
download | u-boot-67cd4a63487400317f1586b130bc2475767a5315.tar.gz u-boot-67cd4a63487400317f1586b130bc2475767a5315.tar.bz2 u-boot-67cd4a63487400317f1586b130bc2475767a5315.zip |
disk: Fix possible out-of-bounds access in part_efi.c
Make sure to never access beyond bounds of either EFI partition name
or DOS partition name. This situation is happening:
part.h: disk_partition_t->name is 32-byte long
part_efi.h: gpt_entry->partition_name is 36-bytes long
The loop in part_efi.c copies over 36 bytes and thus accesses beyond
the disk_partition_t->name .
Fix this by picking the shortest of source and destination arrays and
make sure the destination array is cleared so the trailing bytes are
zeroed-out and don't cause issues with string manipulation.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Tom Rini <trini@ti.com>
Cc: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'disk')
-rw-r--r-- | disk/part_efi.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/disk/part_efi.c b/disk/part_efi.c index 5986589708..fb5e9f0477 100644 --- a/disk/part_efi.c +++ b/disk/part_efi.c @@ -372,7 +372,7 @@ int gpt_fill_pte(gpt_header *gpt_h, gpt_entry *gpt_e, u32 offset = (u32)le32_to_cpu(gpt_h->first_usable_lba); ulong start; int i, k; - size_t name_len; + size_t efiname_len, dosname_len; #ifdef CONFIG_PARTITION_UUIDS char *str_uuid; #endif @@ -420,9 +420,14 @@ int gpt_fill_pte(gpt_header *gpt_h, gpt_entry *gpt_e, sizeof(gpt_entry_attributes)); /* partition name */ - name_len = sizeof(gpt_e[i].partition_name) + efiname_len = sizeof(gpt_e[i].partition_name) / sizeof(efi_char16_t); - for (k = 0; k < name_len; k++) + dosname_len = sizeof(partitions[i].name); + + memset(gpt_e[i].partition_name, 0, + sizeof(gpt_e[i].partition_name)); + + for (k = 0; k < min(dosname_len, efiname_len); k++) gpt_e[i].partition_name[k] = (efi_char16_t)(partitions[i].name[k]); |