kbootd: fix overflow when reading gpt header

When we read GPT header on LBA 1 we must use data allocated with a size of LBA_SIZE. Otherwise we may have an overflow. Signed-off-by: Julien Masson <jmasson@baylibre.com>
BayLibre · Oct 5, 2023 · b97b348 · b97b348
1 parent c0db7d1
commit b97b348
Showing 1 changed file with 8 additions and 6 deletions.
diff --git a/kbootd/src/part.c b/kbootd/src/part.c
@@ -327,9 +327,10 @@ static void gpt_convert_efi_name_to_char(char *s, void *es, int n)
 static int find_gpt_entry(int fd, const char *name, struct gpt_entry *gpt_e,
                           off_t *offset)
 {
-        struct gpt_header gpt_hdr;
+        struct gpt_header *gpt_hdr;
         char part[PARTNAME_SZ];
-        char data[LBA_SIZE];
+	char data_hdr[LBA_SIZE];
+        char data_part[LBA_SIZE];
         int ret;
 
         /* GPT header on LBA 1 */
@@ -339,19 +340,20 @@ static int find_gpt_entry(int fd, const char *name, struct gpt_entry *gpt_e,
                 return ret;
         }
 
-        ret = kread(fd, (char *)&gpt_hdr, LBA_SIZE);
+        ret = kread(fd, data_hdr, LBA_SIZE);
         if (ret == -1) {
                 log("read GPT header failed\n");
                 return -1;
         }
+	gpt_hdr = (struct gpt_header *)data_hdr;
 
-        for (int i = 0; i < gpt_hdr.n_parts; i++) {
-                ret = kread(fd, data, LBA_SIZE);
+        for (int i = 0; i < gpt_hdr->n_parts; i++) {
+                ret = kread(fd, data_part, LBA_SIZE);
                 if (ret == -1) {
                         log("read GPT entry failed\n");
                         return -1;
                 }
-                memcpy(gpt_e, data, sizeof(struct gpt_entry));
+                memcpy(gpt_e, data_part, sizeof(struct gpt_entry));
 
                 gpt_convert_efi_name_to_char(part, gpt_e->partition_name, PARTNAME_SZ);
                 if (!strcmp(part, name)) {