mtd: Make sure the name passed in mtdparts fits in mtd_name[]

The local mtd_name[] variable is limited in size. Return an error if
the name passed in mtdparts does not fit in this local var.

Fixes: 5db66b3aee6f ("cmd: mtd: add 'mtd' command")
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Tested-by: Heiko Schocher <hs@denx.de>

diff --git a/drivers/mtd/mtd_uboot.c b/drivers/mtd/mtd_uboot.c
index d551aee20203828889a74833e22e3de80af20d9c..0eda36278309da616c167955015f71105875abc0 100644 (file)
--- a/drivers/mtd/mtd_uboot.c
+++ b/drivers/mtd/mtd_uboot.c
@@ -222,8 +222,8 @@ int mtd_probe_devices(void)
        while (mtdparts[0] != '\0') {
                char mtd_name[MTD_NAME_MAX_LEN], *colon;
                struct mtd_partition *parts;
-               int mtd_name_len, nparts;
-               int ret;
+               unsigned int mtd_name_len;
+               int nparts, ret;
 
                colon = strchr(mtdparts, ':');
                if (!colon) {
@@ -231,7 +231,12 @@ int mtd_probe_devices(void)
                        return -EINVAL;
                }
 
-               mtd_name_len = colon - mtdparts;
+               mtd_name_len = (unsigned int)(colon - mtdparts);
+               if (mtd_name_len + 1 > sizeof(mtd_name)) {
+                       printf("MTD name too long: %s\n", mtdparts);
+                       return -EINVAL;
+               }
+
                strncpy(mtd_name, mtdparts, mtd_name_len);
                mtd_name[mtd_name_len] = '\0';
                /* Move the pointer forward (including the ':') */