disk: efi: buffer overflow in part_get_info_efi()

In part_get_info_efi() we use the output of print_efiname() to set
info->name[]. The size of info->name is PART_NAME_LEN = 32 but
print_efiname() returns a string with a maximum length of
PARTNAME_SZ + 1 = 37.

Use snprintf() instead of sprintf() to avoid buffer overflow.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>

diff --git a/disk/part_efi.c b/disk/part_efi.c
index c0fa753339c80216e45fd8f9d3e33093db0cb19c..3e026697dbe9911002db37635fa610dc75338ba5 100644 (file)
--- a/disk/part_efi.c
+++ b/disk/part_efi.c
@@ -313,8 +313,8 @@ int part_get_info_efi(struct blk_desc *dev_desc, int part,
                     - info->start;
        info->blksz = dev_desc->blksz;
 
-       sprintf((char *)info->name, "%s",
-                       print_efiname(&gpt_pte[part - 1]));
+       snprintf((char *)info->name, sizeof(info->name), "%s",
+                print_efiname(&gpt_pte[part - 1]));
        strcpy((char *)info->type, "U-Boot");
        info->bootable = is_bootable(&gpt_pte[part - 1]);
 #if CONFIG_IS_ENABLED(PARTITION_UUIDS)