tcpci/usb_pd_fuzz: Avoid using uninitialized data in payload

Found with MSAN fuzzer: usb_pd_protocol.c may use payload data
that is not initialized.

Fix the test by copying over the whole payload, which is what
tcpci.c's version does.

Also, in tcpci.c, clear cached_messages head before using
get_message_raw to fill it up, to make sure that we do not
accidentally use older data in the queue.

BRANCH=none
BUG=chromium:963076
TEST=make TEST_MSAN=y host-usb_pd_fuzz -j
     MSAN_OPTIONS=log_path=stderr:exitcode=0 \
        build/host/usb_pd_fuzz/usb_pd_fuzz.exe \
        clusterfuzz-testcase-minimized-ec_usb_pd_fuzzer-5716775969357824

Change-Id: I74c38538440cb5a01d1714657b9e2d63e5b80cea
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1610163
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Nicolas Boichat 2019-05-15 13:07:35 +08:00 committed by chrome-bot
parent 2c321f4ab8
commit f88989e751
2 changed files with 7 additions and 1 deletions


@ -451,6 +451,8 @@ int tcpm_enqueue_message(const int port)
return EC_ERROR_OVERFLOW;
}
/* Blank any old message, just in case. */
memset(head, 0, sizeof(*head));
/* Call the raw driver without caching */
rv = tcpc_config[port].drv->get_message_raw(port, head->payload,
&head->header);
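Review bot: the memset at the top of this hunk zeroes the entire cached entry (header and payload) before get_message_raw fills it, so a driver that writes fewer payload bytes than the previous message occupied no longer leaves stale data in the queue; since that contract is not stated here, consider documenting above the call that get_message_raw is not expected to zero or fully overwrite head->payload, so a later cleanup does not drop the memset as redundant.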


@ -88,7 +88,11 @@ int tcpm_dequeue_message(const int port, uint32_t *const payload,
*header = m->header;
memcpy(payload, m->payload, m->cnt - 3);
/*
* This mirrors what tcpci.c:tcpm_dequeue_message does: always copy the
* whole payload to destination.
*/
memcpy(payload, m->payload, sizeof(m->payload));
pending--;
return EC_SUCCESS;
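Review bot: the new memcpy copies sizeof(m->payload) bytes into payload, but the destination is only declared as `uint32_t *const payload` in the signature, so confirm every caller passes a buffer of at least that size (the old `m->cnt - 3` copy could be shorter than the destination, the new one may be longer). Dropping the length-based copy also removes the case where m->cnt < 3 would wrap the size argument, which is worth recording in the commit message.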