authorZdenek Styblik <stybla@turnovfree.net>2014-05-29 20:19:37 +0200
committerZdenek Styblik <stybla@turnovfree.net>2014-05-29 20:19:37 +0200
commitd79b0e05af2d9ae1c3d5493d0941cc00792da74b (patch)
tree8a4574bd145a2edd3ea0d3db3a818ed6a50e24f3
parent3b15a7c0e22dab95decc1abf08763491ea1eaae5 (diff)
ID: 318 - ipmi_tsol.c: fix buffer overflow
Commit fixes a buffer overflow in ipmi_tsol caused by miscalculating the buffer size, or rather by using the wrong variables altogether.
-rw-r--r--lib/ipmi_tsol.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/lib/ipmi_tsol.c b/lib/ipmi_tsol.c
index c900ffd..b4e3cc1 100644
--- a/lib/ipmi_tsol.c
+++ b/lib/ipmi_tsol.c
@@ -372,7 +372,8 @@ ipmi_tsol_main(struct ipmi_intf *intf, int argc, char **argv)
struct sockaddr_in sin, myaddr, *sa_in;
socklen_t mylen;
char *recvip = NULL;
- char out_buff[IPMI_BUF_SIZE * 8], in_buff[IPMI_BUF_SIZE];
+ char in_buff[IPMI_BUF_SIZE];
+ char out_buff[IPMI_BUF_SIZE * 8];
char buff[IPMI_BUF_SIZE + 4];
int fd_socket, result, i;
int out_buff_fill, in_buff_fill;
@@ -524,7 +525,6 @@ ipmi_tsol_main(struct ipmi_intf *intf, int argc, char **argv)
out_buff_fill = 0;
in_buff_fill = 0;
fds = fds_wait;
-
for (;;) {
result = poll(fds, 3, 15 * 1000);
if (result < 0) {
@@ -536,9 +536,15 @@ ipmi_tsol_main(struct ipmi_intf *intf, int argc, char **argv)
if ((fds[0].revents & POLLIN) && (sizeof(out_buff) > out_buff_fill)) {
socklen_t sin_len = sizeof(sin);
- /* Note - buffer over-flow here */
+ int buff_size = sizeof(buff);
+ if ((sizeof(out_buff) - out_buff_fill + 4) < buff_size) {
+ buff_size = (sizeof(out_buff) - out_buff_fill) + 4;
+ if ((buff_size - 4) <= 0) {
+ buff_size = 0;
+ }
+ }
result = recvfrom(fd_socket, buff,
- sizeof(out_buff) - out_buff_fill + 4, 0,
+ buff_size, 0,
(struct sockaddr *)&sin, &sin_len);
/* read the data from udp socket,
* skip some bytes in the head
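Review bot: The clamp added before `recvfrom()` mixes `int` and `size_t`: `sizeof(out_buff) - out_buff_fill + 4` is evaluated unsigned and `buff_size` is converted to unsigned for the `<` comparison, so the bound only holds while `out_buff_fill` stays between 0 and `sizeof(out_buff)`. Under the enclosing `sizeof(out_buff) > out_buff_fill` condition the inner `(buff_size - 4) <= 0` branch cannot be taken, and if it ever were it would hide a bad fill counter instead of reporting it. Keeping the arithmetic in one type makes the limit easier to audit: `size_t room = sizeof(out_buff) - (size_t)out_buff_fill;` followed by `size_t buff_size = (room < sizeof(buff) - 4) ? room + 4 : sizeof(buff);`. A datagram longer than `buff_size` is truncated by `recvfrom()` and the excess is discarded, so a comment should say whether that loss is acceptable here. The code that copies `buff` into `out_buff` lies outside this hunk, so the check on `result` before that copy needs to be confirmed there.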