channel: Fix buffer overflow

Partial fix for CVE-2020-5208, see https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp The `ipmi_get_channel_cipher_suites` function does not properly check the final response’s `data_len`, which can lead to stack buffer overflow on the final copy.
author: Chrostoper Ertl <chertl@microsoft.com> 2019-11-28 16:56:38 +0000
committer: Alexander Amelkin <alexander@amelkin.msk.ru> 2020-02-04 14:59:52 +0300
commit: 9452be87181a6e83cfcc768b3ed8321763db50e4 (patch)
tree: cfa52a966b0559afc2af9dee07740da2cdc3edb3
parent: 41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22 (diff)
download: ipmitool-9452be87181a6e83cfcc768b3ed8321763db50e4.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c
index a6a6a42..433c4d3 100644
--- a/lib/ipmi_channel.c
+++ b/lib/ipmi_channel.c
@@ -498,7 +498,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf,
 			lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
 			return -1;
 		}
-		if (rsp->ccode || rsp->data_len < 1) {
+		if (rsp->ccode
+		    || rsp->data_len < 1
+		    || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN)
+		{
 			lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
 					val2str(rsp->ccode, completion_code_vals));
 			return -1;
author	Chrostoper Ertl <chertl@microsoft.com>	2019-11-28 16:56:38 +0000
committer	Alexander Amelkin <alexander@amelkin.msk.ru>	2020-02-04 14:59:52 +0300
commit	9452be87181a6e83cfcc768b3ed8321763db50e4 (patch)
tree	cfa52a966b0559afc2af9dee07740da2cdc3edb3
parent	41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22 (diff)
download	ipmitool-9452be87181a6e83cfcc768b3ed8321763db50e4.tar.gz