diff options
author | Chrostoper Ertl <chertl@microsoft.com> | 2019-11-28 16:56:38 +0000 |
---|---|---|
committer | Alexander Amelkin <alexander@amelkin.msk.ru> | 2020-02-04 14:59:52 +0300 |
commit | 9452be87181a6e83cfcc768b3ed8321763db50e4 (patch) | |
tree | cfa52a966b0559afc2af9dee07740da2cdc3edb3 | |
parent | 41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22 (diff) | |
download | ipmitool-9452be87181a6e83cfcc768b3ed8321763db50e4.tar.gz |
channel: Fix buffer overflow
Partial fix for CVE-2020-5208, see
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
The `ipmi_get_channel_cipher_suites` function does not properly check
the final response’s `data_len`, which can lead to stack buffer overflow
on the final copy.
-rw-r--r-- | lib/ipmi_channel.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c index a6a6a42..433c4d3 100644 --- a/lib/ipmi_channel.c +++ b/lib/ipmi_channel.c @@ -498,7 +498,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); return -1; } - if (rsp->ccode || rsp->data_len < 1) { + if (rsp->ccode + || rsp->data_len < 1 + || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN) + { lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", val2str(rsp->ccode, completion_code_vals)); return -1; |