diff options
author | Chrostoper Ertl <chertl@microsoft.com> | 2019-11-28 17:06:39 +0000 |
---|---|---|
committer | Alexander Amelkin <alexander@amelkin.msk.ru> | 2020-02-04 14:59:55 +0300 |
commit | d45572d71e70840e0d4c50bf48218492b79c1a10 (patch) | |
tree | 8b1a20cdda81d36ccd59782040416b7a19513f98 | |
parent | 9452be87181a6e83cfcc768b3ed8321763db50e4 (diff) | |
download | ipmitool-d45572d71e70840e0d4c50bf48218492b79c1a10.tar.gz |
lanp: Fix buffer overflows in get_lan_param_select
Partial fix for CVE-2020-5208, see
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
The `get_lan_param_select` function is missing a validation check on the
response’s `data_len`, which it then returns to caller functions, where
stack buffer overflow can occur.
-rw-r--r-- | lib/ipmi_lanp.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/lib/ipmi_lanp.c b/lib/ipmi_lanp.c index 1be0e9a..9101ebd 100644 --- a/lib/ipmi_lanp.c +++ b/lib/ipmi_lanp.c @@ -1865,7 +1865,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, if (!p) { return (-1); } - memcpy(data, p->data, p->data_len); + memcpy(data, p->data, __min(p->data_len, sizeof(data))); /* set new ipaddr */ memcpy(data+3, temp, 4); printf("Setting LAN Alert %d IP Address to %d.%d.%d.%d\n", alert, @@ -1880,7 +1880,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, if (!p) { return (-1); } - memcpy(data, p->data, p->data_len); + memcpy(data, p->data, __min(p->data_len, sizeof(data))); /* set new macaddr */ memcpy(data+7, temp, 6); printf("Setting LAN Alert %d MAC Address to " @@ -1894,7 +1894,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, if (!p) { return (-1); } - memcpy(data, p->data, p->data_len); + memcpy(data, p->data, __min(p->data_len, sizeof(data))); if (strncasecmp(argv[1], "def", 3) == 0 || strncasecmp(argv[1], "default", 7) == 0) { @@ -1920,7 +1920,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, if (!p) { return (-1); } - memcpy(data, p->data, p->data_len); + memcpy(data, p->data, __min(p->data_len, sizeof(data))); if (strncasecmp(argv[1], "on", 2) == 0 || strncasecmp(argv[1], "yes", 3) == 0) { @@ -1945,7 +1945,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, if (!p) { return (-1); } - memcpy(data, p->data, p->data_len); + memcpy(data, p->data, __min(p->data_len, sizeof(data))); if (strncasecmp(argv[1], "pet", 3) == 0) { printf("Setting LAN Alert %d destination to PET Trap\n", alert); @@ -1973,7 +1973,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, if (!p) { return (-1); } - memcpy(data, p->data, p->data_len); + memcpy(data, p->data, __min(p->data_len, sizeof(data))); if (str2uchar(argv[1], &data[2]) != 0) { lprintf(LOG_ERR, "Invalid time: %s", argv[1]); @@ -1989,7 +1989,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, if (!p) { return (-1); } - memcpy(data, p->data, p->data_len); + memcpy(data, p->data, __min(p->data_len, sizeof(data))); if (str2uchar(argv[1], &data[3]) != 0) { lprintf(LOG_ERR, "Invalid retry: %s", argv[1]); |