author | pjdhpe <44778156+pjdhpe@users.noreply.github.com> | 2018-11-28 07:27:29 -0600 |
---|---|---|
committer | Alexander Amelkin <mocbuhtig@amelkin.msk.ru> | 2018-12-06 12:41:22 +0300 |
commit | 9ec2232321a7bca7e1fb8f939d071f12c8dfa7fd (patch) | |
tree | fd5be9d462e617b072367f49ca6e1608b590e4fb | |
parent | 64727f59c4a1412fdb73e092fb838ae66e2aad1a (diff) | |
download | ipmitool-9ec2232321a7bca7e1fb8f939d071f12c8dfa7fd.tar.gz |
lanplus: Fix segfault for truncated dcmi response
On occasion a dcmi power reading will return error C6, and a
truncated response payload. As the decrypted payload is shorter
than the expected length, lanplus_decrypt_aes_cbc_128() adjusts
the payload_size downward by one byte. In ipmi_lan_poll_single()
the calculation to determine if the payload size has increased
erroneously sets extra_data_length to -1, with a subsequent
segv when calling a memmove to shift response data.
The fix is to check for a positive value in the extra_data_length.
Resolves ipmitool/ipmitool#72
-rw-r--r-- | src/plugins/lanplus/lanplus.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/plugins/lanplus/lanplus.c b/src/plugins/lanplus/lanplus.c index aabcf94..28cb31c 100644 --- a/src/plugins/lanplus/lanplus.c +++ b/src/plugins/lanplus/lanplus.c @@ -790,7 +790,7 @@ ipmi_lan_poll_single(struct ipmi_intf * intf) * rsp->data_len becomes the length of that data */ extra_data_length = payload_size - (offset - payload_start) - 1; - if (extra_data_length) { + if (extra_data_length > 0) { rsp->data_len = extra_data_length; memmove(rsp->data, rsp->data + offset, extra_data_length); } else { @@ -844,7 +844,7 @@ ipmi_lan_poll_single(struct ipmi_intf * intf) } read_sol_packet(rsp, &offset); extra_data_length = payload_size - (offset - payload_start); - if (extra_data_length) { + if (extra_data_length > 0) { rsp->data_len = extra_data_length; memmove(rsp->data, rsp->data + offset, extra_data_length); } else { |
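Review bot: in the first hunk (around line 790 of ipmi_lan_poll_single()), `if (extra_data_length > 0)` sends a negative length down the same else branch as a genuinely empty payload, so a truncated response becomes indistinguishable from one that simply carries no data. Consider handling `extra_data_length < 0` as its own case with a log message or an error return. The guard also only works if extra_data_length is a signed type, which these lines do not show, so it is worth confirming the declaration. No upper bound against the size of rsp->data is visible before the memmove either; if none exists earlier in the function, this is the place to add it.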
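Review bot: the second hunk (around line 844) applies the same `> 0` guard after read_sol_packet(), but the commit message only describes the dcmi power reading path. Please state in the message whether the SOL path was also seen to go negative or is being hardened defensively. After this change the two blocks differ only by the `- 1` in the length computation, so a small helper that takes the computed length and does the check plus memmove would keep the next fix from having to be applied in two places.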