authorTom Tung <shes050117@gmail.com>2022-08-12 16:47:27 +0800
committerAlexander Amelkin <mocbuhtig@amelkin.msk.ru>2023-01-05 17:51:26 +0300
commit8f0946a81eb22c14823d726afc486139bb2094ca (patch)
tree3e0ad246a403ac7eb82f08f01426326b319b4563
parent63d59a50a6809e415cd7d8915533f236f28865f3 (diff)
downloadipmitool-8f0946a81eb22c14823d726afc486139bb2094ca.tar.gz
lanplus: Realloc the msg if the payload_length gets updated
lanplus_encrypt_payload may change payload_length. When it does, the msg buffer must be resized to match the new length. Tested: running ipmitool over lanplus with similar steps to reproduce (STR) shows no memory stomping. Resolved: ipmitool/ipmitool#351 Signed-off-by: Tom Tung <shes050117@gmail.com>
-rw-r--r--src/plugins/lanplus/lanplus.c19
-rw-r--r--src/plugins/lanplus/lanplus.h2
2 files changed, 21 insertions, 0 deletions
diff --git a/src/plugins/lanplus/lanplus.c b/src/plugins/lanplus/lanplus.c
index ed41380..7a9162c 100644
--- a/src/plugins/lanplus/lanplus.c
+++ b/src/plugins/lanplus/lanplus.c
@@ -1727,6 +1727,7 @@ ipmi_lanplus_build_v2x_msg(
*/
if (session->v2_data.session_state == LANPLUS_STATE_ACTIVE)
{
+ uint16_t old_payload_length = payload->payload_length;
/* Payload len is adjusted as necessary by lanplus_encrypt_payload */
lanplus_encrypt_payload(session->v2_data.crypt_alg, /* input */
session->v2_data.k2, /* input */
@@ -1735,6 +1736,24 @@ ipmi_lanplus_build_v2x_msg(
msg + IPMI_LANPLUS_OFFSET_PAYLOAD, /* output */
&(payload->payload_length)); /* output */
+ if (old_payload_length != payload->payload_length)
+ {
+ len =
+ IPMI_LANPLUS_OFFSET_PAYLOAD +
+ payload->payload_length +
+ IPMI_MAX_INTEGRITY_PAD_SIZE +
+ IPMI_LANPLUS_PAD_LENGTH_SIZE +
+ IPMI_LANPLUS_NEXT_HEADER_SIZE +
+ IPMI_MAX_AUTH_CODE_SIZE;
+
+ uint8_t * new_msg = realloc(msg, len);
+ if (!new_msg) {
+ free(msg);
+ lprintf(LOG_ERR, "ipmitool: realloc failure");
+ return;
+ }
+ msg = new_msg;
+ }
}
/* Now we know the payload length */
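Review bot: The realloc grows `msg` only after `lanplus_encrypt_payload` has already written the enlarged ciphertext in place at `msg + IPMI_LANPLUS_OFFSET_PAYLOAD` (the input and output arguments are the same buffer), so it cannot prevent an overflow in that first write; it only makes room for the integrity pad, pad-length byte, next-header byte and auth code appended afterwards. That is safe only if the original allocation, which is outside this hunk, already leaves enough slack after the plaintext for the confidentiality header and block padding (for AES-CBC-128, a 16-byte IV plus up to 16 bytes of padding), an invariant the new code relies on silently. I would either size the buffer for the worst-case encrypted payload up front, which removes the need for the realloc altogether, or at minimum document it above the encrypt call: `/* Encrypts in place: the initial allocation's integrity-pad/auth-code slack must absorb the IV and cipher padding added here; the realloc below only covers the trailer. */`. The length formula in the new branch also duplicates the one used for the initial allocation, so a single `static` helper that computes the buffer size from a payload length would keep the two from drifting. ipmi_lanplus_build_v2x_msg starts before this hunk and continues past it.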
diff --git a/src/plugins/lanplus/lanplus.h b/src/plugins/lanplus/lanplus.h
index 3e287ae..94bd56a 100644
--- a/src/plugins/lanplus/lanplus.h
+++ b/src/plugins/lanplus/lanplus.h
@@ -86,6 +86,8 @@
#define IPMI_LANPLUS_OFFSET_PAYLOAD_SIZE 0x0E
#define IPMI_LANPLUS_OFFSET_PAYLOAD 0x10
+#define IPMI_LANPLUS_PAD_LENGTH_SIZE 1
+#define IPMI_LANPLUS_NEXT_HEADER_SIZE 1
#define IPMI_GET_CHANNEL_AUTH_CAP 0x38