From b52e8e2538b2b48ef6b63bff12b5cc9e2d52eff1 Mon Sep 17 00:00:00 2001
From: Corey Minyard <minyard@acm.org>
Date: Mon, 29 Apr 2024 12:46:23 -0500
Subject: [PATCH] lanserv: Check some bounds on incoming messages
 
Signed-off-by: Corey Minyard <minyard@acm.org>
 
Reference:https://sourceforge.net/p/openipmi/code/ci/b52e8e2538b2b48ef6b63bff12b5cc9e2d52eff1/
Conflict:NA
 
---
 lanserv/lanserv_ipmi.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lanserv/lanserv_ipmi.c b/lanserv/lanserv_ipmi.c
index ccd6001..0ee6451 100644
--- a/lanserv/lanserv_ipmi.c
+++ b/lanserv/lanserv_ipmi.c
@@ -882,6 +882,12 @@ handle_temp_session(lanserv_data_t *lan, msg_t *msg)
     }
 
     auth = msg->data[0] & 0xf;
+    if (auth >= MAX_IPMI_AUTHS) {
+       lan->sysinfo->log(lan->sysinfo, NEW_SESSION_FAILED, msg,
+                "Activate session failed: Invalid auth: 0x%x", auth);
+       return;
+    }
+
     user = &(lan->users[user_idx]);
     if (! (user->valid)) {
 	lan->sysinfo->log(lan->sysinfo, NEW_SESSION_FAILED, msg,
@@ -3034,6 +3040,11 @@ ipmi_handle_lan_msg(lanserv_data_t *lan,
     }
 
     msg.authtype = data[4];
+    if (msg.authtype >= MAX_IPMI_AUTHS) {
+       lan->sysinfo->log(lan->sysinfo, LAN_ERR, &msg,
+                "LAN msg failure: Invalid authtype");
+       return;
+    }
     msg.data = data+5;
     msg.len = len - 5;
     msg.channel = lan->channel.channel_num;
-- 
2.43.0