OpenIPMI/backport-0002-CVE-2024-42934.patch
2024-10-11 12:08:08 +00:00


From 663e3cd3b6d1d9fc82267c7d7474320cb67e03a4 Mon Sep 17 00:00:00 2001
From: Corey Minyard <minyard@acm.org>
Date: Sun, 2 Jun 2024 14:11:16 -0500
Subject: [PATCH] lanserv: Fix an issue logging an error on a message
A message structure was passed to the log, but it was not sufficiently
initialized and the logging program crashed. Rework the initialization
to make the message data ready and legal for the logging calls.
Found-by: Fabio Massimo Di Nitto
Signed-off-by: Corey Minyard <minyard@acm.org>
Reference:https://sourceforge.net/p/openipmi/code/ci/663e3cd3b6d1d9fc82267c7d7474320cb67e03a4/
Conflict:NA
---
lanserv/lanserv_ipmi.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/lanserv/lanserv_ipmi.c b/lanserv/lanserv_ipmi.c
index 0ee6451..1ef5710 100644
--- a/lanserv/lanserv_ipmi.c
+++ b/lanserv/lanserv_ipmi.c
@@ -3022,17 +3022,33 @@ ipmi_handle_lan_msg(lanserv_data_t *lan,
{
msg_t msg;
+ memset(&msg, 0, sizeof(msg));
+
msg.src_addr = from_addr;
msg.src_len = from_len;
msg.oem_data = 0;
+ msg.channel = lan->channel.channel_num;
+ msg.orig_channel = &lan->channel;
+
+ /*
+ * Initialize the data so the log won't crash if it gets called, and
+ * so the log might have useful info.
+ */
+ msg.data = data;
+ msg.len = len;
+
if (len < 5) {
lan->sysinfo->log(lan->sysinfo, LAN_ERR, &msg,
"LAN msg failure: message too short");
return;
}
+ /* Length is at least marginally correct, skip the first part now. */
+ msg.data = data + 5;
+ msg.len = len - 5;
+
if (data[2] != 0xff) {
lan->sysinfo->log(lan->sysinfo, LAN_ERR, &msg,
"LAN msg failure: seq not ff");
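Review bot: From `msg.data = data + 5; msg.len = len - 5;` onward, the `seq not ff` log (and, going by the second hunk's context, the `Invalid authtype` log) hands the handler only the bytes after the 5-byte header, so the header fields that failed validation are no longer reachable through `msg`; with `len == 5` the handler gets `msg.len == 0` and `msg.data` pointing one past the end of the buffer. Both views are presumably raw bytes from the received packet, so the new comment should also state the contract the log callback has to honour, for example `/* msg.data/msg.len describe untrusted packet bytes; a log handler must bound every read by msg.len, which may be 0. */`. If nothing between the two hunks needs the stripped view, keeping the full packet in `msg` until the header checks have passed would make these error logs more useful. `msg.oem_data = 0;` is now redundant after the `memset`. The body of ipmi_handle_lan_msg starts before this hunk and continues past it.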
@@ -3045,10 +3061,6 @@ ipmi_handle_lan_msg(lanserv_data_t *lan,
"LAN msg failure: Invalid authtype");
return;
}
- msg.data = data+5;
- msg.len = len - 5;
- msg.channel = lan->channel.channel_num;
- msg.orig_channel = &lan->channel;
if (msg.authtype == IPMI_AUTHTYPE_RMCP_PLUS) {
ipmi_handle_rmcpp_msg(lan, &msg);
--
2.43.0