From fa993fa14de4d7031b89f703b612017b0db9f190 Mon Sep 17 00:00:00 2001 From: t_feng Date: Fri, 13 Mar 2020 22:06:06 +0800 Subject: [PATCH] update --- ...uffer-overflow-in-ipmi_spd_print_fru.patch | 67 +++++++++---------- 1 file changed, 31 insertions(+), 36 deletions(-) diff --git a/ipmitool-CVE-2020-5208-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch b/ipmitool-CVE-2020-5208-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch index aa19f8f..444c3d4 100644 --- a/ipmitool-CVE-2020-5208-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch +++ b/ipmitool-CVE-2020-5208-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch @@ -1,44 +1,39 @@ -From 5ab6d04b43ebdce0b7de62cae051cd554e9a52a1 Mon Sep 17 00:00:00 2001 +From 6989c8413f80429b6c82d1fef4c8d0a79daf6d7b Mon Sep 17 00:00:00 2001 
From: fengtao40 -Date: Tue, 11 Feb 2020 21:08:07 -0500 -Subject: [PATCH] Fix buffer overflow in ipmi_get_session_info +Date: Tue, 11 Feb 2020 21:05:31 -0500 +Subject: [PATCH] Fix buffer overflow in ipmi_spd_print_fru --- - lib/ipmi_session.c | 14 +++++++++----- - 1 file changed, 9 insertions(+), 5 deletions(-) + lib/dimm_spd.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) -diff --git a/lib/ipmi_session.c b/lib/ipmi_session.c -index 141f0f4..01d3c24 100644 ---- a/lib/ipmi_session.c -+++ b/lib/ipmi_session.c -@@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf * intf, - } - else - { -- memcpy(&session_info, rsp->data, rsp->data_len); -- print_session_info(&session_info, rsp->data_len); -+ memcpy(&session_info, rsp->data, -+ __min(rsp->data_len, sizeof(session_info))); -+ print_session_info(&session_info, -+ __min(rsp->data_len, sizeof(session_info))); - } - break; - -@@ -341,9 +343,11 @@ ipmi_get_session_info(struct ipmi_intf * intf, - break; - } +diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c +index 41e30db..68f3b4f 100644 +--- a/lib/dimm_spd.c ++++ b/lib/dimm_spd.c +@@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id) + struct ipmi_rq req; + struct fru_info fru; + uint8_t *spd_data, msg_data[4]; +- int len, offset; ++ uint32_t len, offset; -- memcpy(&session_info, rsp->data, rsp->data_len); -- print_session_info(&session_info, rsp->data_len); -- -+ memcpy(&session_info, rsp->data, -+ __min(rsp->data_len, sizeof(session_info))); -+ print_session_info(&session_info, -+ __min(rsp->data_len, sizeof(session_info))); -+ - } while (i <= session_info.session_slot_count); - break; - } + msg_data[0] = id; + +@@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id) + } + + len = rsp->data[0]; ++ if(rsp->data_len < 1 ++ || len > rsp->data_len - 1 ++ || len > fru.size - offset) ++ { ++ printf(" Not enough buffer size"); ++ return -1; ++ } + memcpy(&spd_data[offset], rsp->data + 1, len); + offset += len; + } 
while (offset < fru.size); -- 2.19.1
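Review bot: The early exit added in the second lib/dimm_spd.c hunk, `return -1;` after the `Not enough buffer size` message, leaves the function without releasing `spd_data`; the allocation is not visible in this hunk, so confirm it, and if the buffer is heap-allocated add `free(spd_data);` before the return. In the same hunk `len = rsp->data[0];` is read before `rsp->data_len < 1` is tested, so moving the length test ahead of the read keeps the check from depending on a byte the response did not supply. This revision also removes the `ipmi_get_session_info` `memcpy` bounds from this file, so check that the lib/ipmi_session.c fix is still carried by another patch in the package. ipmi_spd_print_fru begins and ends outside the embedded hunks.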