From 2d516d6f1193a55c89a95b59b7d58fec6210e996 Mon Sep 17 00:00:00 2001 From: fengtao40 Date: Tue, 11 Feb 2020 21:02:08 -0500 Subject: [PATCH] Fix buffer overflow vulnerabilities --- lib/ipmi_fru.c | 35 ++++++++++++++++++++++++++++++++--- 1 file changed, 32 insertions(+), 3 deletions(-) diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c index ad99ebe..7911bae 100644 --- a/lib/ipmi_fru.c +++ b/lib/ipmi_fru.c @@ -614,7 +614,10 @@ int read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, uint32_t offset, uint32_t length, uint8_t *frubuf) { - uint32_t off = offset, tmp, finish; + uint32_t off = offset; + uint32_t tmp; + uint32_t finish; + uint32_t size_left_in_buffer; struct ipmi_rs * rsp; struct ipmi_rq req; uint8_t msg_data[4]; @@ -627,10 +630,12 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, finish = offset + length; if (finish > fru->size) { + memset(frubuf + fru->size, 0, length - fru->size); finish = fru->size; lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " "Adjusting to %d", offset + length, finish - offset); + length = finish - offset; } memset(&req, 0, sizeof(req)); @@ -666,6 +671,7 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, } } + size_left_in_buffer = length; do { tmp = fru->access ? off >> 1 : off; msg_data[0] = id; @@ -706,9 +712,18 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, } tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; + if(rsp->data_len < 1 + || tmp > rsp->data_len - 1 + || tmp > size_left_in_buffer) + { + printf(" Not enough buffer size"); + return -1; + } + memcpy(frubuf, rsp->data + 1, tmp); off += tmp; frubuf += tmp; + size_left_in_buffer -= tmp; /* sometimes the size returned in the Info command * is too large. return 0 so higher level function * still attempts to parse what was returned */ @@ -741,7 +756,9 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, uint32_t offset, uint32_t length, uint8_t *frubuf) { static uint32_t fru_data_rqst_size = 20; - uint32_t off = offset, tmp, finish; + uint32_t off = offset; + uint32_t tmp, finish; + uint32_t size_left_in_buffer; struct ipmi_rs * rsp; struct ipmi_rq req; uint8_t msg_data[4]; @@ -753,11 +770,13 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, } finish = offset + length; - if (finish > fru->size) { + if (finish > fru->size) { + memset(frubuf + fru->size, 0, length - fru->size); finish = fru->size; lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " "Adjusting to %d", offset + length, finish - offset); + length = finish - offset; } memset(&req, 0, sizeof(req)); @@ -772,6 +791,8 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, if (fru->access && fru_data_rqst_size > 16) #endif fru_data_rqst_size = 16; + + size_left_in_buffer = length; do { tmp = fru->access ? off >> 1 : off; msg_data[0] = id; @@ -803,8 +824,16 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, } tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; + if(rsp->data_len < 1 + || tmp > rsp->data_len - 1 + || tmp > size_left_in_buffer) + { + printf(" Not enough buffer size"); + return -1; + } memcpy((frubuf + off)-offset, rsp->data + 1, tmp); off += tmp; + size_left_in_buffer -= tmp; /* sometimes the size returned in the Info command * is too large. return 0 so higher level function -- 2.19.1