121 lines
3.6 KiB
Diff
121 lines
3.6 KiB
Diff
From 2d516d6f1193a55c89a95b59b7d58fec6210e996 Mon Sep 17 00:00:00 2001
|
|
From: fengtao40 <fengtao40@huawei.com>
|
|
Date: Tue, 11 Feb 2020 21:02:08 -0500
|
|
Subject: [PATCH] Fix buffer overflow vulnerabilities
|
|
|
|
---
|
|
lib/ipmi_fru.c | 35 ++++++++++++++++++++++++++++++++---
|
|
1 file changed, 32 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c
|
|
index ad99ebe..7911bae 100644
|
|
--- a/lib/ipmi_fru.c
|
|
+++ b/lib/ipmi_fru.c
|
|
@@ -614,7 +614,10 @@ int
|
|
read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
|
|
uint32_t offset, uint32_t length, uint8_t *frubuf)
|
|
{
|
|
- uint32_t off = offset, tmp, finish;
|
|
+ uint32_t off = offset;
|
|
+ uint32_t tmp;
|
|
+ uint32_t finish;
|
|
+ uint32_t size_left_in_buffer;
|
|
struct ipmi_rs * rsp;
|
|
struct ipmi_rq req;
|
|
uint8_t msg_data[4];
|
|
@@ -627,10 +630,12 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
|
|
|
|
finish = offset + length;
|
|
if (finish > fru->size) {
|
|
+ memset(frubuf + fru->size, 0, length - fru->size);
|
|
finish = fru->size;
|
|
lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
|
|
"Adjusting to %d",
|
|
offset + length, finish - offset);
|
|
+ length = finish - offset;
|
|
}
|
|
|
|
memset(&req, 0, sizeof(req));
|
|
@@ -666,6 +671,7 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
|
|
}
|
|
}
|
|
|
|
+ size_left_in_buffer = length;
|
|
do {
|
|
tmp = fru->access ? off >> 1 : off;
|
|
msg_data[0] = id;
|
|
@@ -706,9 +712,18 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
|
|
}
|
|
|
|
tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
|
|
+ if(rsp->data_len < 1
|
|
+ || tmp > rsp->data_len - 1
|
|
+ || tmp > size_left_in_buffer)
|
|
+ {
|
|
+ printf(" Not enough buffer size");
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
memcpy(frubuf, rsp->data + 1, tmp);
|
|
off += tmp;
|
|
frubuf += tmp;
|
|
+ size_left_in_buffer -= tmp;
|
|
/* sometimes the size returned in the Info command
|
|
* is too large. return 0 so higher level function
|
|
* still attempts to parse what was returned */
|
|
@@ -741,7 +756,9 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
|
|
uint32_t offset, uint32_t length, uint8_t *frubuf)
|
|
{
|
|
static uint32_t fru_data_rqst_size = 20;
|
|
- uint32_t off = offset, tmp, finish;
|
|
+ uint32_t off = offset;
|
|
+ uint32_t tmp, finish;
|
|
+ uint32_t size_left_in_buffer;
|
|
struct ipmi_rs * rsp;
|
|
struct ipmi_rq req;
|
|
uint8_t msg_data[4];
|
|
@@ -753,11 +770,13 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
|
|
}
|
|
|
|
finish = offset + length;
|
|
- if (finish > fru->size) {
|
|
+ if (finish > fru->size) {
|
|
+ memset(frubuf + fru->size, 0, length - fru->size);
|
|
finish = fru->size;
|
|
lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
|
|
"Adjusting to %d",
|
|
offset + length, finish - offset);
|
|
+ length = finish - offset;
|
|
}
|
|
|
|
memset(&req, 0, sizeof(req));
|
|
@@ -772,6 +791,8 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
|
|
if (fru->access && fru_data_rqst_size > 16)
|
|
#endif
|
|
fru_data_rqst_size = 16;
|
|
+
|
|
+ size_left_in_buffer = length;
|
|
do {
|
|
tmp = fru->access ? off >> 1 : off;
|
|
msg_data[0] = id;
|
|
@@ -803,8 +824,16 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
|
|
}
|
|
|
|
tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
|
|
+ if(rsp->data_len < 1
|
|
+ || tmp > rsp->data_len - 1
|
|
+ || tmp > size_left_in_buffer)
|
|
+ {
|
|
+ printf(" Not enough buffer size");
|
|
+ return -1;
|
|
+ }
|
|
memcpy((frubuf + off)-offset, rsp->data + 1, tmp);
|
|
off += tmp;
|
|
+ size_left_in_buffer -= tmp;
|
|
|
|
/* sometimes the size returned in the Info command
|
|
* is too large. return 0 so higher level function
|
|
--
|
|
2.19.1
|
|
|