
  1. From 743dd4faa302f22950e4438cf684e1e398eb47eb Mon Sep 17 00:00:00 2001
  2. From: Chrostoper Ertl <chertl@microsoft.com>
  3. Date: Thu, 28 Nov 2019 16:56:38 +0000
  4. Subject: [PATCH 09/11] channel: Fix buffer overflow
  5. MIME-Version: 1.0
  6. Content-Type: text/plain; charset=UTF-8
  7. Content-Transfer-Encoding: 8bit
  8. Partial fix for CVE-2020-5208, see
  9. https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
  10. The `ipmi_get_channel_cipher_suites` function does not properly check
  11. the final response’s `data_len`, which can lead to stack buffer overflow
  12. on the final copy.
  13. ---
  14. lib/ipmi_channel.c | 5 ++++-
  15. 1 file changed, 4 insertions(+), 1 deletion(-)
  16. --- a/lib/ipmi_channel.c
  17. +++ b/lib/ipmi_channel.c
  18. @@ -413,7 +413,10 @@ ipmi_get_channel_cipher_suites(struct ip
  19. lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
  20. return -1;
  21. }
  22. - if (rsp->ccode > 0) {
  23. + if (rsp->ccode
  24. + || rsp->data_len < 1
  25. + || rsp->data_len > sizeof(uint8_t) + 0x10)
  26. + {
  27. lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
  28. val2str(rsp->ccode, completion_code_vals));
  29. return -1;
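Review bot: When this branch is taken because of `rsp->data_len < 1` or `rsp->data_len > sizeof(uint8_t) + 0x10` while `rsp->ccode` is 0, the unchanged `lprintf` below still reports `val2str(rsp->ccode, completion_code_vals)`, so the log shows the string for a successful completion code instead of the invalid length. Consider handling the length check in its own branch that logs the offending `data_len`. The bound `sizeof(uint8_t) + 0x10` is also a magic value. A named constant, or an expression derived from the size of the destination buffer, would make it evident that the check matches the copy it protects.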