From 5177966867dee31fa65e982190198a82143d25a5 Mon Sep 17 00:00:00 2001
From: Zdenek Styblik
Date: Fri, 16 Aug 2013 09:36:17 +0000
Subject: [PATCH] ID: 267 - Corruption in "lan alert print" output
Commit fixes corruption in 'lan alert print' output. This bug comes from two consecutive calls to get_lan_param_select() which returns pointer to struct. In the end, the second call would over-write data from the first one, as 'ptype' and 'paddr' were pointing at the same address. Thanks to Rob Swindell for logging this bug and testing the patch.
---
 ipmitool/ChangeLog | 1 +
 ipmitool/lib/ipmi_lanp.c | 50 +++++++++++++++++++++++++---------------
 2 files changed, 32 insertions(+), 19 deletions(-)
diff --git a/ipmitool/ChangeLog b/ipmitool/ChangeLog
index 9d01b95..bc4bd9d 100644
--- a/ipmitool/ChangeLog
+++ b/ipmitool/ChangeLog
@@ -118,6 +118,7 @@ version 1.8.13rc0 2013-08-09
 * ID: 212 - 'lib/ipmi_dcmi.c' - possible int *flow
 * ID: 264 - incorrect array index in get_lan_param_select()
 * ID: 269 - Fixes for configure.in for cross compilation
+ * ID: 267 - Corruption in "lan alert print" output
 version 1.8.12 released 2012-08-09
diff --git a/ipmitool/lib/ipmi_lanp.c b/ipmitool/lib/ipmi_lanp.c
index 2f8072d..060e753 100644
--- a/ipmitool/lib/ipmi_lanp.c
+++ b/ipmitool/lib/ipmi_lanp.c
@@ -1772,26 +1772,38 @@ is_alert_destination(struct ipmi_intf * intf, uint8_t channel, uint8_t alert)
 static int
 ipmi_lan_alert_print(struct ipmi_intf * intf, uint8_t channel, uint8_t alert)
 {
- struct lan_param * ptype, * paddr;
+# define PTYPE_LEN 4
+# define PADDR_LEN 13
+ struct lan_param *lp_ptr = NULL;
 int isack = 0;
+ uint8_t ptype[PTYPE_LEN];
+ uint8_t paddr[PADDR_LEN];
- ptype = get_lan_param_select(intf, channel, IPMI_LANP_DEST_TYPE, alert);
- paddr = get_lan_param_select(intf, channel, IPMI_LANP_DEST_ADDR, alert);
- if (ptype == NULL || paddr == NULL)
- return -1;
- if (ptype->data == NULL || paddr->data == NULL)
- return -1;
+ lp_ptr = get_lan_param_select(intf, channel, IPMI_LANP_DEST_TYPE, alert);
+ if (lp_ptr == NULL || lp_ptr->data == NULL
+ || lp_ptr->data_len < PTYPE_LEN) {
+ return (-1);
+ }
+ memcpy(ptype, lp_ptr->data, PTYPE_LEN);
+
+ lp_ptr = get_lan_param_select(intf, channel, IPMI_LANP_DEST_ADDR, alert);
+ if (lp_ptr == NULL || lp_ptr->data == NULL
+ || lp_ptr->data_len < PADDR_LEN) {
+ return (-1);
+ }
+ memcpy(paddr, lp_ptr->data, PADDR_LEN);
 printf("%-24s: %d\n", "Alert Destination",
- ptype->data[0]);
+ ptype[0]);
- if (ptype->data[1] & 0x80)
+ if (ptype[1] & 0x80) {
 isack = 1;
+ }
 printf("%-24s: %s\n", "Alert Acknowledge",
- isack ? "Acknowledged" : "Unacknowledged");
+ isack ? "Acknowledged" : "Unacknowledged");
 printf("%-24s: ", "Destination Type");
- switch (ptype->data[1] & 0x7) {
+ switch (ptype[1] & 0x7) {
 case 0:
 printf("PET Trap\n");
 break;
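Review bot: PTYPE_LEN and PADDR_LEN are `#define`d inside ipmi_lan_alert_print() and never `#undef`ed, so they stay visible to everything after this function in ipmi_lanp.c, and nothing ties the values 4 and 13 to the highest indices read in the second hunk (ptype[3], paddr[12]). A block-scope `enum { PTYPE_LEN = 4, PADDR_LEN = 13 };` with a one-line comment naming those indices would keep the constants local and explain them. Above the first memcpy I would add `/* get_lan_param_select() storage is reused by the next call; copy out before calling again */`, since per the commit message that reuse is the root cause and the call sites do not say so. The new data_len guards are what keep the fixed-index reads in bounds when the response is short, but they return -1 with no message visible in this hunk; a diagnostic there would help, assuming the callee does not already log one. The function body continues past the end of the hunk.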
@@ -1807,27 +1819,27 @@ ipmi_lan_alert_print(struct ipmi_intf * intf, uint8_t channel, uint8_t alert)
 }
 printf("%-24s: %d\n",
- isack ? "Acknowledge Timeout" : "Retry Interval",
- ptype->data[2]);
+ isack ? "Acknowledge Timeout" : "Retry Interval",
+ ptype[2]);
 printf("%-24s: %d\n", "Number of Retries",
- ptype->data[3] & 0x7);
+ ptype[3] & 0x7);
- if ((paddr->data[1] & 0xf0) != 0) {
+ if ((paddr[1] & 0xf0) != 0) {
 /* unknown address format */
 printf("\n");
 return 0;
 }
 printf("%-24s: %s\n", "Alert Gateway",
- (paddr->data[2] & 1) ? "Backup" : "Default");
+ (paddr[2] & 1) ? "Backup" : "Default");
 printf("%-24s: %d.%d.%d.%d\n", "Alert IP Address",
- paddr->data[3], paddr->data[4], paddr->data[5], paddr->data[6]);
+ paddr[3], paddr[4], paddr[5], paddr[6]);
 printf("%-24s: %02x:%02x:%02x:%02x:%02x:%02x\n", "Alert MAC Address",
- paddr->data[7], paddr->data[8], paddr->data[9],
- paddr->data[10], paddr->data[11], paddr->data[12]);
+ paddr[7], paddr[8], paddr[9],
+ paddr[10], paddr[11], paddr[12]);
 printf("\n");
 return 0;