deepblue/ipmitool
1
0
Fork 0
mirror of https://github.com/ipmitool/ipmitool.git synced 2025-05-10 18:47:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fru: Fix buffer overflow in ipmi_spd_print_fru

Browse Source 
Partial fix for CVE-2020-5208, see
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp

The `ipmi_spd_print_fru` function has a similar issue as the one fixed
by the previous commit in `read_fru_area_section`. An initial request is
made to get the `fru.size`, which is used as the size for the allocation
of `spd_data`. Inside a loop, further requests are performed to get the
copy sizes which are not checked before being used as the size for a
copy into the buffer.
This commit is contained in:
Chrostoper Ertl 2019-11-28 16:44:18 +00:00 committed by Alexander Amelkin
parent e824c23316
commit 840fb1cbb4
No known key found for this signature in database
GPG Key ID: E893587B5B74178D
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
lib/dimm_spd.c
View File

@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
struct ipmi_rq req; struct ipmi_rq req;
struct fru_info fru; struct fru_info fru;
uint8_t *spd_data, msg_data[4]; uint8_t *spd_data, msg_data[4];
int len, offset; uint32_t len, offset;
msg_data[0] = id; msg_data[0] = id;
@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
} }
len = rsp->data[0]; len = rsp->data[0];
if(rsp->data_len < 1
|| len > rsp->data_len - 1
|| len > fru.size - offset)
{
printf(" Not enough buffer size");
return -1;
}
memcpy(&spd_data[offset], rsp->data + 1, len); memcpy(&spd_data[offset], rsp->data + 1, len);
offset += len; offset += len;
} while (offset < fru.size); } while (offset < fru.size);