From 8f0946a81eb22c14823d726afc486139bb2094ca Mon Sep 17 00:00:00 2001
From: Tom Tung
Date: Fri, 12 Aug 2022 16:47:27 +0800
Subject: [PATCH] lanplus: Realloc the msg if the payload_length gets updated

It's possible the payload_length gets updated in lanplus_encrypt_payload. If it's updated, the memory of msg should be updated. Tested: use ipmitool with lanplus with similar STR and there is no memory stomping issue. Resolved: ipmitool/ipmitool#351
Signed-off-by: Tom Tung
---
 src/plugins/lanplus/lanplus.c | 19 +++++++++++++++++++
 src/plugins/lanplus/lanplus.h | 2 ++
 2 files changed, 21 insertions(+)

diff --git a/src/plugins/lanplus/lanplus.c b/src/plugins/lanplus/lanplus.c
index ed41380..7a9162c 100644
--- a/src/plugins/lanplus/lanplus.c
+++ b/src/plugins/lanplus/lanplus.c
@@ -1727,6 +1727,7 @@ ipmi_lanplus_build_v2x_msg(
 	 */
 	if (session->v2_data.session_state == LANPLUS_STATE_ACTIVE)
 	{
+		uint16_t old_payload_length = payload->payload_length;
 		/* Payload len is adjusted as necessary by lanplus_encrypt_payload */
 		lanplus_encrypt_payload(session->v2_data.crypt_alg,	/* input */
 								session->v2_data.k2,		/* input */
@@ -1735,6 +1736,24 @@ ipmi_lanplus_build_v2x_msg(
 								msg + IPMI_LANPLUS_OFFSET_PAYLOAD,	/* output */
 								&(payload->payload_length)); /* output */
 
+		if (old_payload_length != payload->payload_length)
+		{
+			len =
+				IPMI_LANPLUS_OFFSET_PAYLOAD +
+				payload->payload_length +
+				IPMI_MAX_INTEGRITY_PAD_SIZE +
+				IPMI_LANPLUS_PAD_LENGTH_SIZE +
+				IPMI_LANPLUS_NEXT_HEADER_SIZE +
+				IPMI_MAX_AUTH_CODE_SIZE;
+
+			uint8_t * new_msg = realloc(msg, len);
+			if (!new_msg) {
+				free(msg);
+				lprintf(LOG_ERR, "ipmitool: realloc failure");
+				return;
+			}
+			msg = new_msg;
+		}
 	}
 
 	/* Now we know the payload length */
diff --git a/src/plugins/lanplus/lanplus.h b/src/plugins/lanplus/lanplus.h
index 3e287ae..94bd56a 100644
--- a/src/plugins/lanplus/lanplus.h
+++ b/src/plugins/lanplus/lanplus.h
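Review bot: In the second lanplus.c hunk the realloc runs only after lanplus_encrypt_payload has already written its output into `msg + IPMI_LANPLUS_OFFSET_PAYLOAD`, so if the grown payload_length means the ciphertext plus cipher padding no longer fit in msg as originally allocated, the out-of-bounds write has already happened by the time old_payload_length is compared, and realloc then merely preserves a heap that may already be corrupted. Whether the original allocation (outside the hunk) carries enough slack for that growth cannot be seen here and needs checking; the robust fix is to size msg up front for the worst-case ciphertext expansion (block padding plus the pad-length byte) or to have the encryption write into a separately sized buffer, which would make the realloc unnecessary. On the failure path, `free(msg); return;` leaves the function's result undefined if it reports the buffer through output parameters, so those should be set to NULL/0 before returning to keep the caller from using a dangling pointer or stale length; the function's signature and its return handling start and end outside the hunk. A comment above the realloc such as `/* Encryption may have padded the payload; grow msg so the trailing pad, next-header and auth-code fields written below still fit. */` would make the intent clear.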
@@ -86,6 +86,8 @@
 #define IPMI_LANPLUS_OFFSET_PAYLOAD_SIZE 0x0E
 #define IPMI_LANPLUS_OFFSET_PAYLOAD 0x10
+#define IPMI_LANPLUS_PAD_LENGTH_SIZE 1
+#define IPMI_LANPLUS_NEXT_HEADER_SIZE 1
 #define IPMI_GET_CHANNEL_AUTH_CAP 0x38