deepblue/ipmitool
1
0
Fork 0
mirror of https://github.com/ipmitool/ipmitool.git synced 2025-05-10 10:37:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

lanplus: Fix segfault for truncated dcmi response

Browse Source 
On occasion a dcmi power reading will return error C6, and a
truncated response payload. As the decrypted payload is shorter
than the expected length, lanplus_decrypt_aes_cbc_128() adjusts
the payload_size downward by one byte. In ipmi_lan_poll_single()
the calculation to determine if the payload size has increased
erroniously sets extra_data_length to -1, with a subsequent
segv when calling a memmove to shift response data.
The fix is to check for a positive value in the extra_data_length.

Resolves ipmitool/ipmitool#72
This commit is contained in:
pjdhpe 2018-11-28 07:27:29 -06:00 committed by Alexander Amelkin
parent 64727f59c4
commit 9ec2232321
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/plugins/lanplus/lanplus.c
View File

@ -790,7 +790,7 @@ ipmi_lan_poll_single(struct ipmi_intf * intf)
* rsp->data_len becomes the length of that data * rsp->data_len becomes the length of that data
*/ */
extra_data_length = payload_size - (offset - payload_start) - 1; extra_data_length = payload_size - (offset - payload_start) - 1;
if (extra_data_length) { if (extra_data_length > 0) {
rsp->data_len = extra_data_length; rsp->data_len = extra_data_length;
memmove(rsp->data, rsp->data + offset, extra_data_length); memmove(rsp->data, rsp->data + offset, extra_data_length);
} else { } else {
@ -844,7 +844,7 @@ ipmi_lan_poll_single(struct ipmi_intf * intf)
} }
read_sol_packet(rsp, &offset); read_sol_packet(rsp, &offset);
extra_data_length = payload_size - (offset - payload_start); extra_data_length = payload_size - (offset - payload_start);
if (extra_data_length) { if (extra_data_length > 0) {
rsp->data_len = extra_data_length; rsp->data_len = extra_data_length;
memmove(rsp->data, rsp->data + offset, extra_data_length); memmove(rsp->data, rsp->data + offset, extra_data_length);
} else { } else {