From afd015709bae58a63cc6ba8ba5e9a5c4ff3b2bf3 Mon Sep 17 00:00:00 2001 From: Zdenek Styblik Date: Mon, 12 Aug 2013 18:03:10 +0000 Subject: [PATCH] ID: 212 - 'lib/ipmi_dcmi.c' - possible int *flow Commit replaces strtol() calls with appropriate str2*() ones in order to prevent possible integer *flow via user input. --- ipmitool/lib/ipmi_dcmi.c | 99 ++++++++++++++++++++++++++++++++++------ 1 file changed, 84 insertions(+), 15 deletions(-) diff --git a/ipmitool/lib/ipmi_dcmi.c b/ipmitool/lib/ipmi_dcmi.c index a770995..be55856 100755 --- a/ipmitool/lib/ipmi_dcmi.c +++ b/ipmitool/lib/ipmi_dcmi.c @@ -1477,9 +1477,15 @@ ipmi_dcmi_pwr_slimit(struct ipmi_intf * intf, const char * option, struct ipmi_rq req; /* ipmi request (to send) */ struct power_limit val; uint8_t msg_data[15]; /* number of request data bytes */ - uint32_t lvalue = strtol(value, NULL, 10); + uint32_t lvalue = 0; int i; + if (str2uint(value, &lvalue) != 0) { + lprintf(LOG_ERR, "Given %s '%s' is invalid.", + option, value); + return (-1); + } + rsp = ipmi_dcmi_pwr_glimit(intf); /* get the power limit settings */ # if 0 { @@ -1694,6 +1700,9 @@ ipmi_dcmi_main(struct ipmi_intf * intf, int argc, char **argv) /* Let`s initialize dcmi power parameters */ struct ipmi_rq req; uint8_t data[256]; + uint16_t sample = 0; + uint16_t limit = 0; + uint32_t correction = 0; memset(data, 0, sizeof(data)); memset(&req, 0, sizeof(req)); @@ -1724,13 +1733,36 @@ ipmi_dcmi_main(struct ipmi_intf * intf, int argc, char **argv) return -1; } /* limit */ - *(uint16_t*)(&data[5]) = strtol(argv[4], NULL, 10); + if (str2ushort(argv[4], &limit) != 0) { + lprintf(LOG_ERR, + "Given Limit '%s' is invalid.", + argv[4]); + return (-1); + } + data[5] = limit >> 0; + data[6] = limit >> 8; /* correction */ - *(uint32_t*)(&data[7]) = strtol(argv[6], NULL, 10); + if (str2uint(argv[6], &correction) != 0) { + lprintf(LOG_ERR, + "Given Correction '%s' is invalid.", + argv[6]); + return (-1); + } + data[7] = correction >> 0; + data[8] = correction >> 8; + data[9] = correction >> 16; + data[10] = correction >> 24; data[11] = 0x00; /* reserved */ data[12] = 0x00; /* reserved */ /* sample */ - *(uint16_t*)(&data[13]) = strtol(argv[8], NULL, 10); + if (str2ushort(argv[8], &sample) != 0) { + lprintf(LOG_ERR, + "Given Sample '%s' is invalid.", + argv[8]); + return (-1); + } + data[13] = sample >> 0; + data[14] = sample >> 8; rsp = intf->sendrecv(intf, &req); if (chk_rsp(rsp)) { @@ -1836,14 +1868,15 @@ ipmi_dcmi_main(struct ipmi_intf * intf, int argc, char **argv) /* end set management controller identifier string */ case 0x07: { - uint8_t entityID, entityInst; + uint8_t entityID = 0; + uint8_t entityInst = 0; uint8_t persistanceFlag; uint8_t actionHardPowerOff; uint8_t actionLogToSEL; - uint8_t tempLimit; - uint16_t samplingTime; + uint8_t tempLimit = 0; uint8_t samplingTimeLSB; uint8_t samplingTimeMSB; + uint16_t samplingTime = 0; /* Thermal policy get/set */ /* dcmitool dcmi thermalpolicy get */ switch (str2val2(argv[1], dcmi_thermalpolicy_vals)) { @@ -1852,8 +1885,18 @@ ipmi_dcmi_main(struct ipmi_intf * intf, int argc, char **argv) lprintf(LOG_NOTICE, "Get "); return -1; } - entityID = (uint8_t)strtol(argv[2], NULL,0); - entityInst = (uint8_t)strtol(argv[3], NULL, 0); + if (str2uchar(argv[2], &entityID) != 0) { + lprintf(LOG_ERR, + "Given Entity ID '%s' is invalid.", + argv[2]); + return (-1); + } + if (str2uchar(argv[3], &entityInst) != 0) { + lprintf(LOG_ERR, + "Given Instance ID '%s' is invalid.", + argv[3]); + return (-1); + } rc = ipmi_dcmi_getthermalpolicy(intf, entityID, entityInst); break; case 0x01: @@ -1869,14 +1912,33 @@ ipmi_dcmi_main(struct ipmi_intf * intf, int argc, char **argv) -1, 0); return -1; } - entityID = (uint8_t)strtol(argv[2],NULL, 0); - entityInst = (uint8_t)strtol(argv[3], NULL, 0); - + if (str2uchar(argv[2], &entityID) != 0) { + lprintf(LOG_ERR, + "Given Entity ID '%s' is invalid.", + argv[2]); + return (-1); + } + if (str2uchar(argv[3], &entityInst) != 0) { + lprintf(LOG_ERR, + "Given Instance ID '%s' is invalid.", + argv[3]); + return (-1); + } persistanceFlag = (uint8_t) str2val2(argv[4], dcmi_thermalpolicy_set_parameters_vals); actionHardPowerOff = (uint8_t) str2val2(argv[5], dcmi_thermalpolicy_set_parameters_vals); actionLogToSEL = (uint8_t) str2val2(argv[6], dcmi_thermalpolicy_set_parameters_vals); - tempLimit = (uint8_t) strtol(argv[7], NULL, 0); - samplingTime = (uint16_t) strtol(argv[8], NULL, 0); + if (str2uchar(argv[7], &tempLimit) != 0) { + lprintf(LOG_ERR, + "Given Temp Limit '%s' is invalid.", + argv[7]); + return (-1); + } + if (str2ushort(argv[8], &samplingTime) != 0) { + lprintf(LOG_ERR, + "Given Sampling Time '%s' is invalid.", + argv[8]); + return (-1); + } samplingTimeLSB = (samplingTime & 0xFF); samplingTimeMSB = ((samplingTime & 0xFF00) >> 8); @@ -1933,9 +1995,16 @@ ipmi_dcmi_main(struct ipmi_intf * intf, int argc, char **argv) if (strncmp(argv[1], "activate_dhcp", 13) == 0) { rsp = ipmi_dcmi_setconfparam(intf, 1, 1); } else { + uint16_t tmp_val = 0; + if (str2ushort(argv[2], &tmp_val) != 0) { + lprintf(LOG_ERR, + "Given %s '%s' is invalid.", + argv[1], argv[2]); + return (-1); + } rsp = ipmi_dcmi_setconfparam(intf, str2val2(argv[1], dcmi_conf_param_vals), - (uint16_t)strtol(argv[2], NULL, 0)); + tmp_val); } if (chk_rsp(rsp)) { lprintf(LOG_ERR,