From c5324e879c8fcfb09d483f1542b69b68201a5d17 Mon Sep 17 00:00:00 2001
From: Zdenek Styblik <zdenek.styblik@gmail.com>
Date: Wed, 22 May 2013 09:45:30 +0000
Subject: [PATCH] ID: 3528371 - 'lib/ipmi_sensor.c' - possible int *flow

Commit replaces strtod() calls with str2double() ones in order to mitigate
possible *flow via user input.

Reported-by: Dune Idaho
---
 ipmitool/lib/ipmi_sensor.c | 43 +++++++++++++++++++++++++++++++-------
 1 file changed, 36 insertions(+), 7 deletions(-)

diff --git a/ipmitool/lib/ipmi_sensor.c b/ipmitool/lib/ipmi_sensor.c
index 9abac00..31adf1f 100644
--- a/ipmitool/lib/ipmi_sensor.c
+++ b/ipmitool/lib/ipmi_sensor.c
@@ -567,9 +567,21 @@ ipmi_sensor_set_threshold(struct ipmi_intf *intf, int argc, char **argv)
 			return -1;
 		}
 		allUpper = 1;
-		setting1 = (double) strtod(argv[2], NULL);
-		setting2 = (double) strtod(argv[3], NULL);
-		setting3 = (double) strtod(argv[4], NULL);
+		if (str2double(argv[2], &setting1) != 0) {
+			lprintf(LOG_ERR, "Given unc '%s' is invalid.",
+					argv[2]);
+			return (-1);
+		}
+		if (str2double(argv[3], &setting2) != 0) {
+			lprintf(LOG_ERR, "Given ucr '%s' is invalid.",
+					argv[3]);
+			return (-1);
+		}
+		if (str2double(argv[4], &setting3) != 0) {
+			lprintf(LOG_ERR, "Given unr '%s' is invalid.",
+					argv[4]);
+			return (-1);
+		}
 	} else if (strncmp(thresh, "lower", 5) == 0) {
 		if (argc < 5) {
 			lprintf(LOG_ERR,
@@ -577,11 +589,22 @@ ipmi_sensor_set_threshold(struct ipmi_intf *intf, int argc, char **argv)
 			return -1;
 		}
 		allLower = 1;
-		setting1 = (double) strtod(argv[2], NULL);
-		setting2 = (double) strtod(argv[3], NULL);
-		setting3 = (double) strtod(argv[4], NULL);
+		if (str2double(argv[2], &setting1) != 0) {
+			lprintf(LOG_ERR, "Given lnc '%s' is invalid.",
+					argv[2]);
+			return (-1);
+		}
+		if (str2double(argv[3], &setting2) != 0) {
+			lprintf(LOG_ERR, "Given lcr '%s' is invalid.",
+					argv[3]);
+			return (-1);
+		}
+		if (str2double(argv[4], &setting3) != 0) {
+			lprintf(LOG_ERR, "Given lnr '%s' is invalid.",
+					argv[4]);
+			return (-1);
+		}
 	} else {
-		setting1 = (double) atof(argv[2]);
 		if (strncmp(thresh, "unr", 3) == 0)
 			settingMask = UPPER_NON_RECOV_SPECIFIED;
 		else if (strncmp(thresh, "ucr", 3) == 0)
@@ -600,6 +623,12 @@ ipmi_sensor_set_threshold(struct ipmi_intf *intf, int argc, char **argv)
 				thresh, id);
 			return -1;
 		}
+		if (str2double(argv[2], &setting1) != 0) {
+			lprintf(LOG_ERR,
+					"Given %s threshold value '%s' is invalid.",
+					thresh, argv[2]);
+			return (-1);
+		}
 	}
 
 	printf("Locating sensor record '%s'...\n", id);