From d57bf326686311a8d564f3949f6ce3d34f647b91 Mon Sep 17 00:00:00 2001
From: Zdenek Styblik
Date: Tue, 12 Apr 2016 21:09:52 +0200
Subject: [PATCH] Check rsp->data_len in ipmi_sel_get_info()

Commit adds check of response's data_len in ipmi_sel_get_info() as returned data length is unconditional. If incorrect, resp. short, data_len is returned, we might end up reading memory at places we're not supposed to.
---
 lib/ipmi_sel.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/ipmi_sel.c b/lib/ipmi_sel.c
index 1127929..b6629a2 100644
--- a/lib/ipmi_sel.c
+++ b/lib/ipmi_sel.c
@@ -1469,11 +1469,14 @@ ipmi_sel_get_info(struct ipmi_intf * intf)
 if (rsp == NULL) {
 lprintf(LOG_ERR, "Get SEL Info command failed");
 return -1;
- }
- if (rsp->ccode > 0) {
+ } else if (rsp->ccode > 0) {
 lprintf(LOG_ERR, "Get SEL Info command failed: %s",
 val2str(rsp->ccode, completion_code_vals));
 return -1;
+ } else if (rsp->data_len != 14) {
+ lprintf(LOG_ERR, "Get SEL Info command failed: "
+ "Invalid data length %d", rsp->data_len);
+ return (-1);
 }
 if (verbose > 2)
 printbuf(rsp->data, rsp->data_len, "sel_info");
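Review bot: The literal `14` in the new `else if (rsp->data_len != 14)` branch is undocumented, so a reader cannot check it against the `rsp->data[...]` offsets it is meant to protect; those reads are further down in ipmi_sel_get_info(), outside this hunk. A comment such as `/* Get SEL Info response carries 14 data bytes; fields below index rsp->data[0..13] */` or a named constant would tie the bound to the parsing code (the byte count should be confirmed against the IPMI response layout and the highest offset actually read). The strict `!=` also rejects a response that is longer than expected; if the goal is only to prevent the over-read described in the commit message, `rsp->data_len < 14` is sufficient, and whichever policy is intended is worth stating in that comment. As a style point, `return (-1);` differs from the `return -1;` used in the two branches directly above it.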