From d82a29d81348a50437f765ee4ceb87a995c98967 Mon Sep 17 00:00:00 2001
From: Zdenek Styblik
Date: Wed, 22 May 2013 09:50:10 +0000
Subject: [PATCH] ID: 3528308 - 'lib/ipmi_hpmfwupg.c' - possible int *flow

Commit replaces strtol() calls with str2uchar() ones in order to mitigate possible *flow via user input. Also, limits are applied to 'Component ID' and 'Properties selector' now.
Reported-by: Dune Idaho
---
 ipmitool/lib/ipmi_hpmfwupg.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/ipmitool/lib/ipmi_hpmfwupg.c b/ipmitool/lib/ipmi_hpmfwupg.c
index fb4179d..8da7a17 100644
--- a/ipmitool/lib/ipmi_hpmfwupg.c
+++ b/ipmitool/lib/ipmi_hpmfwupg.c
@@ -3826,8 +3826,19 @@ int ipmi_hpmfwupg_main(struct ipmi_intf * intf, int argc, char ** argv)
 else if ( (argc == 3) && (strcmp(argv[0], "compprop") == 0) )
 {
 struct HpmfwupgGetComponentPropertiesCtx cmdCtx;
- cmdCtx.req.componentId = strtol(argv[1], NULL, 0);
- cmdCtx.req.selector = strtol(argv[2], NULL, 0);
+ if (str2uchar(argv[1], &(cmdCtx.req.componentId)) != 0
+ || cmdCtx.req.componentId > 7) {
+ lprintf(LOG_ERR, "Given Component ID '%s' is invalid.", argv[1]);
+ lprintf(LOG_ERR, "Valid Compoment ID is: <0..7>");
+ return (-1);
+ }
+ if (str2uchar(argv[2], &(cmdCtx.req.selector)) != 0
+ || cmdCtx.req.selector > 4) {
+ lprintf(LOG_ERR, "Given Properties selector '%s' is invalid.",
+ argv[2]);
+ lprintf(LOG_ERR, "Valid Properties selector is: <0..4>");
+ return (-1);
+ }
 verbose++;
 rc = HpmfwupgGetComponentProperties(intf, &cmdCtx);
 }
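Review bot: The error text added for the Component ID check misspells the field as `"Valid Compoment ID is: <0..7>"`, which makes the message harder to search for when a rejected argument is being traced; it should read `lprintf(LOG_ERR, "Valid Component ID is: <0..7>");`. The limits 7 and 4 are each written twice, once in the comparison and once in the message string, so one named constant per limit, with the message formatted from it via `%d`, would keep the enforced range and the printed range from drifting apart. The new validation relies on str2uchar() rejecting negative, out-of-range and trailing-garbage input; that helper is defined outside this hunk, so this is worth confirming. ipmi_hpmfwupg_main starts and ends outside the hunk, so any strtol() parsing that may remain in its other command branches is not visible here.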