From f907245d39374a94c87226fb10b0ad185a44e868 Mon Sep 17 00:00:00 2001
From: Jim Mankovich
Date: Mon, 30 Apr 2012 12:43:17 +0000
Subject: [PATCH] Constrain setting of the username to no greater than 16 characters per the IPMI specification. ID 3001519
---
 ipmitool/lib/ipmi_user.c | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/ipmitool/lib/ipmi_user.c b/ipmitool/lib/ipmi_user.c
index 0475dd5..c163746 100644
--- a/ipmitool/lib/ipmi_user.c
+++ b/ipmitool/lib/ipmi_user.c
@@ -334,17 +334,23 @@ ipmi_user_set_username(
 struct ipmi_rq req;
 uint8_t msg_data[17];
+ /*
+ * Ensure there is space for the name in the request message buffer
+ */
+ if (strlen(name) >= sizeof(msg_data)) {
+ return -1;
+ }
+
 memset(&req, 0, sizeof(req));
 req.msg.netfn = IPMI_NETFN_APP; /* 0x06 */
 req.msg.cmd = IPMI_SET_USER_NAME; /* 0x45 */
 req.msg.data = msg_data;
- req.msg.data_len = 17;
-
+ req.msg.data_len = sizeof(msg_data);
+ memset(msg_data, 0, sizeof(msg_data));
 /* The channel number will remain constant throughout this function */
 msg_data[0] = user_id;
- memset(msg_data + 1, 0, 16);
- strcpy((char *)(msg_data + 1), name);
+ strncpy((char *)(msg_data + 1), name, strlen(name));
 rsp = intf->sendrecv(intf, &req);
@@ -421,13 +427,10 @@ ipmi_user_set_password(
 {
 struct ipmi_rs * rsp;
 struct ipmi_rq req;
- uint8_t * msg_data;
+ uint8_t msg_data[22];
 int password_length = (is_twenty_byte_password? 20 : 16);
- msg_data = (uint8_t*)malloc(password_length + 2);
-
-
 memset(&req, 0, sizeof(req));
 req.msg.netfn = IPMI_NETFN_APP; /* 0x06 */
 req.msg.cmd = IPMI_SET_USER_PASSWORD; /* 0x47 */
@@ -746,6 +749,12 @@ ipmi_user_main(struct ipmi_intf * intf, int argc, char ** argv)
 if (get_ipmi_user_id(argv[2], &user_id)) return (-1);
+ if (strlen(argv[3]) > 16)
+ {
+ lprintf(LOG_ERR, "Username is too long (> 16 bytes)");
+ return -1;
+ }
+
 retval = ipmi_user_set_username(intf, user_id, argv[3]);
 } else
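Review bot: In ipmi_user_set_username the new `strncpy((char *)(msg_data + 1), name, strlen(name));` takes its bound from the source string rather than the destination, so the copy stays in bounds only because of the `strlen(name) >= sizeof(msg_data)` check added at the top of the function. Bounding by the destination keeps the write inside the name field even if that check is later moved or relaxed: `strncpy((char *)(msg_data + 1), name, sizeof(msg_data) - 1);`. No terminator is needed for this to be safe, since the whole buffer is zeroed just before and the request length is fixed at `sizeof(msg_data)`. The early `return -1` also logs nothing, so any caller other than ipmi_user_main fails without a reason; an `lprintf(LOG_ERR, ...)` there would match the message added in ipmi_user_main. The function's signature and tail are outside the hunk.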
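Review bot: The literal in `uint8_t msg_data[22];` in ipmi_user_set_password is no longer tied to `password_length + 2` the way the removed allocation was, so the declaration does not say why 22 is sufficient. A comment such as `/* 2 leading bytes + up to 20 password bytes */` (layout presumed from the removed `password_length + 2`) would document it. The lines that fill and send the buffer are outside the hunk, so confirm that the request length still follows `password_length` and that no `free(msg_data)` remains further down. The diffstat's 8 deletions are all accounted for in the visible hunks, so this patch removes none. Because the array now holds the password on the stack, clearing it before the function returns is worth considering.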
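Review bot: The bound in `if (strlen(argv[3]) > 16)` in ipmi_user_main is a second, independent spelling of the limit that ipmi_user_set_username derives from `sizeof(msg_data)`, so the two checks can drift apart if either is edited. A single named constant used for both the array size and this comparison would keep them in step; no such constant is visible on this page, so the name is the maintainers' choice. The hunk also reads `argv[3]` without a visible `argc` check; that test is presumably above the hunk and should be confirmed. The enclosing branch begins and ends outside the hunk.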