From ff80a188f3dc1eef105b2915361b1fce30ee4e4c Mon Sep 17 00:00:00 2001 From: Zdenek Styblik Date: Mon, 27 Jul 2015 06:37:37 +0200 Subject: [PATCH] ID:382 - Fix memcpy() params in HpmFwupgActionUploadFirmware() The 'bufLength' variable holds a constant chunk size. If the actual data length is less than the 'bufLength', then it crashes IPMITool. The code was already there to calculate the remaining data length, but was not used in memcpy(). We changed it to use the 'count' variable which holds the proper available data length. Commit for: Viswanathan Swaminathan --- lib/ipmi_hpmfwupg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ipmi_hpmfwupg.c b/lib/ipmi_hpmfwupg.c index 2a4925c..8ada69b 100644 --- a/lib/ipmi_hpmfwupg.c +++ b/lib/ipmi_hpmfwupg.c @@ -1199,7 +1199,7 @@ HpmFwupgActionUploadFirmware(struct HpmfwupgComponentBitMask components, } else { count = (unsigned short)((pDataTemp+lengthOfBlock) - pData); } - memcpy(&uploadCmd.req->data, pData, bufLength); + memcpy(&uploadCmd.req->data, pData, count); imageOffset = 0x00; blockLength = 0x00; numTxPkts++;