projects / feed / packages.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge pull request #11353 from kvuorine/fwknop-fixes
[feed/packages.git] / admin / ipmitool / patches / 0010-CVE-2020-5208-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
1 From e048e9c65a52f0879d482531e70735c1d314d43a Mon Sep 17 00:00:00 2001
2 From: Chrostoper Ertl <chertl@microsoft.com>
3 Date: Thu, 28 Nov 2019 17:06:39 +0000
4 Subject: [PATCH 10/11] lanp: Fix buffer overflows in get_lan_param_select
5 MIME-Version: 1.0
6 Content-Type: text/plain; charset=UTF-8
7 Content-Transfer-Encoding: 8bit
8
9 Partial fix for CVE-2020-5208, see
10 https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
11
12 The `get_lan_param_select` function is missing a validation check on the
13 response’s `data_len`, which it then returns to caller functions, where
14 stack buffer overflow can occur.
15 ---
16 lib/ipmi_lanp.c | 14 +++++++-------
17 1 file changed, 7 insertions(+), 7 deletions(-)
18
19 diff --git a/lib/ipmi_lanp.c b/lib/ipmi_lanp.c
20 index 65d881bc5890..022c7f1605ed 100644
21 --- a/lib/ipmi_lanp.c
22 +++ b/lib/ipmi_lanp.c
23 @@ -1809,7 +1809,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
24 if (p == NULL) {
25 return (-1);
26 }
27 - memcpy(data, p->data, p->data_len);
28 + memcpy(data, p->data, __min(p->data_len, sizeof(data)));
29 /* set new ipaddr */
30 memcpy(data+3, temp, 4);
31 printf("Setting LAN Alert %d IP Address to %d.%d.%d.%d\n", alert,
32 @@ -1824,7 +1824,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
33 if (p == NULL) {
34 return (-1);
35 }
36 - memcpy(data, p->data, p->data_len);
37 + memcpy(data, p->data, __min(p->data_len, sizeof(data)));
38 /* set new macaddr */
39 memcpy(data+7, temp, 6);
40 printf("Setting LAN Alert %d MAC Address to "
41 @@ -1838,7 +1838,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
42 if (p == NULL) {
43 return (-1);
44 }
45 - memcpy(data, p->data, p->data_len);
46 + memcpy(data, p->data, __min(p->data_len, sizeof(data)));
47
48 if (strncasecmp(argv[1], "def", 3) == 0 ||
49 strncasecmp(argv[1], "default", 7) == 0) {
50 @@ -1864,7 +1864,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
51 if (p == NULL) {
52 return (-1);
53 }
54 - memcpy(data, p->data, p->data_len);
55 + memcpy(data, p->data, __min(p->data_len, sizeof(data)));
56
57 if (strncasecmp(argv[1], "on", 2) == 0 ||
58 strncasecmp(argv[1], "yes", 3) == 0) {
59 @@ -1889,7 +1889,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
60 if (p == NULL) {
61 return (-1);
62 }
63 - memcpy(data, p->data, p->data_len);
64 + memcpy(data, p->data, __min(p->data_len, sizeof(data)));
65
66 if (strncasecmp(argv[1], "pet", 3) == 0) {
67 printf("Setting LAN Alert %d destination to PET Trap\n", alert);
68 @@ -1917,7 +1917,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
69 if (p == NULL) {
70 return (-1);
71 }
72 - memcpy(data, p->data, p->data_len);
73 + memcpy(data, p->data, __min(p->data_len, sizeof(data)));
74
75 if (str2uchar(argv[1], &data[2]) != 0) {
76 lprintf(LOG_ERR, "Invalid time: %s", argv[1]);
77 @@ -1933,7 +1933,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
78 if (p == NULL) {
79 return (-1);
80 }
81 - memcpy(data, p->data, p->data_len);
82 + memcpy(data, p->data, __min(p->data_len, sizeof(data)));
83
84 if (str2uchar(argv[1], &data[3]) != 0) {
85 lprintf(LOG_ERR, "Invalid retry: %s", argv[1]);
86 --
87 2.27.0
88
Mirror of packages feed