0011-channel-Fix-buffer-overflow.patch 1.5 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546
  1. From 1d479fc61feacc64adea64da9601f3dfcf6f74b3 Mon Sep 17 00:00:00 2001
  2. From: Chrostoper Ertl <chertl@microsoft.com>
  3. Date: Thu, 28 Nov 2019 16:56:38 +0000
  4. Subject: [PATCH] channel: Fix buffer overflow
  5. MIME-Version: 1.0
  6. Content-Type: text/plain; charset=UTF-8
  7. Content-Transfer-Encoding: 8bit
  8. Partial fix for CVE-2020-5208, see
  9. https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
  10. The `ipmi_get_channel_cipher_suites` function does not properly check
  11. the final response’s `data_len`, which can lead to stack buffer overflow
  12. on the final copy.
  13. [Retrieve from:
  14. https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4
  15. The patch is slightly modified manually. The define
  16. (MAX_CIPHER_SUITE_DATA_LEN) was introduced upstream in another patch.
  17. Replace the define by the value 0x10.]
  18. Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
  19. ---
  20. lib/ipmi_channel.c | 5 ++++-
  21. 1 file changed, 4 insertions(+), 1 deletion(-)
  22. diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c
  23. index fab2e54..59ac227 100644
  24. --- a/lib/ipmi_channel.c
  25. +++ b/lib/ipmi_channel.c
  26. @@ -413,7 +413,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type,
  27. lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
  28. return -1;
  29. }
  30. - if (rsp->ccode > 0) {
  31. + if (rsp->ccode
  32. + || rsp->data_len < 1
  33. + || rsp->data_len > sizeof(uint8_t) + 0x10)
  34. + {
  35. lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
  36. val2str(rsp->ccode, completion_code_vals));
  37. return -1;
  38. --
  39. 2.20.1