ipmitool/trunk/9452be87181a6e83cfcc768b3ed8321763db50e4-edited.patch

   1 NOTE: This diff has been adjusted to apply to 1.8.18.
   2
   3
   4 From 9452be87181a6e83cfcc768b3ed8321763db50e4 Mon Sep 17 00:00:00 2001
   5 From: Chrostoper Ertl <chertl@microsoft.com>
   6 Date: Thu, 28 Nov 2019 16:56:38 +0000
   7 Subject: [PATCH] channel: Fix buffer overflow
   8 MIME-Version: 1.0
   9 Content-Type: text/plain; charset=UTF-8
  10 Content-Transfer-Encoding: 8bit
  11
  12 Partial fix for CVE-2020-5208, see
  13 https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
  14
  15 The `ipmi_get_channel_cipher_suites` function does not properly check
  16 the final response’s `data_len`, which can lead to stack buffer overflow
  17 on the final copy.
  18 ---
  19  lib/ipmi_channel.c | 5 ++++-
  20  1 file changed, 4 insertions(+), 1 deletion(-)
  21
  22 diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c
  23 index a6a6a424..433c4d36 100644
  24 --- a/lib/ipmi_channel.c
  25 +++ b/lib/ipmi_channel.c
  26 @@ -498,7 +498,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf,
  27                         lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
  28                         return -1;
  29                 }
  30 -               if (rsp->ccode > 0) {
  31 +               if (rsp->ccode
  32 +                   || rsp->data_len < 1
  33 +                   || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN)
  34 +               {
  35                         lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
  36                                         val2str(rsp->ccode, completion_code_vals));
  37                         return -1;