37c5e903a7
Add several upstream patches that are made to fix this CVE. Since there is still no dated plan to release a new version add this bunch of patches. Cc: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
42 lines
1.4 KiB
Diff
42 lines
1.4 KiB
Diff
From 1d479fc61feacc64adea64da9601f3dfcf6f74b3 Mon Sep 17 00:00:00 2001
|
||
From: Chrostoper Ertl <chertl@microsoft.com>
|
||
Date: Thu, 28 Nov 2019 16:56:38 +0000
|
||
Subject: [PATCH] channel: Fix buffer overflow
|
||
MIME-Version: 1.0
|
||
Content-Type: text/plain; charset=UTF-8
|
||
Content-Transfer-Encoding: 8bit
|
||
|
||
Partial fix for CVE-2020-5208, see
|
||
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
|
||
|
||
The `ipmi_get_channel_cipher_suites` function does not properly check
|
||
the final response’s `data_len`, which can lead to stack buffer overflow
|
||
on the final copy.
|
||
|
||
[Retrieve from:
|
||
https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4]
|
||
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
|
||
---
|
||
lib/ipmi_channel.c | 5 ++++-
|
||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||
|
||
diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c
|
||
index fab2e54..59ac227 100644
|
||
--- a/lib/ipmi_channel.c
|
||
+++ b/lib/ipmi_channel.c
|
||
@@ -413,7 +413,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type,
|
||
lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
|
||
return -1;
|
||
}
|
||
- if (rsp->ccode > 0) {
|
||
+ if (rsp->ccode
|
||
+ || rsp->data_len < 1
|
||
+ || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN)
|
||
+ {
|
||
lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
|
||
val2str(rsp->ccode, completion_code_vals));
|
||
return -1;
|
||
--
|
||
2.20.1
|
||
|