channel: Fix buffer overflow
Partial fix for CVE-2020-5208, see
GHSA-g659-9qxw-p7cp

The `ipmi_get_channel_cipher_suites` function does not properly check
the final response’s `data_len`, which can lead to stack buffer overflow
on the final copy.
chertl authored and AlexanderAmelkin committed Feb 4, 2020
1 parent 41d7026 commit 9452be8
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion lib/ipmi_channel.c
Expand Up @@ -498,7 +498,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf,
lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
return -1;
}
if (rsp->ccode || rsp->data_len < 1) {
if (rsp->ccode
|| rsp->data_len < 1
|| rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN)
{
lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
val2str(rsp->ccode, completion_code_vals));
return -1;
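Review bot: In the new `rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN` condition, a response rejected only for being too long still reaches `lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", val2str(rsp->ccode, completion_code_vals))`, so when `rsp->ccode` is zero the log prints the text for a successful completion code and hides the real cause. Suggest moving the two `data_len` checks into their own branch that logs `rsp->data_len` together with the allowed maximum. The `sizeof(uint8_t)` term also deserves a short comment or a named constant saying which byte of the response it accounts for, so a reader can confirm the bound against the size of the destination buffer in the copy the commit message refers to.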