1From 5057761e30e3a7682edab60f98f631616392ddc6 Mon Sep 17 00:00:00 2001 2From: Chrostoper Ertl <chertl@microsoft.com> 3Date: Thu, 28 Nov 2019 16:56:38 +0000 4Subject: [PATCH 3/3] channel: Fix buffer overflow 5MIME-Version: 1.0 6Content-Type: text/plain; charset=UTF-8 7Content-Transfer-Encoding: 8bit 8 9Partial fix for CVE-2020-5208, see 10https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp 11 12The `ipmi_get_channel_cipher_suites` function does not properly check 13the final response’s `data_len`, which can lead to stack buffer overflow 14on the final copy. 15 16Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4] 17CVE: CVE-2020-5208 18 19[Make some changes to apply it] 20Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> 21--- 22 include/ipmitool/ipmi_channel.h | 2 ++ 23 lib/ipmi_channel.c | 10 ++++++++-- 24 2 files changed, 10 insertions(+), 2 deletions(-) 25 26diff --git a/include/ipmitool/ipmi_channel.h b/include/ipmitool/ipmi_channel.h 27index b138c26..d7cce5e 100644 28--- a/include/ipmitool/ipmi_channel.h 29+++ b/include/ipmitool/ipmi_channel.h 30@@ -77,6 +77,8 @@ struct channel_access_t { 31 uint8_t user_level_auth; 32 }; 33 34+#define MAX_CIPHER_SUITE_DATA_LEN 0x10 35+ 36 /* 37 * The Get Authentication Capabilities response structure 38 * From table 22-15 of the IPMI v2.0 spec 39diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c 40index fab2e54..76ecdcd 100644 41--- a/lib/ipmi_channel.c 42+++ b/lib/ipmi_channel.c 43@@ -378,7 +378,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type, 44 lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); 45 return -1; 46 } 47- if (rsp->ccode > 0) { 48+ if (rsp->ccode 49+ || rsp->data_len < 1 50+ || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN) 51+ { 52 lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", 53 val2str(rsp->ccode, completion_code_vals)); 54 return -1; 55@@ -413,7 +416,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type, 56 lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); 57 return -1; 58 } 59- if (rsp->ccode > 0) { 60+ if (rsp->ccode 61+ || rsp->data_len < 1 62+ || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN) 63+ { 64 lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", 65 val2str(rsp->ccode, completion_code_vals)); 66 return -1; 67-- 682.18.1 69 70