1From cd785a7fe4f42ab59bcefcf01b9175f039af29b5 Mon Sep 17 00:00:00 2001
2From: Chrostoper Ertl <chertl@microsoft.com>
3Date: Thu, 28 Nov 2019 16:51:49 +0000
4Subject: [PATCH] session: Fix buffer overflow in ipmi_get_session_info
5
6Partial fix for CVE-2020-5208, see
7https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
8
9The `ipmi_get_session_info` function does not properly check the
10response `data_len`, which is used as a copy size, allowing stack buffer
11overflow.
12
13[Retrieve from:
14https://github.com/ipmitool/ipmitool/commit/41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22]
15Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
16---
17 lib/ipmi_session.c | 12 ++++++++----
18 1 file changed, 8 insertions(+), 4 deletions(-)
19
20diff --git a/lib/ipmi_session.c b/lib/ipmi_session.c
21index 141f0f4..b9af1fd 100644
22--- a/lib/ipmi_session.c
23+++ b/lib/ipmi_session.c
24@@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf * intf,
25 }
26 else
27 {
28- memcpy(&session_info, rsp->data, rsp->data_len);
29- print_session_info(&session_info, rsp->data_len);
30+ memcpy(&session_info, rsp->data,
31+ __min(rsp->data_len, sizeof(session_info)));
32+ print_session_info(&session_info,
33+ __min(rsp->data_len, sizeof(session_info)));
34 }
35 break;
36
37@@ -341,8 +343,10 @@ ipmi_get_session_info(struct ipmi_intf * intf,
38 break;
39 }
40
41- memcpy(&session_info, rsp->data, rsp->data_len);
42- print_session_info(&session_info, rsp->data_len);
43+ memcpy(&session_info, rsp->data,
44+ __min(rsp->data_len, sizeof(session_info)));
45+ print_session_info(&session_info,
46+ __min(rsp->data_len, sizeof(session_info)));
47
48 } while (i <= session_info.session_slot_count);
49 break;
50--
512.20.1
52
53
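Review bot: Both hunks clamp the copy length but leave the tail of `session_info` untouched when `rsp->data_len` is smaller than the struct, and the loop condition at the end of the second hunk still reads `session_info.session_slot_count`; unless the struct is zeroed earlier in the function (not visible here), a short response would have that field taken from stale or uninitialized stack bytes. I would clear the struct before each copy and compute the clamp once: `size_t len = __min(rsp->data_len, sizeof(session_info));`, then `memset(&session_info, 0, sizeof(session_info));` and `memcpy(&session_info, rsp->data, len);`, passing `len` on to `print_session_info`. A response longer than the struct is now truncated silently, so a diagnostic at that point would help an operator notice a malformed or hostile BMC reply. `ipmi_get_session_info` begins and ends outside both hunks, so the declaration of `session_info` and the type of `data_len` could not be checked from this patch.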