1From 1d479fc61feacc64adea64da9601f3dfcf6f74b3 Mon Sep 17 00:00:00 2001 2From: Chrostoper Ertl <chertl@microsoft.com> 3Date: Thu, 28 Nov 2019 16:56:38 +0000 4Subject: [PATCH] channel: Fix buffer overflow 5MIME-Version: 1.0 6Content-Type: text/plain; charset=UTF-8 7Content-Transfer-Encoding: 8bit 8 9Partial fix for CVE-2020-5208, see 10https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp 11 12The `ipmi_get_channel_cipher_suites` function does not properly check 13the final response’s `data_len`, which can lead to stack buffer overflow 14on the final copy. 15 16[Retrieve from: 17https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4 18 19The patch is slightly modified manually. The define 20(MAX_CIPHER_SUITE_DATA_LEN) was introduced upstream in another patch. 21Replace the define by the value 0x10.] 22 23Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com> 24--- 25 lib/ipmi_channel.c | 5 ++++- 26 1 file changed, 4 insertions(+), 1 deletion(-) 27 28diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c 29index fab2e54..59ac227 100644 30--- a/lib/ipmi_channel.c 31+++ b/lib/ipmi_channel.c 32@@ -413,7 +413,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type, 33 lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); 34 return -1; 35 } 36- if (rsp->ccode > 0) { 37+ if (rsp->ccode 38+ || rsp->data_len < 1 39+ || rsp->data_len > sizeof(uint8_t) + 0x10) 40+ { 41 lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", 42 val2str(rsp->ccode, completion_code_vals)); 43 return -1; 44-- 452.20.1 46 47