1From 81144cfba131b4ddbfcf9c530274b23bfc7e0ea8 Mon Sep 17 00:00:00 2001
2From: Chrostoper Ertl <chertl@microsoft.com>
3Date: Thu, 28 Nov 2019 16:51:49 +0000
4Subject: [PATCH 2/5] session: Fix buffer overflow in ipmi_get_session_info
5
6Partial fix for CVE-2020-5208, see
7https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
8
9The `ipmi_get_session_info` function does not properly check the
10response `data_len`, which is used as a copy size, allowing stack buffer
11overflow.
12
13Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22]
14CVE: CVE-2020-5208
15
16Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
17---
18 lib/ipmi_session.c | 12 ++++++++----
19 1 file changed, 8 insertions(+), 4 deletions(-)
20
21diff --git a/lib/ipmi_session.c b/lib/ipmi_session.c
22index 4855bc4..71bef4c 100644
23--- a/lib/ipmi_session.c
24+++ b/lib/ipmi_session.c
25@@ -319,8 +319,10 @@ ipmi_get_session_info(struct ipmi_intf * intf,
26 }
27 else
28 {
29- memcpy(&session_info, rsp->data, rsp->data_len);
30- print_session_info(&session_info, rsp->data_len);
31+ memcpy(&session_info, rsp->data,
32+ __min(rsp->data_len, sizeof(session_info)));
33+ print_session_info(&session_info,
34+ __min(rsp->data_len, sizeof(session_info)));
35 }
36 break;
37
38@@ -351,8 +353,10 @@ ipmi_get_session_info(struct ipmi_intf * intf,
39 break;
40 }
41
42- memcpy(&session_info, rsp->data, rsp->data_len);
43- print_session_info(&session_info, rsp->data_len);
44+ memcpy(&session_info, rsp->data,
45+ __min(rsp->data_len, sizeof(session_info)));
46+ print_session_info(&session_info,
47+ __min(rsp->data_len, sizeof(session_info)));
48
49 } while (i <= session_info.session_slot_count);
50 break;
51--
521.9.1
53
54
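Review bot: The clamp `__min(rsp->data_len, sizeof(session_info))` is written out twice in the else branch of the first hunk, and twice again in the do/while hunk at -351, so the copy size and the length passed to print_session_info can drift apart in a later edit. Computing it once, `size_t len = __min(rsp->data_len, sizeof(session_info));`, and passing `len` to both calls keeps the two tied together. An over-long response is truncated silently here; a short comment such as `/* response longer than the struct is truncated, not rejected */` would record that this is intended. The body of ipmi_get_session_info starts and ends outside the hunk, and the declared type of `data_len` is not visible, so the signed/unsigned behaviour of the comparison inside `__min` should be confirmed against the struct definition.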
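Review bot: A response shorter than the struct still leaves part of `session_info` unwritten by the bounded memcpy in the second hunk, and the loop condition `while (i <= session_info.session_slot_count)` then tests whatever that field held before (the previous iteration's value, or indeterminate stack contents on the first pass). Clearing the struct ahead of the copy, `memset(&session_info, 0, sizeof(session_info));`, gives the condition a defined value when the reply is short. Whether the struct is already zeroed earlier in the function cannot be seen from this hunk, so this may already be covered. A minimum-length check on `rsp->data_len` before the copy would be the stricter alternative.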