package/ipmitool/0011-channel-Fix-buffer-overflow.patch - buildroot - Git at Google

 From 1d479fc61feacc64adea64da9601f3dfcf6f74b3 Mon Sep 17 00:00:00 2001
 From: Chrostoper Ertl <chertl@microsoft.com>
 Date: Thu, 28 Nov 2019 16:56:38 +0000
 Subject: [PATCH] channel: Fix buffer overflow
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 Partial fix for CVE-2020-5208, see
 https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp

 The `ipmi_get_channel_cipher_suites` function does not properly check
 the final response’s `data_len`, which can lead to stack buffer overflow
 on the final copy.

 [Retrieve from:
 https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4

 The patch is slightly modified manually. The define
 (MAX_CIPHER_SUITE_DATA_LEN) was introduced upstream in another patch.
 Replace the define by the value 0x10.]

 Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
 ---
  lib/ipmi_channel.c | 5 ++++-
  1 file changed, 4 insertions(+), 1 deletion(-)

 diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c
 index fab2e54..59ac227 100644
 --- a/lib/ipmi_channel.c
 +++ b/lib/ipmi_channel.c
 @@ -413,7 +413,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type,
  			lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
  			return -1;
  		}
 -		if (rsp->ccode > 0) {
 +		if (rsp->ccode
 +		    || rsp->data_len < 1
 +		    || rsp->data_len > sizeof(uint8_t) + 0x10)
 +		{
  			lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
  					val2str(rsp->ccode, completion_code_vals));
  			return -1;
 --
 2.20.1
	From 1d479fc61feacc64adea64da9601f3dfcf6f74b3 Mon Sep 17 00:00:00 2001
	From: Chrostoper Ertl <chertl@microsoft.com>
	Date: Thu, 28 Nov 2019 16:56:38 +0000
	Subject: [PATCH] channel: Fix buffer overflow
	MIME-Version: 1.0
	Content-Type: text/plain; charset=UTF-8
	Content-Transfer-Encoding: 8bit

	Partial fix for CVE-2020-5208, see
	https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp

	The `ipmi_get_channel_cipher_suites` function does not properly check
	the final response’s `data_len`, which can lead to stack buffer overflow
	on the final copy.

	[Retrieve from:
	https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4

	The patch is slightly modified manually. The define
	(MAX_CIPHER_SUITE_DATA_LEN) was introduced upstream in another patch.
	Replace the define by the value 0x10.]

	Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
	---
	lib/ipmi_channel.c \| 5 ++++-
	1 file changed, 4 insertions(+), 1 deletion(-)

	diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c
	index fab2e54..59ac227 100644
	--- a/lib/ipmi_channel.c
	+++ b/lib/ipmi_channel.c
	@@ -413,7 +413,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf intf, const char payload_type,
	lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
	return -1;
	}
	- if (rsp->ccode > 0) {
	+ if (rsp->ccode
	+ \|\| rsp->data_len < 1
	+ \|\| rsp->data_len > sizeof(uint8_t) + 0x10)
	+ {
	lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
	val2str(rsp->ccode, completion_code_vals));
	return -1;
	--
	2.20.1