package/ipmitool/0010-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch - buildroot - Git at Google

 From cd785a7fe4f42ab59bcefcf01b9175f039af29b5 Mon Sep 17 00:00:00 2001
 From: Chrostoper Ertl <chertl@microsoft.com>
 Date: Thu, 28 Nov 2019 16:51:49 +0000
 Subject: [PATCH] session: Fix buffer overflow in ipmi_get_session_info

 Partial fix for CVE-2020-5208, see
 https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp

 The `ipmi_get_session_info` function does not properly check the
 response `data_len`, which is used as a copy size, allowing stack buffer
 overflow.

 [Retrieve from:
 https://github.com/ipmitool/ipmitool/commit/41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22]
 Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
 ---
  lib/ipmi_session.c | 12 ++++++++----
  1 file changed, 8 insertions(+), 4 deletions(-)

 diff --git a/lib/ipmi_session.c b/lib/ipmi_session.c
 index 141f0f4..b9af1fd 100644
 --- a/lib/ipmi_session.c
 +++ b/lib/ipmi_session.c
 @@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf         * intf,
  		}
  		else
  		{
 -			memcpy(&session_info,  rsp->data, rsp->data_len);
 -			print_session_info(&session_info, rsp->data_len);
 +			memcpy(&session_info,  rsp->data,
 +			       __min(rsp->data_len, sizeof(session_info)));
 +			print_session_info(&session_info,
 +			                   __min(rsp->data_len, sizeof(session_info)));
  		}
  		break;

 @@ -341,8 +343,10 @@ ipmi_get_session_info(struct ipmi_intf         * intf,
  				break;
  			}

 -			memcpy(&session_info,  rsp->data, rsp->data_len);
 -			print_session_info(&session_info, rsp->data_len);
 +			memcpy(&session_info,  rsp->data,
 +			       __min(rsp->data_len, sizeof(session_info)));
 +			print_session_info(&session_info,
 +			                   __min(rsp->data_len, sizeof(session_info)));

  		} while (i <= session_info.session_slot_count);
  		break;
 --
 2.20.1
	From cd785a7fe4f42ab59bcefcf01b9175f039af29b5 Mon Sep 17 00:00:00 2001
	From: Chrostoper Ertl <chertl@microsoft.com>
	Date: Thu, 28 Nov 2019 16:51:49 +0000
	Subject: [PATCH] session: Fix buffer overflow in ipmi_get_session_info

	Partial fix for CVE-2020-5208, see
	https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp

	The `ipmi_get_session_info` function does not properly check the
	response `data_len`, which is used as a copy size, allowing stack buffer
	overflow.

	[Retrieve from:
	https://github.com/ipmitool/ipmitool/commit/41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22]
	Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
	---
	lib/ipmi_session.c \| 12 ++++++++----
	1 file changed, 8 insertions(+), 4 deletions(-)

	diff --git a/lib/ipmi_session.c b/lib/ipmi_session.c
	index 141f0f4..b9af1fd 100644
	--- a/lib/ipmi_session.c
	+++ b/lib/ipmi_session.c
	@@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf * intf,
	}
	else
	{
	- memcpy(&session_info, rsp->data, rsp->data_len);
	- print_session_info(&session_info, rsp->data_len);
	+ memcpy(&session_info, rsp->data,
	+ __min(rsp->data_len, sizeof(session_info)));
	+ print_session_info(&session_info,
	+ __min(rsp->data_len, sizeof(session_info)));
	}
	break;

	@@ -341,8 +343,10 @@ ipmi_get_session_info(struct ipmi_intf * intf,
	break;
	}

	- memcpy(&session_info, rsp->data, rsp->data_len);
	- print_session_info(&session_info, rsp->data_len);
	+ memcpy(&session_info, rsp->data,
	+ __min(rsp->data_len, sizeof(session_info)));
	+ print_session_info(&session_info,
	+ __min(rsp->data_len, sizeof(session_info)));

	} while (i <= session_info.session_slot_count);
	break;
	--
	2.20.1