File lanserv-Check-some-bounds-on-incoming-messages.patch of Package OpenIPMI.35910
From: Corey Minyard <minyard@acm.org>
Subject: lanserv: Check some bounds on incoming messages
References: 1229910
Patch-Mainline: v2.0.35
Git-commit: b52e8e2538b2b48ef6b63bff12b5cc9e2d52eff1
Git-repo: ssh://watologo1@git.code.sf.net/u/watologo1/openipmi.git
Signed-off-by: Corey Minyard <minyard@acm.org>
Signed-off-by: <trenn@suse.com>
Index: OpenIPMI-2.0.31/lanserv/lanserv_ipmi.c
===================================================================
--- OpenIPMI-2.0.31.orig/lanserv/lanserv_ipmi.c
+++ OpenIPMI-2.0.31/lanserv/lanserv_ipmi.c
@@ -882,6 +882,12 @@ handle_temp_session(lanserv_data_t *lan,
}
auth = msg->data[0] & 0xf;
+ if (auth >= MAX_IPMI_AUTHS) {
+ lan->sysinfo->log(lan->sysinfo, NEW_SESSION_FAILED, msg,
+ "Activate session failed: Invalid auth: 0x%x", auth);
+ return;
+ }
+
user = &(lan->users[user_idx]);
if (! (user->valid)) {
lan->sysinfo->log(lan->sysinfo, NEW_SESSION_FAILED, msg,
@@ -3034,6 +3040,11 @@ ipmi_handle_lan_msg(lanserv_data_t *lan,
}
msg.authtype = data[4];
+ if (msg.authtype >= MAX_IPMI_AUTHS) {
+ lan->sysinfo->log(lan->sysinfo, LAN_ERR, &msg,
+ "LAN msg failure: Invalid authtype");
+ return;
+ }
msg.data = data+5;
msg.len = len - 5;
msg.channel = lan->channel.channel_num;