Overview

File channel-Fix-buffer-overflow.patch of Package ipmitool.14274

From: Chrostoper Ertl <chertl@microsoft.com>
Subject: channel: Fix buffer overflow
References: bsc#1163026, CVE-2020-5208
Patch-Mainline: 
Git-commit: 9452be87181a6e83cfcc768b3ed8321763db50e4
Git-repo: https://github.com/ipmitool/ipmitool.git.git

Partial fix for CVE-2020-5208, see
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp

The `ipmi_get_channel_cipher_suites` function does not properly check
the final response’s `data_len`, which can lead to stack buffer overflow
on the final copy.


Signed-off-by:  <trenn@suse.com>
---
 include/ipmitool/ipmi_channel.h |    2 ++
 lib/ipmi_channel.c              |    5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

--- a/include/ipmitool/ipmi_channel.h
+++ b/include/ipmitool/ipmi_channel.h
@@ -56,6 +56,8 @@
 #define IPMI_CHANNEL_SESSION_MULTI 0x80
 #define IPMI_CHANNEL_SESSION_BASED 0xC0
 
+#define MAX_CIPHER_SUITE_DATA_LEN 0x10
+
 /* (22.24) Get Channel Info */
 struct channel_info_t {
 	uint8_t channel;
--- a/lib/ipmi_channel.c
+++ b/lib/ipmi_channel.c
@@ -378,7 +378,10 @@
 		lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
 		return -1;
 	}
-	if (rsp->ccode > 0) {
+	if (rsp->ccode
+	    || rsp->data_len < 1
+	    || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN)
+	{
 		lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
 			val2str(rsp->ccode, completion_code_vals));
 		return -1;
openSUSE Build Service is sponsored by
Places