blob: cae9ddd390633d0d097c71551a70f16ff0b043ca (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
Subject: [PATCH 4/6] channel: Fix buffer overflow
Partial fix for CVE-2020-5208, see
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
.
The `ipmi_get_channel_cipher_suites` function does not properly check
the final response’s `data_len`, which can lead to stack buffer overflow
on the final copy.
From 9452be87181a6e83cfcc768b3ed8321763db50e4 Mon Sep 17 00:00:00 2001
From: Chrostoper Ertl <chertl@microsoft.com>
Date: Thu, 28 Nov 2019 16:56:38 +0000
Last-Update: 2021-02-08
--- ipmitool-1.8.18.orig/lib/ipmi_channel.c
+++ ipmitool-1.8.18/lib/ipmi_channel.c
@@ -413,7 +413,10 @@ ipmi_get_channel_cipher_suites(struct ip
lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
return -1;
}
- if (rsp->ccode > 0) {
+ if (rsp->ccode
+ || rsp->data_len < 1
+ || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN)
+ {
lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
val2str(rsp->ccode, completion_code_vals));
return -1;
--- a/include/ipmitool/ipmi_channel.h 2016-05-29 21:46:53.000000000 +0200
+++ b/include/ipmitool/ipmi_channel.h 2021-02-08 23:45:10.598535426 +0100
@@ -77,6 +77,8 @@
uint8_t user_level_auth;
};
+#define MAX_CIPHER_SUITE_DATA_LEN 0x10
+
/*
* The Get Authentication Capabilities response structure
* From table 22-15 of the IPMI v2.0 spec
|
