buildroot/package/ipmitool/0011-channel-Fix-buffer-overflow.patch
Heiko Thiery 3b81307162 package/ipmitool: fix 0011-channel-Fix-buffer-overflow.patch
The previous commit to this package
(37c5e903a7) introduced a bunch of patches
to fix a CVE. Unfortunatly only applying of the patches was tested but
not building the package.

This commit replaces a define that was introduced in a previous patch
upstream and caused the build failure.

Tested:

                             br-arm-full [1/6]: OK
                  br-arm-cortex-a9-glibc [2/6]: OK
                   br-arm-cortex-m4-full [3/6]: SKIPPED
                          br-x86-64-musl [4/6]: OK
                      br-arm-full-static [5/6]: OK
                            sourcery-arm [6/6]: OK

Fixes:
 - http://autobuild.buildroot.net/results/3f7fe8ad181318153c459ba5e1afbbc8b49d541c/
 - and more

Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-17 22:21:53 +02:00

47 lines
1.5 KiB
Diff
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

From 1d479fc61feacc64adea64da9601f3dfcf6f74b3 Mon Sep 17 00:00:00 2001
From: Chrostoper Ertl <chertl@microsoft.com>
Date: Thu, 28 Nov 2019 16:56:38 +0000
Subject: [PATCH] channel: Fix buffer overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Partial fix for CVE-2020-5208, see
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
The `ipmi_get_channel_cipher_suites` function does not properly check
the final responses `data_len`, which can lead to stack buffer overflow
on the final copy.
[Retrieve from:
https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4
The patch is slightly modified manually. The define
(MAX_CIPHER_SUITE_DATA_LEN) was introduced upstream in another patch.
Replace the define by the value 0x10.]
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
---
lib/ipmi_channel.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c
index fab2e54..59ac227 100644
--- a/lib/ipmi_channel.c
+++ b/lib/ipmi_channel.c
@@ -413,7 +413,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type,
lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
return -1;
}
- if (rsp->ccode > 0) {
+ if (rsp->ccode
+ || rsp->data_len < 1
+ || rsp->data_len > sizeof(uint8_t) + 0x10)
+ {
lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
val2str(rsp->ccode, completion_code_vals));
return -1;
--
2.20.1