Blame SOURCES/0013-lanplus-Cleanup.-Refix-6dec83ff-fix-be2c0c4b.patch

From 646160e2175f9e0ba33e4f2bda12d84555e9c30e Mon Sep 17 00:00:00 2001
From: Alexander Amelkin <alexander@amelkin.msk.ru>
Date: Thu, 29 Nov 2018 13:10:53 +0300
Subject: [PATCH] lanplus: Cleanup. Refix 6dec83ff, fix be2c0c4b

This is a cleanup commit.

Commit 6dec83ff removed assignment of `rsp` pointer
in SOL-processing block of ipmi_lan_poll_single(),
but left the check for the pointer validity in place.
Although that has effectively fixed the bug of potentially
accessing the null `rsp` pointer in the `else` block introduced
with be2c0c4b, the resulting if/else looked suspicious and left
an impression that a NULL pointer could still be accessed.

This commit removes the check for `rsp` from the `if`
as it is checked at the start of the function where `rsp`
is initialized (and that is the only place where it is ever changed).

Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
(cherry picked from commit 64727f59c4a1412fdb73e092fb838ae66e2aad1a)

lanplus: Fix segfault for truncated dcmi response

On occasion a dcmi power reading will return error C6, and a
truncated response payload. As the decrypted payload is shorter
than the expected length, lanplus_decrypt_aes_cbc_128() adjusts
the payload_size downward by one byte. In ipmi_lan_poll_single()
the calculation to determine if the payload size has increased
erroneously sets extra_data_length to -1, with a subsequent
segv when calling a memmove to shift response data.
The fix is to check for a positive value in the extra_data_length.

Resolves ipmitool/ipmitool#72

(cherry picked from commit 9ec2232321a7bca7e1fb8f939d071f12c8dfa7fd)
---
 src/plugins/lanplus/lanplus.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/plugins/lanplus/lanplus.c b/src/plugins/lanplus/lanplus.c
index c442c0e..ef132f6 100644
--- a/src/plugins/lanplus/lanplus.c
+++ b/src/plugins/lanplus/lanplus.c
@@ -819,7 +819,7 @@ ipmi_lan_poll_single(struct ipmi_intf * intf)
 			 * rsp->data_len becomes the length of that data
 			 */
 			extra_data_length = payload_size - (offset - payload_start) - 1;
-			if (extra_data_length) {
+			if (extra_data_length > 0) {
 				rsp->data_len = extra_data_length;
 				memmove(rsp->data, rsp->data + offset, extra_data_length);
 			} else {
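Review bot: The `extra_data_length > 0` guard in front of `memmove(rsp->data, rsp->data + offset, extra_data_length)` rejects only the negative result; nothing in these lines checks that `offset + extra_data_length` stays inside `rsp->data`. Consider bounding the length from above against the buffer size as well, and reporting the negative case as a malformed packet rather than letting it fall silently into the `else` branch shared with the zero-length case. The declaration of `extra_data_length` is not part of the hunk; the new comparison only helps if it is a signed type, so that is worth confirming.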
@@ -873,7 +873,7 @@ ipmi_lan_poll_single(struct ipmi_intf *
 		}
 		read_sol_packet(rsp, &offset);
 		extra_data_length = payload_size - (offset - payload_start);
-		if (rsp && extra_data_length) {
+		if (extra_data_length > 0) {
 			rsp->data_len = extra_data_length;
 			memmove(rsp->data, rsp->data + offset, extra_data_length);
 		} else {
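Review bot: Dropping `rsp &&` from the condition that follows `read_sol_packet(rsp, &offset)` makes this block depend on a check that lies outside the hunk (the commit message places it at the start of the function). A short comment here, or an assertion next to the `read_sol_packet()` call, would keep that invariant visible to the next reader. Separately, `extra_data_length > 0` excludes negative values, but nothing visible limits the `memmove()` to the size of `rsp->data`; an explicit upper bound would be safer for a length derived from a received packet.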
-- 
2.26.3