diff --git a/SOURCES/0013-lanplus-Cleanup.-Refix-6dec83ff-fix-be2c0c4b.patch b/SOURCES/0013-lanplus-Cleanup.-Refix-6dec83ff-fix-be2c0c4b.patch
new file mode 100644
index 0000000..eca7a46
--- /dev/null
+++ b/SOURCES/0013-lanplus-Cleanup.-Refix-6dec83ff-fix-be2c0c4b.patch
@@ -0,0 +1,65 @@
+From 646160e2175f9e0ba33e4f2bda12d84555e9c30e Mon Sep 17 00:00:00 2001
+From: Alexander Amelkin
+Date: Thu, 29 Nov 2018 13:10:53 +0300
+Subject: [PATCH] lanplus: Cleanup. Refix 6dec83ff, fix be2c0c4b
+
+This is a cleanup commit.
+
+Commit 6dec83ff removed assignment of `rsp` pointer
+in SOL-processing block of ipmi_lan_poll_single(),
+but left the check for the pointer validity in place.
+Although that has effectively fixed the bug of potentially
+accessing the null `rsp` pointer in the `else` block introduced
+with be2c0c4b, the resulting if/else looked suspicious and left
+and impression that a NULL pointer could still be accessed.
+
+This commit removes the check for `rsp` from the `if`
+as it is checked at the start of the function where `rsp`
+is initialized (and that is the only place where it is ever changed).
+
+Signed-off-by: Alexander Amelkin
+(cherry picked from commit 64727f59c4a1412fdb73e092fb838ae66e2aad1a)
+
+lanplus: Fix segfault for truncated dcmi response
+
+On occasion a dcmi power reading will return error C6, and a
+truncated response payload. As the decrypted payload is shorter
+than the expected length, lanplus_decrypt_aes_cbc_128() adjusts
+the payload_size downward by one byte. In ipmi_lan_poll_single()
+the calculation to determine if the payload size has increased
+erroniously sets extra_data_length to -1, with a subsequent
+segv when calling a memmove to shift response data.
+The fix is to check for a positive value in the extra_data_length.
+
+Resolves ipmitool/ipmitool#72
+
+(cherry picked from commit 9ec2232321a7bca7e1fb8f939d071f12c8dfa7fd)
+---
+ src/plugins/lanplus/lanplus.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/plugins/lanplus/lanplus.c b/src/plugins/lanplus/lanplus.c
+index c442c0e..ef132f6 100644
+--- a/src/plugins/lanplus/lanplus.c
++++ b/src/plugins/lanplus/lanplus.c
+@@ -819,7 +819,7 @@ ipmi_lan_poll_single(struct ipmi_intf * intf)
+ * rsp->data_len becomes the length of that data
+ */
+ extra_data_length = payload_size - (offset - payload_start) - 1;
+- if (extra_data_length) {
++ if (extra_data_length > 0) {
+ rsp->data_len = extra_data_length;
+ memmove(rsp->data, rsp->data + offset, extra_data_length);
+ } else {
+@@ -873,7 +873,7 @@ ipmi_lan_poll_single(struct ipmi_intf *
+ }
+ read_sol_packet(rsp, &offset);
+ extra_data_length = payload_size - (offset - payload_start);
+- if (rsp && extra_data_length) {
++ if (extra_data_length > 0) {
+ rsp->data_len = extra_data_length;
+ memmove(rsp->data, rsp->data + offset, extra_data_length);
+ } else {
+--
+2.26.3
+
diff --git a/SPECS/ipmitool.spec b/SPECS/ipmitool.spec
index 1cf36c2..e7ee740 100644
--- a/SPECS/ipmitool.spec
+++ b/SPECS/ipmitool.spec
@@ -3,7 +3,7 @@
 Name: ipmitool
 Summary: Utility for IPMI control
 Version: 1.8.18
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: BSD
 Group: System Environment/Base
 URL: http://ipmitool.sourceforge.net/
@@ -33,6 +33,7 @@ Patch4: 0004-ipmitool-1.8.11-set-kg-key.patch.patch
 Patch7: 0007-ipmitool-1.8.11-remove-umask0.patch.patch
 Patch9: 0009-ipmitool-1.8.11-bz1126333-slowswid.patch.patch
 Patch10: 0010-ipmitool-1.8.11-bz878614-overname.patch.patch
+Patch13: 0013-lanplus-Cleanup.-Refix-6dec83ff-fix-be2c0c4b.patch
 Patch15: 0015-ID-390-Support-for-new-Communication-Interface-USB-M.patch
 Patch16: 0016-ipmitool-1.8.18-verbose.patch
 Patch17: 0017-ipmitool-1.8.18-check-input-values.patch
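Review bot: Neither memmove guarded by the new `extra_data_length > 0` test (the lanplus.c hunks at 819 and 873 inside the added patch) has an upper bound on the copy length. `payload_size` appears to come from the received packet, so an overstated value would still let `memmove(rsp->data, rsp->data + offset, extra_data_length)` read beyond the response buffer. Its computation and the declaration of `extra_data_length` lie outside the hunk, as does the rest of ipmi_lan_poll_single(), so a bound may exist elsewhere and the `> 0` test itself only helps if the variable is signed. If not, and assuming `rsp->data` is a fixed-size array, extend the guard along the lines of `if (extra_data_length > 0 && offset + extra_data_length <= (int)sizeof(rsp->data))`.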
@@ -94,6 +95,7 @@ for the host OS to use.
 %patch7 -p1
 %patch9 -p1
 %patch10 -p1
+%patch13 -p1
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
@@ -192,6 +194,12 @@ install -Dm 755 contrib/bmc-snmp-proxy %{buildroot}%{_libexecdir}/bmc-sn
 %{_libexecdir}/bmc-snmp-proxy
 %changelog
+* Fri Dec 17 2021 Pavel Cahyna - 0:1.8.18-10
+- Protect against negative values to memmove that caused
+ "ipmitool sol activate" to crash against an IBM DataPower appliance
+ (#1951480) and IP-131 Dayton blades in a SGI ICE-X (#2025519)
+ Cherry-picked from upstream PR#78.
+
 * Wed Mar 04 2020 Václav Doležal - 0:1.8.18-9
 - Disable -fstrict-aliasing (RPMDiff issue)