master

分支 (26)

标签 (21)

管理

管理

master

openEuler-24.03-LTS-Next

openEuler-24.03-LTS-SP1

openEuler-24.03-LTS

openEuler-24.09

openEuler-25.03

openEuler-22.03-LTS

openEuler-20.03-LTS-SP1

openEuler-20.03-LTS-SP3

openEuler-20.03-LTS-SP4

openEuler-22.03-LTS-Next

openEuler-22.03-LTS-SP3

openEuler-22.03-LTS-SP4

openEuler-22.03-LTS-SP1

openEuler-22.03-LTS-SP2

openEuler-23.09

openEuler-23.03

openEuler-22.09

openEuler-21.09

openEuler-20.03-LTS-Next

openEuler-24.03-LTS-SP1-release

openEuler-22.03-LTS-SP4-release

openEuler-24.09-release

openEuler-24.03-LTS-release

openEuler-22.03-LTS-SP3-release

openEuler-23.09-rc5

openEuler-22.03-LTS-SP1-release

openEuler-22.09-release

openEuler-22.09-rc5

openEuler-22.09-20220829

openEuler-22.03-LTS-20220331

openEuler-22.03-LTS-round5

openEuler-22.03-LTS-round3

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.09-20200929

openEuler-20.03-LTS-20200606

ipmitool_1
/
backport-lanplus-Realloc-the-msg-if-t...

From 8f0946a81eb22c14823d726afc486139bb2094ca Mon Sep 17 00:00:00 2001
From: Tom Tung <shes050117@gmail.com>
Date: Fri, 12 Aug 2022 16:47:27 +0800
Subject: [PATCH] lanplus: Realloc the msg if the payload_length gets updated

It's possible the payload_length gets updated in
lanplus_encrypt_payload. If it's updated, the memory of msg should be
updated.

Tested: use ipmitool with lanplus with similar STR  and there is no
memory stomping issue.

Resolved: ipmitool/ipmitool#351
Signed-off-by: Tom Tung <shes050117@gmail.com>
---
 src/plugins/lanplus/lanplus.c | 19 +++++++++++++++++++
 src/plugins/lanplus/lanplus.h |  2 ++
 2 files changed, 21 insertions(+)

diff --git a/src/plugins/lanplus/lanplus.c b/src/plugins/lanplus/lanplus.c
index ed41380..7a9162c 100644
--- a/src/plugins/lanplus/lanplus.c
+++ b/src/plugins/lanplus/lanplus.c
@@ -1727,6 +1727,7 @@ ipmi_lanplus_build_v2x_msg(
 	 */
 	if (session->v2_data.session_state == LANPLUS_STATE_ACTIVE)
 	{
+		uint16_t old_payload_length = payload->payload_length;
 		/* Payload len is adjusted as necessary by lanplus_encrypt_payload */
 		lanplus_encrypt_payload(session->v2_data.crypt_alg,        /* input  */
 								session->v2_data.k2,               /* input  */
@@ -1735,6 +1736,24 @@ ipmi_lanplus_build_v2x_msg(
 								msg + IPMI_LANPLUS_OFFSET_PAYLOAD, /* output */
 								&(payload->payload_length));       /* output */

+		if (old_payload_length != payload->payload_length)
+		{
+			len =
+				IPMI_LANPLUS_OFFSET_PAYLOAD   +
+				payload->payload_length       +
+				IPMI_MAX_INTEGRITY_PAD_SIZE   +
+				IPMI_LANPLUS_PAD_LENGTH_SIZE  +
+				IPMI_LANPLUS_NEXT_HEADER_SIZE +
+				IPMI_MAX_AUTH_CODE_SIZE;
+
+			uint8_t * new_msg = realloc(msg, len);
+			if (!new_msg) {
+				free(msg);
+				lprintf(LOG_ERR, "ipmitool: realloc failure");
+				return;
+			}
+			msg = new_msg;
+		}
 	}

 	/* Now we know the payload length */
diff --git a/src/plugins/lanplus/lanplus.h b/src/plugins/lanplus/lanplus.h
index 3e287ae..94bd56a 100644
--- a/src/plugins/lanplus/lanplus.h
+++ b/src/plugins/lanplus/lanplus.h
@@ -86,6 +86,8 @@
 #define IPMI_LANPLUS_OFFSET_PAYLOAD_SIZE 0x0E
 #define IPMI_LANPLUS_OFFSET_PAYLOAD      0x10

+#define IPMI_LANPLUS_PAD_LENGTH_SIZE  1
+#define IPMI_LANPLUS_NEXT_HEADER_SIZE 1

 #define IPMI_GET_CHANNEL_AUTH_CAP 0x38

--
2.27.0