代码拉取完成,页面将自动刷新
同步操作将从 src-openEuler/ipmitool 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
From 2d516d6f1193a55c89a95b59b7d58fec6210e996 Mon Sep 17 00:00:00 2001
From: fengtao40 <fengtao40@huawei.com>
Date: Tue, 11 Feb 2020 21:02:08 -0500
Subject: [PATCH] Fix buffer overflow vulnerabilities
---
lib/ipmi_fru.c | 35 ++++++++++++++++++++++++++++++++---
1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c
index ad99ebe..7911bae 100644
--- a/lib/ipmi_fru.c
+++ b/lib/ipmi_fru.c
@@ -614,7 +614,10 @@ int
read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
uint32_t offset, uint32_t length, uint8_t *frubuf)
{
- uint32_t off = offset, tmp, finish;
+ uint32_t off = offset;
+ uint32_t tmp;
+ uint32_t finish;
+ uint32_t size_left_in_buffer;
struct ipmi_rs * rsp;
struct ipmi_rq req;
uint8_t msg_data[4];
@@ -627,10 +630,12 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
finish = offset + length;
if (finish > fru->size) {
+ memset(frubuf + fru->size, 0, length - fru->size);
finish = fru->size;
lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
"Adjusting to %d",
offset + length, finish - offset);
+ length = finish - offset;
}
memset(&req, 0, sizeof(req));
@@ -666,6 +671,7 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
}
}
+ size_left_in_buffer = length;
do {
tmp = fru->access ? off >> 1 : off;
msg_data[0] = id;
@@ -706,9 +712,18 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
}
tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
+ if(rsp->data_len < 1
+ || tmp > rsp->data_len - 1
+ || tmp > size_left_in_buffer)
+ {
+ printf(" Not enough buffer size");
+ return -1;
+ }
+
memcpy(frubuf, rsp->data + 1, tmp);
off += tmp;
frubuf += tmp;
+ size_left_in_buffer -= tmp;
/* sometimes the size returned in the Info command
* is too large. return 0 so higher level function
* still attempts to parse what was returned */
@@ -741,7 +756,9 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
uint32_t offset, uint32_t length, uint8_t *frubuf)
{
static uint32_t fru_data_rqst_size = 20;
- uint32_t off = offset, tmp, finish;
+ uint32_t off = offset;
+ uint32_t tmp, finish;
+ uint32_t size_left_in_buffer;
struct ipmi_rs * rsp;
struct ipmi_rq req;
uint8_t msg_data[4];
@@ -753,11 +770,13 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
}
finish = offset + length;
- if (finish > fru->size) {
+ if (finish > fru->size) {
+ memset(frubuf + fru->size, 0, length - fru->size);
finish = fru->size;
lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
"Adjusting to %d",
offset + length, finish - offset);
+ length = finish - offset;
}
memset(&req, 0, sizeof(req));
@@ -772,6 +791,8 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
if (fru->access && fru_data_rqst_size > 16)
#endif
fru_data_rqst_size = 16;
+
+ size_left_in_buffer = length;
do {
tmp = fru->access ? off >> 1 : off;
msg_data[0] = id;
@@ -803,8 +824,16 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
}
tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
+ if(rsp->data_len < 1
+ || tmp > rsp->data_len - 1
+ || tmp > size_left_in_buffer)
+ {
+ printf(" Not enough buffer size");
+ return -1;
+ }
memcpy((frubuf + off)-offset, rsp->data + 1, tmp);
off += tmp;
+ size_left_in_buffer -= tmp;
/* sometimes the size returned in the Info command
* is too large. return 0 so higher level function
--
2.19.1
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手