We check if the response is the right size, but if it's not we jump
to return_unspecified which creates a response of size 3.
We need size 4 to prevent OOB in handle_ipmb_direct_rcv_rsp().
Was this supposed to override the message type, too?
Fixes: 059747c245f0 ("ipmi: Add support for IPMB direct messages")
Signed-off-by: Jakub Kicinski <[email protected]>
---
Dunno if this is the right fix, but the bug is pretty clearly there.
---
drivers/char/ipmi/ipmi_msghandler.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/char/ipmi/ipmi_msghandler.c
b/drivers/char/ipmi/ipmi_msghandler.c
index f0b18c25cbb1..0011b04f43c9 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -4453,6 +4453,7 @@ static int handle_one_recv_msg(struct ipmi_smi *intf,
msg->rsp[0] = msg->data[0] | (1 << 2);
msg->rsp[1] = msg->data[1];
msg->rsp[2] = IPMI_ERR_UNSPECIFIED;
+ msg->type = IPMI_SMI_MSG_TYPE_NORMAL;
msg->rsp_size = 3;
} else if (msg->type == IPMI_SMI_MSG_TYPE_IPMB_DIRECT) {
/* commands must have at least 3 bytes, responses 4. */
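Review bot: The added `msg->type = IPMI_SMI_MSG_TYPE_NORMAL;` rewrites the message type with no comment explaining why, and the commit message itself leaves open whether the type was meant to be overridden here. A short comment above the assignment would help, for example noting that the 3-byte error response built in this branch is too short for the IPMB direct response path, which needs 4 bytes according to the comment in the following branch. It is also worth confirming with the maintainer that nothing after this point still needs the original type of a message that arrived as IPMI_SMI_MSG_TYPE_IPMB_DIRECT, since that information is lost once the assignment runs, and whether building a 4-byte error response for that type would be the preferred fix instead.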
--
2.31.1
_______________________________________________
Openipmi-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openipmi-developer