On Wed, Nov 24, 2021 at 01:04:13PM -0800, Jakub Kicinski wrote:
> We check if response is the right size but if it's not we jump
> to return_unspecified which creates a response of size 3.
> We need size 4 to prevent OOB in handle_ipmb_direct_rcv_rsp().
> Was this supposed to override the message type, too?
>
> Fixes: 059747c245f0 ("ipmi: Add support for IPMB direct messages")
> Signed-off-by: Jakub Kicinski <[email protected]>
> ---
> Dunno if this is the right fix, but the bug is pretty clearly there.
Yeah, not the right fix, but clearly a bug. A proper response with an
error needs to be formatted for IPMB mode. Also, the sizes were wrong.
The format of these messages is described in include/linux/ipmi_smi.h.
The formatting was changed during the design and this was missed.
I'll send out a patch for this.
-corey
> ---
> drivers/char/ipmi/ipmi_msghandler.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/char/ipmi/ipmi_msghandler.c
> b/drivers/char/ipmi/ipmi_msghandler.c
> index f0b18c25cbb1..0011b04f43c9 100644
> --- a/drivers/char/ipmi/ipmi_msghandler.c
> +++ b/drivers/char/ipmi/ipmi_msghandler.c
> @@ -4453,6 +4453,7 @@ static int handle_one_recv_msg(struct ipmi_smi *intf,
> msg->rsp[0] = msg->data[0] | (1 << 2);
> msg->rsp[1] = msg->data[1];
> msg->rsp[2] = IPMI_ERR_UNSPECIFIED;
> + msg->type = IPMI_SMI_MSG_TYPE_NORMAL;
> msg->rsp_size = 3;
> } else if (msg->type == IPMI_SMI_MSG_TYPE_IPMB_DIRECT) {
> /* commands must have at least 3 bytes, responses 4. */
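Review bot: the added `msg->type = IPMI_SMI_MSG_TYPE_NORMAL;` in the return_unspecified path avoids the out-of-bounds read by relabelling the 3-byte response as a normal message so it is no longer handled as IPMB direct, rather than producing an error response that the IPMB direct path can accept; the commit message itself notes that handle_ipmb_direct_rcv_rsp() needs a 4-byte response and asks whether overriding the type is intended, and the context comment in the following branch confirms that IPMB direct responses require at least 4 bytes. Consider instead leaving msg->type unchanged and, when the incoming message is IPMB direct, filling rsp[] in the IPMB direct response format with the rsp_size that format requires (at least 4), so that a requester that sent an IPMB direct command receives an IPMB direct error reply instead of a normal-format one; the fixed `msg->rsp_size = 3;` immediately below this line is also part of the same problem and should be set per message type.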
> --
> 2.31.1
>
_______________________________________________
Openipmi-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openipmi-developer