URL:
  <https://savannah.gnu.org/bugs/?68141>

                 Summary: [SECURITY][BUG][freeipmi-1.6.16] Response length validation flaw in ipmi_oem_dell_get_last_post_code
                   Group: GNU FreeIPMI
               Submitter: chnzzh
               Submitted: Wed 11 Mar 2026 03:48:30 AM UTC
                Category: ipmi-oem
                Severity: 3 - Normal
                Priority: 5 - Normal
              Item Group: Improper Behaviour
                  Status: None
                 Privacy: Private
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Unlocked
        Operating System: None


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Wed 11 Mar 2026 03:48:30 AM UTC By: Zhihan Zheng <chnzzh>
Hello FreeIPMI developers,

I am reporting a response length validation vulnerability in FreeIPMI 1.6.16.

## Vulnerability Summary
- Component: ipmi-oem
- Function: ipmi_oem_dell_get_last_post_code
- Type: improper response length validation
- CWE: CWE-130, CWE-125

## Affected Scope
- Upstream: freeipmi-1.6.16
- Also reproduced on apt-installed system package build:
  - package: freeipmi-tools 1.6.13-3
  - binary: /usr/sbin/ipmi-oem

## Reproduction
A self-contained reproduction package is attached (4 files):
- advisory.md — detailed write-up
- build.sh — builds freeipmi-1.6.16 with ASAN
- poc_run.sh — starts PoC server and drives the vulnerable code path
- poc_server.py — minimal IPMI response server that sends the crafted payload

Observed:
1. Source path: malformed short payload is accepted as success.
2. apt path: `/usr/sbin/ipmi-oem ... dell get-last-post-code` returns `rc=0` and still prints `Post Code AAh :` for the malformed response.

Please confirm receipt. I am happy to coordinate on a CVE assignment and patch
timeline.

Report date: 2026-03-11

Best regards,
Zhihan Zheng






    _______________________________________________________
File Attachments:

Name: advisory.md                    Size: 2.0KiB
Name: poc_run.sh                     Size: 489B
Name: poc_server.py                  Size: 4.4KiB
Name: build.sh                       Size: 424B
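
The class of check this report concerns (CWE-130, CWE-125), shown as an added example that is not code from FreeIPMI or from the reporter's attachments. The three-byte layout (command, completion code, POST code), the helper name `parse_post_code_response` and all sample bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed response layout (not taken from the FreeIPMI source):
 * byte 0 = command echoed back, byte 1 = completion code, byte 2 = POST code */
enum { RS_CMD = 0, RS_COMP_CODE = 1, RS_POST_CODE = 2, RS_LEN = 3 };

enum parse_status { PARSE_OK = 0, PARSE_TRANSPORT_ERROR, PARSE_BAD_LENGTH,
                    PARSE_WRONG_CMD, PARSE_BAD_COMP_CODE };

/* Hypothetical helper: rs_len is the byte count the transport reported.
 * No index is read until rs_len proves that index was actually received. */
enum parse_status
parse_post_code_response(const uint8_t *rs, int rs_len, uint8_t expected_cmd,
                         uint8_t *post_code)
{
    if (rs == NULL || post_code == NULL || rs_len < 0)
        return PARSE_TRANSPORT_ERROR;
    if (rs_len <= RS_COMP_CODE)            /* header itself is truncated */
        return PARSE_BAD_LENGTH;
    if (rs[RS_CMD] != expected_cmd)
        return PARSE_WRONG_CMD;
    if (rs[RS_COMP_CODE] != 0x00)          /* error replies may be short */
        return PARSE_BAD_COMP_CODE;
    if (rs_len != RS_LEN)                  /* success must carry the data byte */
        return PARSE_BAD_LENGTH;
    *post_code = rs[RS_POST_CODE];
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample: the peer sent only 2 bytes; the rest of the
     * receive buffer still holds unrelated filler (0x5A). */
    uint8_t rs[8] = { 0x42, 0x00, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A };
    uint8_t code = 0;
    enum parse_status st = parse_post_code_response(rs, 2, 0x42, &code);

    if (st != PARSE_OK) {
        fprintf(stderr, "rejected response, status %d\n", (int)st);
        return 1;                          /* non-zero exit, nothing printed */
    }
    printf("Post Code %02Xh\n", code);
    return 0;
}
```

Without the final length comparison, the two-byte reply above would be reported as success and the filler byte at index 2 would be printed as the POST code.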
