URL:
  <https://savannah.gnu.org/bugs/?68142>

                 Summary: [SECURITY][BUG][freeipmi-1.6.16] Length-consistency validation failure in ipmi_oem_wistron_read_proprietary_string
                   Group: GNU FreeIPMI
               Submitter: chnzzh
               Submitted: Wed 11 Mar 2026 03:52:03 AM UTC
                Category: ipmi-oem
                Severity: 3 - Normal
                Priority: 5 - Normal
              Item Group: Improper Behaviour
                  Status: None
                 Privacy: Private
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Unlocked
        Operating System: None


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Wed 11 Mar 2026 03:52:03 AM UTC By: Zhihan Zheng <chnzzh>
Hello FreeIPMI developers,

I am reporting a response length validation vulnerability in FreeIPMI 1.6.16.

## Vulnerability Summary
- Component: ipmi-oem
- Function: ipmi_oem_wistron_read_proprietary_string
- Type: improper response length validation
- CWE: CWE-130, CWE-200

## Affected Scope
- Upstream: freeipmi-1.6.16
- Also reproduced on apt-installed system package build:
  - package: freeipmi-tools 1.6.13-3
  - binary: /usr/sbin/ipmi-oem

## Reproduction
A self-contained reproduction package is attached (4 files):
- advisory.md: detailed write-up
- build.sh: builds freeipmi-1.6.16 with ASAN
- poc_run.sh: starts PoC server and drives the vulnerable code path
- poc_server.py: minimal IPMI response server that sends the crafted payload

Observed:
1. Source path: malformed short response is accepted as success.
2. apt path: `/usr/sbin/ipmi-oem ... wistron read-proprietary-string` returns
`rc=0` on malformed response.

Please confirm receipt. I am happy to coordinate on a CVE assignment and patch
timeline.

Report date: 2026-03-11

Best regards,
Zhihan Zheng


    _______________________________________________________
File Attachments:

Name: advisory.md                    Size: 2.2KiB
Name: build.sh                       Size: 424B
Name: poc_run.sh                     Size: 585B
Name: poc_server.py                  Size: 4.4KiB
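
The report classifies the issue as CWE-130, with a malformed short response accepted as success. The following added example (not FreeIPMI code and not part of the report) shows a length-consistency check on a length-prefixed response; the two-byte header layout, the function name and the sample bytes are assumptions made for illustration, not the Wistron OEM format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout, assumed for illustration only:
 * [0] = completion code, [1] = declared string length N,
 * [2 .. 2+N-1] = string bytes. */
#define RS_HDR_LEN 2
#define RS_COMP_OK 0x00

enum rs_status { RS_OK = 0, RS_ERR_SHORT = -1, RS_ERR_COMP = -2,
                 RS_ERR_LEN_MISMATCH = -3, RS_ERR_NO_SPACE = -4 };

/* Copy the string out only when the received byte count, the header and
 * the declared length all agree. rs_len is the number of bytes actually
 * received from the transport, never a value taken from the payload. */
int parse_string_response(const uint8_t *rs, size_t rs_len,
                          char *out, size_t out_size)
{
    size_t declared;

    if (rs == NULL || out == NULL || out_size == 0)
        return RS_ERR_NO_SPACE;
    if (rs_len < RS_HDR_LEN)          /* too short to hold the header */
        return RS_ERR_SHORT;
    if (rs[0] != RS_COMP_OK)
        return RS_ERR_COMP;

    declared = rs[1];
    /* CWE-130: the length field must match the bytes that arrived. */
    if (declared != rs_len - RS_HDR_LEN)
        return RS_ERR_LEN_MISMATCH;
    if (declared >= out_size)         /* leave room for the NUL */
        return RS_ERR_NO_SPACE;

    memcpy(out, rs + RS_HDR_LEN, declared);
    out[declared] = '\0';
    return RS_OK;
}

/* Constructed sample responses (not captured traffic). */
static const uint8_t sample_ok[]    = { 0x00, 0x03, 'a', 'b', 'c' };
static const uint8_t sample_short[] = { 0x00 };
static const uint8_t sample_trunc[] = { 0x00, 0x10, 'a', 'b' };
static char sample_out[8];
```

A caller should turn any non-`RS_OK` status into a non-zero exit code rather than reporting success.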
