recv() in processing of tsol data packets provides buffer 'buff' of size IPMI_BUF_SIZE+4, but claims its size is 'sizeof(out_buff)+4', which is IPMI_BUF_SIZE*8+4 -> potential buffer overflow.
Signed-off-by: Jan Safranek <jsafr...@redhat.com> --- lib/ipmi_tsol.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/lib/ipmi_tsol.c b/lib/ipmi_tsol.c index cca2436..8a75762 100644 --- a/lib/ipmi_tsol.c +++ b/lib/ipmi_tsol.c @@ -385,7 +385,7 @@ ipmi_tsol_main(struct ipmi_intf * intf, int argc, char ** argv) socklen_t mylen; char *recvip = NULL; char out_buff[IPMI_BUF_SIZE * 8], in_buff[IPMI_BUF_SIZE]; - char buff[IPMI_BUF_SIZE + 4]; + char buff[IPMI_BUF_SIZE * 8 + 4]; int fd_socket, result, i; int out_buff_fill, in_buff_fill; int ip1, ip2, ip3, ip4;
_______________________________________________ Ipmitool-devel mailing list Ipmitool-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ipmitool-devel
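Review bot: The new declaration `char buff[IPMI_BUF_SIZE * 8 + 4];` repeats the size of `out_buff` by hand, so its agreement with the `sizeof(out_buff)+4` length that the commit message says is claimed in recv() stays implicit and can drift again if either array is resized. Consider declaring it as `char buff[sizeof(out_buff) + 4];`, or changing the recv() call (not shown in this hunk) to pass `sizeof(buff)`, so the length handed to recv() is always derived from the buffer it writes into. A short comment next to the declaration saying what the extra 4 bytes are for would also make the sizing easier to check.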