All,
I've attached a patch to constrain the username argument to 16 characters. I
also fixed a memory leak that I noticed in the user set password function. The
initial bug report can be found via the following URL.
http://sourceforge.net/tracker/?func=detail&aid=3001519&group_id=95200&atid=610550
Any/all comments appreciated.
Jim
--
-- Jim Mankovich | jm...@hp.com --
>From d5afa560309dadd4a20e97144b38262dbe72478d Mon Sep 17 00:00:00 2001
From: Jim Mankovich <jm...@hp.com>
Date: Tue, 24 Apr 2012 12:35:28 -0600
Subject: [PATCH] Constrain username to 16 characters
Signed-off-by: Jim Mankovich <jm...@hp.com>
---
lib/ipmi_user.c | 24 ++++++++++++++++--------
1 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/lib/ipmi_user.c b/lib/ipmi_user.c
index 81fe735..9a75a87 100644
--- a/lib/ipmi_user.c
+++ b/lib/ipmi_user.c
@@ -312,17 +312,23 @@ ipmi_user_set_username(
struct ipmi_rq req;
uint8_t msg_data[17];
+ /*
+ * Ensure there is space for the name in the request message buffer
+ */
+ if (strlen(name) >= sizeof(msg_data)) {
+ return -1;
+ }
+
memset(&req, 0, sizeof(req));
req.msg.netfn = IPMI_NETFN_APP; /* 0x06 */
req.msg.cmd = IPMI_SET_USER_NAME; /* 0x45 */
req.msg.data = msg_data;
- req.msg.data_len = 17;
-
+ req.msg.data_len = sizeof(msg_data);
+ memset(msg_data, 0, sizeof(msg_data));
/* The channel number will remain constant throughout this function */
msg_data[0] = user_id;
- memset(msg_data + 1, 0, 16);
- strcpy((char *)(msg_data + 1), name);
+ strncpy((char *)(msg_data + 1), name, strlen(name));
rsp = intf->sendrecv(intf, &req);
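Review bot: The copy at `strncpy((char *)(msg_data + 1), name, strlen(name))` is bounded by the source length, not by the destination, so it is safe only because of the guard at the top of the hunk. That guard works only because `sizeof(msg_data)` happens to be the 16-byte name field plus the one-byte user id. Computing the length once and stating the bound in terms of the field makes the relationship explicit: `size_t name_len = strlen(name);`, `if (name_len > sizeof(msg_data) - 1) return -1;`, `memcpy(msg_data + 1, name, name_len);`. A short comment should also say that a 16-character name fills the field with no NUL terminator and that shorter names are zero-padded by the preceding `memset`. The function also returns -1 here without logging, and its body starts and ends outside the hunk, so a NULL check on `name` cannot be confirmed from here.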
@@ -399,13 +405,10 @@ ipmi_user_set_password(
{
struct ipmi_rs * rsp;
struct ipmi_rq req;
- uint8_t * msg_data;
+ uint8_t msg_data[22];
int password_length = (is_twenty_byte_password? 20 : 16);
- msg_data = (uint8_t*)malloc(password_length + 2);
-
-
memset(&req, 0, sizeof(req));
req.msg.netfn = IPMI_NETFN_APP; /* 0x06 */
req.msg.cmd = IPMI_SET_USER_PASSWORD; /* 0x47 */
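Review bot: `uint8_t msg_data[22]` hard-codes the size that the removed `malloc(password_length + 2)` derived from the password length. Writing it as `uint8_t msg_data[2 + 20];` with a comment naming the two header bytes and the 20-byte maximum password would keep the link to `password_length` visible. The array is now larger than the request when a 16-byte password is used, so `req.msg.data_len` must stay `password_length + 2` and must not become `sizeof(msg_data)` as in ipmi_user_set_username; that assignment is outside this hunk and should be checked. The buffer holds the password on the stack, so it is worth clearing it before every return with a call the compiler cannot elide. The rest of the function body is not visible here.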
@@ -732,6 +735,11 @@ ipmi_user_main(struct ipmi_intf * intf, int argc, char ** argv)
lprintf(LOG_ERR, "Invalid user ID: %s", argv[2]);
return (-1);
}
+ if (strlen(argv[3]) > 16)
+ {
+ lprintf(LOG_ERR, "Username is too long (> 16 bytes)");
+ return -1;
+ }
retval = ipmi_user_set_username(intf, user_id, argv[3]);
}
else
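Review bot: The limit in `if (strlen(argv[3]) > 16)` is a second hard-coded copy of the name-field size, which ipmi_user_set_username derives from `sizeof(msg_data)`. If one changes, the two checks drift apart. A single named constant used in both places, and in the log text, would keep them consistent; the identifier is the project's choice. The brace is on its own line here while the check added in ipmi_user_set_username uses same-line braces, so matching the surrounding file would be tidier. The `argc` check that must precede the `argv[3]` access is not visible in this hunk and should be confirmed.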
--
1.7.5.4