Hello,

attached is a patch for a buffer overflow in TSOL. Is anyone up for a code review?

Regards,
Z.

--
Zdenek Styblik
email: zdenek.styb...@gmail.com
jabber: zdenek.styb...@gmail.com
diff --git a/lib/ipmi_tsol.c b/lib/ipmi_tsol.c
index c900ffd..9c85fe3 100644
--- a/lib/ipmi_tsol.c
+++ b/lib/ipmi_tsol.c
@@ -372,7 +372,8 @@ ipmi_tsol_main(struct ipmi_intf *intf, int argc, char **argv)
 	struct sockaddr_in sin, myaddr, *sa_in;
 	socklen_t mylen;
 	char *recvip = NULL;
-	char out_buff[IPMI_BUF_SIZE * 8], in_buff[IPMI_BUF_SIZE];
+	char in_buff[IPMI_BUF_SIZE];
+	char out_buff[IPMI_BUF_SIZE * 8];
 	char buff[IPMI_BUF_SIZE + 4];
 	int fd_socket, result, i;
 	int out_buff_fill, in_buff_fill;
@@ -524,7 +525,6 @@ ipmi_tsol_main(struct ipmi_intf *intf, int argc, char **argv)
 	out_buff_fill = 0;
 	in_buff_fill = 0;
 	fds = fds_wait;
-
 	for (;;) {
 		result = poll(fds, 3, 15 * 1000);
 		if (result < 0) {
@@ -536,9 +536,16 @@ ipmi_tsol_main(struct ipmi_intf *intf, int argc, char **argv)
 
 		if ((fds[0].revents & POLLIN) && (sizeof(out_buff) > out_buff_fill)) {
 			socklen_t sin_len = sizeof(sin);
+			int buff_size = sizeof(buff);
+			if ((sizeof(out_buff) - out_buff_fill + 4) < buff_size) {
+				buff_size = (sizeof(out_buff) - out_buff_fill) + 4;
+				if ((buff_size - 4) <= 0) {
+					buff_size = 0;
+				}
+			}
 			/* Note - buffer over-flow here */
 			result = recvfrom(fd_socket, buff,
-					sizeof(out_buff) - out_buff_fill + 4, 0,
+					buff_size, 0,
 					(struct sockaddr *)&sin, &sin_len);
 			/* read the data from udp socket,
 			 * skip some bytes in the head
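Review bot: The inner check `if ((buff_size - 4) <= 0)` can never fire, because the enclosing `sizeof(out_buff) > out_buff_fill` condition already guarantees at least one free byte, so `buff_size` is at least 5 at that point. The clamp can be reduced to `size_t room = sizeof(out_buff) - out_buff_fill + 4;` followed by `size_t buff_size = room < sizeof(buff) ? room : sizeof(buff);`, which also avoids comparing a `size_t` expression against an `int`. The retained context comment `/* Note - buffer over-flow here */` becomes stale once the length is bounded by `sizeof(buff)`; I would replace it with `/* length clamped to sizeof(buff) and to the room left in out_buff plus the 4 skipped head bytes */`. The copy from `buff` into `out_buff` lies outside this hunk, so whether `result` is checked to be at least 4 before that copy cannot be confirmed from here and is worth verifying alongside this fix.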