Here is a patch for fixing the ipmidirect plug-in segmentation fault
when it receives a message with 0 length data bytes. A new check is
added to ReadResponse() to check if data[13] is zero. Without this
check, later on in this routine, it tries to make an invalid reference
and seg faults.

Here is the svn diff output:

--- ipmi_con_lan.cpp    (revision 6918)
+++ ipmi_con_lan.cpp    (working copy)
@@ -931,6 +931,13 @@
            stdlog << "Dropped message because too small(2)\n";
            return eResponseTypeError;
          }
+       // no data bytes
+       if ( data[13] <= 0 ) 
+         {
+           // Not enough data was supplied, reject the message.
+           stdlog << "Dropped message because data len is <=0 \n";
+           return eResponseTypeError;
+          }
 
        data_len = data[13];
      }
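Review bot: the new check at `if ( data[13] <= 0 )` should be `== 0` if `data` is an unsigned byte buffer (the usual case for a raw IPMI LAN packet); with an unsigned element `<= 0` can only ever be true for zero, so the `<=` reads as if negative lengths were possible and the log text "data len is <=0" repeats that confusion. If `data` is a signed `char` array, `data_len = data[13]` would already be wrong for lengths of 128 and above, so the assignment should be masked or the buffer declared unsigned rather than relying on the comparison. Two style nits in the same hunk: the closing brace of the new block is indented one column deeper than its opening brace, and the log string carries a stray space before `\n`.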

Please review and give me comments.

-- Shuah



_______________________________________________
Openhpi-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openhpi-devel
