We check if the response is the right size, but if it's not we jump to return_unspecified, which creates a response of size 3. We need size 4 to prevent OOB in handle_ipmb_direct_rcv_rsp(). Was this supposed to override the message type, too?
Fixes: 059747c245f0 ("ipmi: Add support for IPMB direct messages") Signed-off-by: Jakub Kicinski <k...@kernel.org> --- Dunno if this is the right fix, but the bug is pretty clearly there. --- drivers/char/ipmi/ipmi_msghandler.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c index f0b18c25cbb1..0011b04f43c9 100644 --- a/drivers/char/ipmi/ipmi_msghandler.c +++ b/drivers/char/ipmi/ipmi_msghandler.c @@ -4453,6 +4453,7 @@ static int handle_one_recv_msg(struct ipmi_smi *intf, msg->rsp[0] = msg->data[0] | (1 << 2); msg->rsp[1] = msg->data[1]; msg->rsp[2] = IPMI_ERR_UNSPECIFIED; + msg->type = IPMI_SMI_MSG_TYPE_NORMAL; msg->rsp_size = 3; } else if (msg->type == IPMI_SMI_MSG_TYPE_IPMB_DIRECT) { /* commands must have at least 3 bytes, responses 4. */ -- 2.31.1 _______________________________________________ Openipmi-developer mailing list Openipmi-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openipmi-developer
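Review bot: the added `msg->type = IPMI_SMI_MSG_TYPE_NORMAL;` closes the out-of-bounds read by retagging the message rather than by meeting the 4-byte minimum that the adjacent comment ("commands must have at least 3 bytes, responses 4.") states for IPMB-direct responses, so a requester that sent an IPMB-direct command now receives a 3-byte error reply in the normal-message layout (`rsp[0] = data[0] | (1 << 2)`, `rsp[1] = data[1]`, `rsp[2] = IPMI_ERR_UNSPECIFIED`). Either build a 4-byte IPMB-direct error response in the return_unspecified path when the type is IPMI_SMI_MSG_TYPE_IPMB_DIRECT, or state in the commit message why switching the type is the intended behaviour; the message currently leaves that open ("Was this supposed to override the message type, too?"), and the trailer ("Dunno if this is the right fix") should not ship in the merged description. For a message whose type is already IPMI_SMI_MSG_TYPE_NORMAL when it reaches this block, the assignment is a no-op, so that path is unaffected.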