add size checking for input payload data
verify input data size before accessing to prevent out of bound access.
Tested:
ipmitool with lanplus works same as without the change.
ipmitool -I lanplus -U xx -P xx -H ip -C 17 sol info
ipmitool -I lanplus -U xx -P xx -H ip -C 17 sensor list
ipmitool -I lanplus -U xx -P xx -H ip -C 17 sdr list
ipmitool -I lanplus -U xx -P xx -H ip -C 17 user list 1
Signed-off-by: Zhikui Ren <zhikui.ren@intel.com>
Change-Id: I5025aa2666c8873b7c63f8323a932c0480b59304
diff --git a/command/payload_cmds.cpp b/command/payload_cmds.cpp
index c5d64fb..c8e682e 100644
--- a/command/payload_cmds.cpp
+++ b/command/payload_cmds.cpp
@@ -20,19 +20,18 @@
std::vector<uint8_t> activatePayload(const std::vector<uint8_t>& inPayload,
const message::Handler& handler)
{
- std::vector<uint8_t> outPayload(sizeof(ActivatePayloadResponse));
auto request =
reinterpret_cast<const ActivatePayloadRequest*>(inPayload.data());
+ if (inPayload.size() != sizeof(*request))
+ {
+ std::vector<uint8_t> errorPayload{IPMI_CC_REQ_DATA_LEN_INVALID};
+ return errorPayload;
+ }
+
+ std::vector<uint8_t> outPayload(sizeof(ActivatePayloadResponse));
auto response =
reinterpret_cast<ActivatePayloadResponse*>(outPayload.data());
- if (inPayload.size() != sizeof(ActivatePayloadRequest))
- {
- response->completionCode = ipmi::ccReqDataLenInvalid;
- outPayload.resize(sizeof(response->completionCode));
- return outPayload;
- }
-
response->completionCode = IPMI_CC_OK;
// SOL is the payload currently supported for activation.
@@ -113,20 +112,19 @@
std::vector<uint8_t> deactivatePayload(const std::vector<uint8_t>& inPayload,
const message::Handler& handler)
{
- std::vector<uint8_t> outPayload(sizeof(DeactivatePayloadResponse));
auto request =
reinterpret_cast<const DeactivatePayloadRequest*>(inPayload.data());
+ if (inPayload.size() != sizeof(*request))
+ {
+ std::vector<uint8_t> errorPayload{IPMI_CC_REQ_DATA_LEN_INVALID};
+ return errorPayload;
+ }
+
+ std::vector<uint8_t> outPayload(sizeof(DeactivatePayloadResponse));
auto response =
reinterpret_cast<DeactivatePayloadResponse*>(outPayload.data());
-
response->completionCode = IPMI_CC_OK;
- if (inPayload.size() != sizeof(DeactivatePayloadRequest))
- {
- response->completionCode = IPMI_CC_REQ_DATA_LEN_INVALID;
- return outPayload;
- }
-
// SOL is the payload currently supported for deactivation
if (static_cast<uint8_t>(message::PayloadType::SOL) != request->payloadType)
{
@@ -187,9 +185,15 @@
std::vector<uint8_t> getPayloadStatus(const std::vector<uint8_t>& inPayload,
const message::Handler& handler)
{
- std::vector<uint8_t> outPayload(sizeof(GetPayloadStatusResponse));
auto request =
reinterpret_cast<const GetPayloadStatusRequest*>(inPayload.data());
+ if (inPayload.size() != sizeof(*request))
+ {
+ std::vector<uint8_t> errorPayload{IPMI_CC_REQ_DATA_LEN_INVALID};
+ return errorPayload;
+ }
+
+ std::vector<uint8_t> outPayload(sizeof(GetPayloadStatusResponse));
auto response =
reinterpret_cast<GetPayloadStatusResponse*>(outPayload.data());
@@ -215,17 +219,19 @@
std::vector<uint8_t> getPayloadInfo(const std::vector<uint8_t>& inPayload,
const message::Handler& handler)
{
- std::vector<uint8_t> outPayload(sizeof(GetPayloadInfoResponse));
auto request =
reinterpret_cast<const GetPayloadInfoRequest*>(inPayload.data());
+
+ if (inPayload.size() != sizeof(*request))
+ {
+ std::vector<uint8_t> errorPayload{IPMI_CC_REQ_DATA_LEN_INVALID};
+ return errorPayload;
+ }
+
+ std::vector<uint8_t> outPayload(sizeof(GetPayloadInfoResponse));
auto response =
reinterpret_cast<GetPayloadInfoResponse*>(outPayload.data());
- if (inPayload.size() != sizeof(GetPayloadInfoRequest))
- {
- response->completionCode = IPMI_CC_REQ_DATA_LEN_INVALID;
- return outPayload;
- }
// SOL is the payload currently supported for payload status & only one
// instance of SOL is supported.
if (static_cast<uint8_t>(message::PayloadType::SOL) !=