add size checking for input payload data

Verify the input data size before accessing it, to prevent out-of-bounds access.

Tested:
ipmitool with lanplus works same as without the change.
ipmitool  -I lanplus -U xx -P xx -H ip -C 17 sol info
ipmitool  -I lanplus -U xx -P xx -H ip -C 17 sensor list
ipmitool  -I lanplus -U xx -P xx -H ip -C 17 sdr list
ipmitool  -I lanplus -U xx -P xx -H ip -C 17 user list 1

Signed-off-by: Zhikui Ren <zhikui.ren@intel.com>
Change-Id: I5025aa2666c8873b7c63f8323a932c0480b59304
diff --git a/command/session_cmds.cpp b/command/session_cmds.cpp
index a08e8f2..945d8d9 100644
--- a/command/session_cmds.cpp
+++ b/command/session_cmds.cpp
@@ -17,10 +17,15 @@
     setSessionPrivilegeLevel(const std::vector<uint8_t>& inPayload,
                              const message::Handler& handler)
 {
-
-    std::vector<uint8_t> outPayload(sizeof(SetSessionPrivLevelResp));
     auto request =
         reinterpret_cast<const SetSessionPrivLevelReq*>(inPayload.data());
+    if (inPayload.size() != sizeof(*request))
+    {
+        std::vector<uint8_t> errorPayload{IPMI_CC_REQ_DATA_LEN_INVALID};
+        return errorPayload;
+    }
+
+    std::vector<uint8_t> outPayload(sizeof(SetSessionPrivLevelResp));
     auto response =
         reinterpret_cast<SetSessionPrivLevelResp*>(outPayload.data());
     response->completionCode = IPMI_CC_OK;
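Review bot: In setSessionPrivilegeLevel the `reinterpret_cast` to `SetSessionPrivLevelReq` is still formed before the new length check, and the check is spelled `sizeof(*request)`, so a reader has to confirm that nothing dereferences `request` ahead of the guard. Nothing in the visible lines does, so this is a style point: put `if (inPayload.size() != sizeof(SetSessionPrivLevelReq))` first and create `request` only after it passes. The same two-line error return is repeated in closeSession in the next hunk; a small file-local helper would keep the handlers consistent. The function's signature begins before this hunk and its body continues after it.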
@@ -207,14 +212,29 @@
 std::vector<uint8_t> closeSession(const std::vector<uint8_t>& inPayload,
                                   const message::Handler& handler)
 {
-    std::vector<uint8_t> outPayload(sizeof(CloseSessionResponse));
+    // minimum inPayload size is reqSessionId (uint32_t)
+    // maximum inPayload size is struct CloseSessionRequest
+    if (inPayload.size() != sizeof(uint32_t) &&
+        inPayload.size() != sizeof(CloseSessionRequest))
+    {
+        std::vector<uint8_t> errorPayload{IPMI_CC_REQ_DATA_LEN_INVALID};
+        return errorPayload;
+    }
+
     auto request =
         reinterpret_cast<const CloseSessionRequest*>(inPayload.data());
+
+    std::vector<uint8_t> outPayload(sizeof(CloseSessionResponse));
     auto response = reinterpret_cast<CloseSessionResponse*>(outPayload.data());
     uint32_t reqSessionId = request->sessionID;
     uint8_t ipmiNetworkInstance = 0;
     uint8_t currentSessionPriv = 0;
-    uint8_t reqSessionHandle = request->sessionHandle;
+    uint8_t reqSessionHandle = session::invalidSessionHandle;
+
+    if (inPayload.size() == sizeof(CloseSessionRequest))
+    {
+        reqSessionHandle = request->sessionHandle;
+    }
 
     if (reqSessionId == session::sessionZero &&
         reqSessionHandle == session::invalidSessionHandle)
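Review bot: On the 4-byte form that the new check accepts, `request->sessionID` is still read through a `CloseSessionRequest*` that describes more bytes than `inPayload` holds. The read stays inside the buffer only if `sessionID` is the first member and the struct is packed, and neither is visible in this hunk. Copying the field out avoids depending on that: `std::memcpy(&reqSessionId, inPayload.data(), sizeof(reqSessionId));` (this needs `<cstring>` if the file does not already include it). The minimum/maximum comment also reads as a range while the check accepts exactly two lengths, and the longer one equals session ID plus handle only when the struct has no padding. Assuming that is the intended layout, `static_assert(sizeof(CloseSessionRequest) == sizeof(uint32_t) + sizeof(uint8_t));` would pin it. closeSession's body continues past the end of the hunk.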