add size checking for input payload data
Verify the input data size before accessing it, to prevent out-of-bounds access.
Tested:
ipmitool with lanplus works same as without the change.
ipmitool -I lanplus -U xx -P xx -H ip -C 17 sol info
ipmitool -I lanplus -U xx -P xx -H ip -C 17 sensor list
ipmitool -I lanplus -U xx -P xx -H ip -C 17 sdr list
ipmitool -I lanplus -U xx -P xx -H ip -C 17 user list 1
Signed-off-by: Zhikui Ren <zhikui.ren@intel.com>
Change-Id: I5025aa2666c8873b7c63f8323a932c0480b59304
diff --git a/message_parsers.cpp b/message_parsers.cpp
index 95fcfaf..6703fc3 100644
--- a/message_parsers.cpp
+++ b/message_parsers.cpp
@@ -82,7 +82,6 @@
std::shared_ptr<Message> unflatten(std::vector<uint8_t>& inPacket)
{
- // Check if the packet has atleast the Session Header
if (inPacket.size() < sizeof(SessionHeader_t))
{
throw std::runtime_error("IPMI1.5 Session Header Missing");
@@ -100,6 +99,13 @@
auto payloadLen = header->payloadLength;
+ // Confirm the number of data bytes received correlates to
+ // the packet length in the header
+ if (inPacket.size() < (sizeof(SessionHeader_t) + payloadLen))
+ {
+ throw std::runtime_error("Invalid data length");
+ }
+
(message->payload)
.assign(inPacket.data() + sizeof(SessionHeader_t),
inPacket.data() + sizeof(SessionHeader_t) + payloadLen);
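Review bot: The new guard before the `assign` enforces only a lower bound, so a packet longer than `sizeof(SessionHeader_t) + payloadLen` still passes and the extra bytes are silently ignored, while the comment says the sizes "correlate". If trailing bytes are intentionally tolerated (not visible here), the comment should say so, e.g. `// Reject packets shorter than the header plus the declared payload; trailing bytes are ignored`. The exception text `"Invalid data length"` also drops the protocol prefix used by the header check in the first hunk, which makes rejected packets harder to attribute in logs. Something like `"IPMI1.5 payload length exceeds packet size"` would match, assuming this is the same IPMI 1.5 `unflatten`. The function starts and ends outside this hunk.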
@@ -275,6 +281,12 @@
auto sessTrailerPos = sizeof(SessionHeader_t) + payloadLen + paddingLen;
+ // verify packet size includes trailer struct starts at sessTrailerPos
+ if (packet.size() < (sessTrailerPos + sizeof(SessionTrailer_t)))
+ {
+ return false;
+ }
+
auto trailer = reinterpret_cast<const SessionTrailer_t*>(packet.data() +
sessTrailerPos);
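Review bot: The comment on the new trailer check is hard to parse; `// Verify the packet is large enough to hold the SessionTrailer_t that starts at sessTrailerPos` states what the condition tests. The guard covers only the trailer struct, so anything read beyond the trailer (presumably the integrity data, later in this function, which continues outside the hunk) needs its own length check against `packet.size()`; that code is not visible here. Returning `false` here also drops a truncated packet without any trace, whereas the `unflatten` check in the previous hunk throws with a message. A debug-level log entry at this return would help when investigating malformed traffic.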