| Klaus Heinrich Kiwi | d1cd8c5 | 2020-02-27 12:43:47 -0300 | [diff] [blame] | 1 | From 40fd13ec2c7518dc7afa67dae2cf5c460b92997c Mon Sep 17 00:00:00 2001 |
| 2 | From: Maxim Polyakov <m.polyakov@yadro.com> |
| 3 | Date: Mon, 8 Jul 2019 12:12:59 +0300 |
| 4 | Subject: [PATCH 02/18] discover/platform-powerpc: limit mailbox response size |
| 5 | |
| 6 | The maximum size of the mailbox with Boot Initiator info is defined in |
| 7 | the specification (1). The code should not extract data from the IPMI |
| 8 | response message if its size exceeds the maximum limit from the |
| 9 | specification. |
| 10 | |
| 11 | [1] page 398, IPMI Specification v2.0, Revision 1.1, October 1, 2013 |
| 12 | |
| 13 | Signed-off-by: Maxim Polyakov <m.polyakov@yadro.com> |
| 14 | (cherry picked from commit 1088a8ab532bfe008a714613497909d19bcfb8c4) |
| 15 | Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> |
| 16 | --- |
| 17 | discover/platform-powerpc.c | 31 +++++++++++++++++-------------- |
| 18 | 1 file changed, 17 insertions(+), 14 deletions(-) |
| 19 | |
| 20 | diff --git a/discover/platform-powerpc.c b/discover/platform-powerpc.c |
| 21 | index 6651e3f..1e33bf1 100644 |
| 22 | --- a/discover/platform-powerpc.c |
| 23 | +++ b/discover/platform-powerpc.c |
| 24 | @@ -461,24 +461,27 @@ static int get_ipmi_boot_mailbox_block(struct platform_powerpc *platform, |
| 25 | return -1; |
| 26 | } |
| 27 | |
| 28 | - if (resp_len < sizeof(resp)) { |
| 29 | - if (resp_len < 4) { |
| 30 | - pb_log("platform: unexpected length (%d) in " |
| 31 | - "boot options mailbox response\n", |
| 32 | - resp_len); |
| 33 | - return -1; |
| 34 | - } |
| 35 | + if (resp_len > sizeof(resp)) { |
| 36 | + pb_debug("platform: invalid mailbox response size!\n"); |
| 37 | + return -1; |
| 38 | + } |
| 39 | |
| 40 | - if (resp_len == 4) { |
| 41 | - pb_debug_fn("block %hu empty\n", block); |
| 42 | - return 0; |
| 43 | - } |
| 44 | + if (resp_len < 4) { |
| 45 | + pb_log("platform: unexpected length (%d) in " |
| 46 | + "boot options mailbox response\n", |
| 47 | + resp_len); |
| 48 | + return -1; |
| 49 | + } |
| 50 | |
| 51 | - blocksize = sizeof(resp) - 4; |
| 52 | - pb_debug_fn("Mailbox block %hu returns only %zu bytes in block\n", |
| 53 | - block, blocksize); |
| 54 | + if (resp_len == 4) { |
| 55 | + pb_debug_fn("block %hu empty\n", block); |
| 56 | + return 0; |
| 57 | } |
| 58 | |
| 59 | + blocksize = sizeof(resp) - 4; |
| 60 | + pb_debug_fn("Mailbox block %hu returns only %zu bytes in block\n", |
| 61 | + block, blocksize); |
| 62 | + |
| 63 | debug_buf = format_buffer(platform, resp, resp_len); |
| 64 | pb_debug_fn("IPMI bootdev mailbox block %hu:\n%s\n", block, debug_buf); |
| 65 | talloc_free(debug_buf); |
| 66 | -- |
| 67 | 2.17.1 |
| 68 | |