author | Emily Shaffer <emilyshaffer@google.com> | 2018-09-27 09:30:41 -0700 |
---|---|---|
committer | Emily Shaffer <emilyshaffer@google.com> | 2018-09-28 13:22:19 -0700 |
commit | 0fbdbce22771dac6fe8d651e4c8155645807b83d (patch) | |
tree | 97e704f7b003a1bea91ebbfd244464686f5ed5b0 /sensorhandler.cpp | |
parent | fdfe501ea71c4acb9464b2076279d794e622d929 (diff) | |
download | phosphor-host-ipmid-0fbdbce22771dac6fe8d651e4c8155645807b83d.tar.gz phosphor-host-ipmid-0fbdbce22771dac6fe8d651e4c8155645807b83d.zip |
sensorhandler: fix buffer overrun in ipmi_fru_get_sdr
Change-Id: Ic12598027a92495e49f7cb06aa28f77c0727be44
Signed-off-by: Emily Shaffer <emilyshaffer@google.com>
Diffstat (limited to 'sensorhandler.cpp')
-rw-r--r-- | sensorhandler.cpp | 17 |
1 files changed, 6 insertions, 11 deletions
diff --git a/sensorhandler.cpp b/sensorhandler.cpp
index 9792299..1a44ddb 100644
--- a/sensorhandler.cpp
+++ b/sensorhandler.cpp
@@ -757,23 +757,18 @@ ipmi_ret_t ipmi_fru_get_sdr(ipmi_request_t request, ipmi_response_t response,
 (FRU_RECORD_ID_START + fru->first), resp);
 }
- if (req->bytes_to_read > (sizeof(*resp) - req->offset))
+ // Check for invalid offset size
+ if (req->offset > sizeof(record))
 {
- dataLength = (sizeof(*resp) - req->offset);
- }
- else
- {
- dataLength = req->bytes_to_read;
+ return IPMI_CC_PARM_OUT_OF_RANGE;
 }
- if (dataLength <= 0)
- {
- return IPMI_CC_REQ_DATA_LEN_INVALID;
- }
+ dataLength = std::min(static_cast<size_t>(req->bytes_to_read),
+ sizeof(record) - req->offset);
 std::memcpy(resp->record_data,
 reinterpret_cast<uint8_t*>(&record) + req->offset,
- (dataLength));
+ dataLength);
 *data_len = dataLength;
 *data_len += 2; // additional 2 bytes for next record ID |
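Review bot: The length passed to `std::memcpy` is now clamped to `sizeof(record)`, which bounds the read from `record`, but nothing in this hunk ties it to the size of the destination `resp->record_data`; the removed code at least compared against `sizeof(*resp)`. The declaration of `record_data` is outside the hunk, so if it is an array smaller than the record type, a large `bytes_to_read` would still write past it. I would pin the relationship next to the `std::min` call with `static_assert(sizeof(record) <= sizeof(resp->record_data), "SDR record must fit in response buffer");`. Separately, `req->offset == sizeof(record)` passes the new `>` check and produces a zero-length copy, and the old `IPMI_CC_REQ_DATA_LEN_INVALID` return for a zero length is gone; if an empty read should still be rejected, use `>=` in the check. The body of `ipmi_fru_get_sdr` starts and ends outside the hunk, so the type of `dataLength` and any validation of the incoming request length could not be checked here.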