author | Emily Shaffer <emilyshaffer@google.com> | 2018-09-27 11:04:36 -0700 |
---|---|---|
committer | Emily Shaffer <emilyshaffer@google.com> | 2018-10-01 13:17:49 -0700 |
commit | 6c9ee5196abdcf361e20fcec276b0c188f9ba803 (patch) | |
tree | 22738ac3186e1eaaf96d54044c61ce04948e5cdc /sensorhandler.cpp | |
parent | 0fbdbce22771dac6fe8d651e4c8155645807b83d (diff) | |
download | phosphor-host-ipmid-6c9ee5196abdcf361e20fcec276b0c188f9ba803.tar.gz phosphor-host-ipmid-6c9ee5196abdcf361e20fcec276b0c188f9ba803.zip |
sensorhandler: fix buffer overflow in Get SDR
Change-Id: Id49f6294a506a870696554715b4835c7d7e6207b
Signed-off-by: Emily Shaffer <emilyshaffer@google.com>
Diffstat (limited to 'sensorhandler.cpp')
-rw-r--r-- | sensorhandler.cpp | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/sensorhandler.cpp b/sensorhandler.cpp
index 1a44ddb..e676c3e 100644
--- a/sensorhandler.cpp
+++ b/sensorhandler.cpp
@@ -848,9 +848,23 @@ ipmi_ret_t ipmi_sen_get_sdr(ipmi_netfn_t netfn, ipmi_cmd_t cmd,
 get_sdr::response::set_next_record_id(sensor->first, resp);
 }
- *data_len = sizeof(get_sdr::GetSdrResp) - req->offset;
- std::memcpy(resp->record_data, (char*)&record + req->offset,
- sizeof(get_sdr::SensorDataFullRecord) - req->offset);
+ if (req->offset > sizeof(record))
+ {
+ return IPMI_CC_PARM_OUT_OF_RANGE;
+ }
+
+ // data_len will ultimately be the size of the record, plus
+ // the size of the next record ID:
+ *data_len = std::min(static_cast<size_t>(req->bytes_to_read),
+ sizeof(record) - req->offset);
+
+ std::memcpy(resp->record_data,
+ reinterpret_cast<uint8_t*>(&record) + req->offset,
+ *data_len);
+
+ // data_len should include the LSB and MSB:
+ *data_len += sizeof(resp->next_record_id_lsb) +
+ sizeof(resp->next_record_id_msb);
 }
 return ret; |
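Review bot: The `std::memcpy` into `resp->record_data` is bounded only by the source size (`sizeof(record) - req->offset`) and `req->bytes_to_read`; nothing in the hunk ties the length to the capacity of `record_data`, whose declaration is not visible here. If the record is meant to fit in that array, pin it at compile time next to the copy, e.g. `static_assert(sizeof(record) <= sizeof(resp->record_data), "SDR record must fit in GetSdrResp::record_data");`, so a later change to either struct cannot reintroduce the overflow. The new early return also leaves `*data_len` at its entry value; if the dispatcher does not reset the length on a non-zero completion code (not shown in this hunk), add `*data_len = 0;` before `return IPMI_CC_PARM_OUT_OF_RANGE;`. The body of `ipmi_sen_get_sdr` starts and ends outside the hunk.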