From efcd68b23d7dafb4038aa76e4c0914b9a54d0103 Mon Sep 17 00:00:00 2001
From: Tom Joseph
Date: Thu, 26 Apr 2018 18:46:27 +0530
Subject: Check the offset length in the Read FRU command

The offset length is validated against the size of the FRU area, before proceeding with populating the response of the Read FRU command.

Resolves openbmc/openbmc#3132

Change-Id: I2bc660b7e389f5c85bac0acc8068dd53ab328a65
Signed-off-by: Tom Joseph
---
 storagehandler.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/storagehandler.cpp b/storagehandler.cpp
index 6f97bef..3f1ebe2 100644
--- a/storagehandler.cpp
+++ b/storagehandler.cpp
@@ -652,6 +652,11 @@ ipmi_ret_t ipmi_storage_read_fru_data(
 const auto& fruArea = getFruAreaData(reqptr->fruID);
 auto size = fruArea.size();
 
+ if (offset >= size)
+ {
+ return IPMI_CC_PARM_OUT_OF_RANGE;
+ }
+
 // Write the count of response data.
 if ((offset + reqptr->count) <= size)
 {
--
cgit v1.2.1
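Review bot: The new `offset >= size` guard carries no comment saying what it protects, and the reason cannot be read off the check itself. The count calculation that follows continues outside the hunk; if its fallback branch derives the length from `size - offset` on an unsigned type, an offset past the end would wrap to a very large value and the response copy would read beyond the FRU buffer, so I would put `// Offset must fall inside the FRU area; the length math below assumes offset < size.` above the `if`. The declarations of `offset` and `reqptr->count` are also outside the hunk, so it is worth confirming that `offset + reqptr->count` is evaluated in a type wide enough not to wrap before it is compared with `size`. A unit test at `offset == size` and `offset == size - 1` would pin the boundary this commit introduces.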