Wednesday, March 22, 2017

welcome bacl to war! so trying to male a cook here, as sending the raw packet looking as nice as this "there are multiple places this code could segfault, before data_len is validated and/or if it never gets checked as the data_len < 15 is a conditional check."

Bugs item #2414621, was opened at 2008-12-10 12:29
Message generated for change (Comment added) made by sutula
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=532251&aid=2414621&group_id=71730

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: IPMI Direct plugin
>Group: 2.13.2
Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Shuah Khan (shuah)
Assigned to: Shuah Khan (shuah)
Summary: ipmidirect seg faults when a short pkt is received

Initial Comment:
ipmidirect plug-in segmentation faults when it receives a message with its data lenght field set to 0. ReadResponse() doesn't check if data[13] is zero and later on in this routine, it tries to make an invalid reference and seg faults.

An insufficient data packet could be due to a bug in the carrier mgmt fw that sends a message with data[13] set to 0. (this is how the bug was found)

In ReadResponse() line # 928, data[13] gets extracted and there is a check that is done using the len returned by recvfrom() and comparing (len <  data[13] + 14). If len is less than that, it returns error.
However if data[13] is 0, there will be trouble later on and this logic doesn't catch it. This is no auth message case and there is similar problem with the auth message logic that starts at line # 952 which
takes the data[29] value and then does compares with len < data[29] + 30. Again it doesn't really validate if data[29] is > 0.

So far it is ok, but we are setup for trouble later when tmsg is assigned to data + 30 on line #994 if data[4] != 0 which indicates the msg contains the auth data and to data+14 on line # 997 in no auth case. We are still good, however starting on line # 1033 we start accessing offsets into tmsg and also on line 1051  msg.m_data_len gets set to a negative value if data_len is 0. data_len is not checked until the else
case for bad IPMB msg if conditional that starts at line # 1071. This else case checks if data_len < 15.

I haven't isolated the seg fault to specific line, but looking at the logic after data_len and tmsg are assigned, there are multiple places this code could segfault, before data_len is validated and/or if it never gets checked as the data_len < 15 is a conditional check.

The patch adds checks to no auth and auth case to validate data[13] and data[29] specify a value > 0.
https://sourceforge.net/p/openhpi/mailman/message/21284744/~
AND

Let Intel Pin follow child processes

No comments: