[Ipmitool-devel] [PATCH] Fix buffer overflow when receiving tsol packet

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

recv() in processing of tsol data packets provides buffer 'buff' of size
IPMI_BUF_SIZE+4, but claims it's size is 'sizeof(out_buff)+4', which is
IPMI_BUF_SIZE*8+4 -> potential buffer overflow.

Signed-off-by: Jan Safranek <jsa...@re...>
---

 lib/ipmi_tsol.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/lib/ipmi_tsol.c b/lib/ipmi_tsol.c
index cca2436..8a75762 100644
--- a/lib/ipmi_tsol.c
+++ b/lib/ipmi_tsol.c
@@ -385,7 +385,7 @@ ipmi_tsol_main(struct ipmi_intf * intf, int argc, char ** argv)
 	socklen_t mylen;
 	char *recvip = NULL;
 	char out_buff[IPMI_BUF_SIZE * 8], in_buff[IPMI_BUF_SIZE];
-	char buff[IPMI_BUF_SIZE + 4];
+	char buff[IPMI_BUF_SIZE * 8 + 4];
 	int fd_socket, result, i;
 	int out_buff_fill, in_buff_fill;
 	int ip1, ip2, ip3, ip4;



