From: Jan S. <jsa...@re...> - 2010-01-21 14:46:05
recv() in processing of tsol data packets provides buffer 'buff' of size IPMI_BUF_SIZE+4, but claims its size is 'sizeof(out_buff)+4', which is IPMI_BUF_SIZE*8+4 -> potential buffer overflow. Signed-off-by: Jan Safranek <jsa...@re...> --- lib/ipmi_tsol.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/lib/ipmi_tsol.c b/lib/ipmi_tsol.c index cca2436..8a75762 100644 --- a/lib/ipmi_tsol.c +++ b/lib/ipmi_tsol.c @@ -385,7 +385,7 @@ ipmi_tsol_main(struct ipmi_intf * intf, int argc, char ** argv) socklen_t mylen; char *recvip = NULL; char out_buff[IPMI_BUF_SIZE * 8], in_buff[IPMI_BUF_SIZE]; - char buff[IPMI_BUF_SIZE + 4]; + char buff[IPMI_BUF_SIZE * 8 + 4]; int fd_socket, result, i; int out_buff_fill, in_buff_fill; int ip1, ip2, ip3, ip4;
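Review bot: The new declaration `char buff[IPMI_BUF_SIZE * 8 + 4];` repeats the size expression of `out_buff` by hand, so the buffer and the length given to recv() (which the commit message quotes as `sizeof(out_buff)+4`) are still two separately written expressions that merely happen to match. Passing `sizeof(buff)` as the recv() length, or declaring `char buff[sizeof(out_buff) + 4];`, would tie the two together so that a later change to either size cannot reintroduce the overflow. The recv() call itself is outside this hunk, so it is worth confirming in the full file that every read into `buff` uses the same bound. The change also enlarges the stack frame of ipmi_tsol_main() by seven times IPMI_BUF_SIZE; if the larger receive size is not actually needed, shrinking the recv() length to fit the original buffer would be the smaller fix, and a short comment next to the declaration saying which call depends on this size would help either way.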