From patchwork Wed Jun 26 12:31:41 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Maxim Polyakov <m.polyakov@yadro.com>
X-Patchwork-Id: 1123045
Return-Path: 
 <petitboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 45Yyrt4VjWz9s3C
	for <incoming@patchwork.ozlabs.org>;
	Thu, 27 Jun 2019 08:49:34 +1000 (AEST)
Authentication-Results: ozlabs.org;
	dmarc=fail (p=none dis=none) header.from=yadro.com
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (1024-bit key;
	unprotected) header.d=yadro.com header.i=@yadro.com
	header.b="eO50QXwT"; dkim-atps=neutral
Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3])
	by lists.ozlabs.org (Postfix) with ESMTP id 45Yyrt0CWbzDqXD
	for <incoming@patchwork.ozlabs.org>;
	Thu, 27 Jun 2019 08:49:34 +1000 (AEST)
X-Original-To: petitboot@lists.ozlabs.org
Delivered-To: petitboot@lists.ozlabs.org
Authentication-Results: lists.ozlabs.org;
	spf=pass (mailfrom) smtp.mailfrom=yadro.com
	(client-ip=89.207.88.252; helo=mta-01.yadro.com;
	envelope-from=m.polyakov@yadro.com; receiver=<UNKNOWN>)
Authentication-Results: lists.ozlabs.org;
	dmarc=pass (p=none dis=none) header.from=yadro.com
Authentication-Results: lists.ozlabs.org; dkim=pass (1024-bit key;
	unprotected) header.d=yadro.com header.i=@yadro.com
	header.b="eO50QXwT"; dkim-atps=neutral
Received: from mta-01.yadro.com (mta-02.yadro.com [89.207.88.252])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by lists.ozlabs.org (Postfix) with ESMTPS id 45YjLY1hClzDqWb
	for <petitboot@lists.ozlabs.org>;
	Wed, 26 Jun 2019 22:40:52 +1000 (AEST)
Received: from localhost (unknown [127.0.0.1])
	by mta-01.yadro.com (Postfix) with ESMTP id 98DBB41907
	for <petitboot@lists.ozlabs.org>;
	Wed, 26 Jun 2019 12:31:43 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=yadro.com; h=
	user-agent:content-disposition:content-type:content-type
	:mime-version:message-id:subject:subject:from:from:date:date
	:received:received:received; s=mta-01; t=1561552302; x=
	1563366703; bh=SiNKX4dmfEeeV1QHMWEXkGl6R03jl/SMGPc8JLQarGg=; b=e
	O50QXwTEMMBa4y8xWFJ8hv/Ms/RSj1cUd1NW9+vszVJMUwIO3I4whJsYNzJDPq7d
	A8bPOwmQI6w3kGdrjgdDQIio4Cq4EzCehUZeiAPIB4t6ifFkAJq+ibi3qZbgsDXc
	hMmeozWhRggUSodhP560q8xNljV51FjJvth/OM1N94=
X-Virus-Scanned: amavisd-new at yadro.com
Received: from mta-01.yadro.com ([127.0.0.1])
	by localhost (mta-01.yadro.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id nuKs88iHLtCY for <petitboot@lists.ozlabs.org>;
	Wed, 26 Jun 2019 15:31:42 +0300 (MSK)
Received: from T-EXCH-02.corp.yadro.com (t-exch-02.corp.yadro.com
	[172.17.10.102])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
	(No client certificate requested)
	by mta-01.yadro.com (Postfix) with ESMTPS id 920E6411FF
	for <petitboot@lists.ozlabs.org>;
	Wed, 26 Jun 2019 15:31:42 +0300 (MSK)
Received: from localhost (172.17.15.1) by T-EXCH-02.corp.yadro.com
	(172.17.10.102) with Microsoft SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.669.32;
	Wed, 26 Jun 2019 15:31:41 +0300
Date: Wed, 26 Jun 2019 15:31:41 +0300
From: Maxim Polyakov <m.polyakov@yadro.com>
To: <petitboot@lists.ozlabs.org>
Subject: [PATCH 2/5] discover/platform-powerpc: limit mailbox response size
Message-ID: <20190626123140.GA16248@gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
X-Originating-IP: [172.17.15.1]
X-ClientProxiedBy: T-EXCH-01.corp.yadro.com (172.17.10.101) To
	T-EXCH-02.corp.yadro.com (172.17.10.102)
X-Mailman-Approved-At: Thu, 27 Jun 2019 08:48:55 +1000
X-BeenThere: petitboot@lists.ozlabs.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Petitboot bootloader development <petitboot.lists.ozlabs.org>
List-Unsubscribe: <https://lists.ozlabs.org/options/petitboot>,
	<mailto:petitboot-request@lists.ozlabs.org?subject=unsubscribe>
List-Archive: <http://lists.ozlabs.org/pipermail/petitboot/>
List-Post: <mailto:petitboot@lists.ozlabs.org>
List-Help: <mailto:petitboot-request@lists.ozlabs.org?subject=help>
List-Subscribe: <https://lists.ozlabs.org/listinfo/petitboot>,
	<mailto:petitboot-request@lists.ozlabs.org?subject=subscribe>
Errors-To: petitboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org
Sender: "Petitboot"
	<petitboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>

The maximum size of the mailbox with Boot Initiator info is defined in
the specification (1). The code should not extract data from the IPMI
response message if its size exceeds the maximum limit from the
specification.

[1] page 398, IPMI Specification v2.0, Revision 1.1, October 1, 2013

Signed-off-by: Maxim Polyakov <m.polyakov@yadro.com>
---
 discover/platform-powerpc.c | 31 +++++++++++++++++--------------
 1 file changed, 17 insertions(+), 14 deletions(-)

diff --git a/discover/platform-powerpc.c b/discover/platform-powerpc.c
index 6651e3f..1e33bf1 100644
--- a/discover/platform-powerpc.c
+++ b/discover/platform-powerpc.c
@@ -461,24 +461,27 @@ static int get_ipmi_boot_mailbox_block(struct platform_powerpc *platform,
 		return -1;
 	}
 
-	if (resp_len < sizeof(resp)) {
-		if (resp_len < 4) {
-			pb_log("platform: unexpected length (%d) in "
-					"boot options mailbox response\n",
-					resp_len);
-			return -1;
-		}
+	if (resp_len > sizeof(resp)) {
+		pb_debug("platform: invalid mailbox response size!\n");
+		return -1;
+	}
 
-		if (resp_len == 4) {
-			pb_debug_fn("block %hu empty\n", block);
-			return 0;
-		}
+	if (resp_len < 4) {
+		pb_log("platform: unexpected length (%d) in "
+				"boot options mailbox response\n",
+				resp_len);
+		return -1;
+	}
 
-		blocksize = sizeof(resp) - 4;
-		pb_debug_fn("Mailbox block %hu returns only %zu bytes in block\n",
-				block, blocksize);
+	if (resp_len == 4) {
+		pb_debug_fn("block %hu empty\n", block);
+		return 0;
 	}
 
+	blocksize = sizeof(resp) - 4;
+	pb_debug_fn("Mailbox block %hu returns only %zu bytes in block\n",
+			block, blocksize);
+
 	debug_buf = format_buffer(platform, resp, resp_len);
 	pb_debug_fn("IPMI bootdev mailbox block %hu:\n%s\n", block, debug_buf);
 	talloc_free(debug_buf);