[Freeipmi-devel] [bug #38790] Invalid "Confidentiality Pad Length" value
From: Albert Chu
Subject: [Freeipmi-devel] [bug #38790] Invalid "Confidentiality Pad Length" value in encrypted RMCP+ packets
Date: Thu, 25 Apr 2013 18:27:22 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130307 Firefox/17.0
Update of bug #38790 (project freeipmi):
Assigned to: None => chu11
_______________________________________________________
Follow-up Comment #2:
I was able to reproduce with --set-asset-tag=12313 (not sure why it did not
with your example). I'm surprised this bug lingered so long. I guess most
vendors do not check the pad.
I did a different patch though, and found another location in the code that
needed to be changed. Here's the patch I committed for 1.2.6. I've of course
given credit to you & Broadcom in the ChangeLog for finding the bug and the
fix location.
===================================================================
--- libfreeipmi/interface/ipmi-rmcpplus-interface.c (revision 9608)
+++ libfreeipmi/interface/ipmi-rmcpplus-interface.c (working copy)
@@ -739,7 +739,7 @@
uint8_t iv[IPMI_CRYPT_AES_CBC_128_IV_LENGTH];
int iv_len;
uint8_t payload_buf[IPMI_MAX_PAYLOAD_LENGTH];
- uint8_t pad_len;
+ uint8_t pad_len, pad_tmp;
int payload_len, cipher_keylen, cipher_blocklen, encrypt_len;
/* Note: Confidentiality Key for AES_CBS_128 is K2 */
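Review bot: pad_tmp in the new declaration holds the remainder of (payload_len + 1) modulo the block length, not a pad value, so a name such as remainder or block_rem would read more clearly where it is used. While this area is being touched, the context comment below the declarations reads AES_CBS_128 where the cipher is AES_CBC_128.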
@@ -808,7 +808,11 @@
/* Pad the data appropriately */
/* +1 is for the pad length field */
- pad_len = IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH - ((payload_len + 1) %
IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH);
+ pad_tmp = ((payload_len + 1) % IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH);
+ if (pad_tmp)
+ pad_len = IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH - pad_tmp;
+ else
+ pad_len = 0;
if ((payload_len + pad_len + 1) > IPMI_MAX_PAYLOAD_LENGTH)
{
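Review bot: pad_tmp is computed from payload_len, which the first hunk declares as a signed int, and the result is stored in a uint8_t; if payload_len can be negative at this point the remainder is negative and wraps on assignment, so confirm it is validated before this block or cast the operand to unsigned. The if/else would also benefit from a one-line comment saying that a zero remainder means the payload plus the pad length byte already fills whole blocks and no pad bytes are added, since the removed expression produced a full block of padding in exactly that case.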
@@ -821,8 +825,8 @@
unsigned int i;
for (i = 0; i < pad_len; i++)
payload_buf[payload_len + i] = i + 1;
- payload_buf[payload_len + pad_len] = pad_len;
}
+ payload_buf[payload_len + pad_len] = pad_len;
/* +1 for pad length field */
if ((encrypt_len = crypt_cipher_encrypt (IPMI_CRYPT_CIPHER_AES,
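Review bot: the write to payload_buf[payload_len + pad_len] now sits outside the braces, so it no longer depends on the condition guarding the pad loop (not visible in this hunk), but nothing in the code says that is intentional; a short comment on that line stating that the pad length field is always written, even when pad_len is 0, would keep a later cleanup from moving it back inside the block. The index stays within payload_buf because the check in the previous hunk rejects payload_len + pad_len + 1 > IPMI_MAX_PAYLOAD_LENGTH. A regression test with a payload whose length plus one is a multiple of IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH would cover the case this change fixes.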
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?38790>