ipmitool/test

ipmitool: segfault fwum upgrade / statically allocated buffer

AlexanderAmelkin opened this issue · 0 comments

Reported by: Jörg Frings-Fürst
Original Ticket: ipmitool/bugs/475

Hello,

I forward this bug from Debian (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844425):

CU
Jörg


Package: ipmitool
Version: 1.8.18-1

Hi,
I had problems with ipmitool 1.8.14 which segfaulted in fwum upgrade. 
I built 1.8.18 on a Debian/Jessie to try a newer version which also
broke.

Core was generated by `src/ipmitool fwum upgrade /tmp/Linux/X8DT3303.ima'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  KfwumCalculateChecksumPadding (pBuffer=pBuffer@entry=0x7fd813673700 <firmBuf> "P\004U\252\023", totalSize=<optimized out>)
at ipmi_fwum.c:425
425                     sumOfBytes += pBuffer[counter];
(gdb) bt
#0  KfwumCalculateChecksumPadding (pBuffer=pBuffer@entry=0x7fd813673700 <firmBuf> "P\004U\252\023", totalSize=<optimized out>)
at ipmi_fwum.c:425
#1  0x00007fd8133d8f97 in ipmi_fwum_fwupgrade (intf=0x7fd81366f180 <ipmi_open_intf>, file=<optimized out>, action=1)
at ipmi_fwum.c:271
#2  0x00007fd8133defef in ipmi_main (argc=4, argv=0x7ffece162e88, cmdlist=0xff, intflist=0x0) at ipmi_main.c:1004
#3  0x00007fd8133a2c02 in main (argc=<optimized out>, argv=<optimized out>) at ipmitool.c:135

It seems the firmware file buffer is statically allocated on the stack with 512*1024
but then the whole file is read to it.

Flo
-- 
Florian Lohoff                                                 f@zz.de
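
The following is an added example, not part of the original report and not ipmitool's code. It sketches the defensive pattern for the failure described above: an image larger than the fixed 512*1024 buffer is rejected at load time, and the byte-summing loop refuses a length beyond the buffer. All function names (`load_bounded`, `checksum_padding`, `load_constructed_image`) and the zero-sum padding rule are assumptions made for illustration; the input is a constructed temporary file.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define FIRM_BUF_SIZE (512 * 1024)      /* buffer size quoted in the report */
static uint8_t firm_buf[FIRM_BUF_SIZE]; /* fixed-size buffer, as in the report */

/* Read fp into buf; return the byte count, or -1 on a read error or when
 * the file holds more than cap bytes (it is rejected, not truncated). */
long load_bounded(FILE *fp, uint8_t *buf, size_t cap)
{
    size_t n = fread(buf, 1, cap, fp);
    /* Data left over after filling the buffer means the image is too large. */
    if (ferror(fp) || (n == cap && fgetc(fp) != EOF))
        return -1;
    return (long)n;
}

/* Sum len bytes the way the crashing line does and store the byte that
 * brings the 8-bit sum to zero (assumed rule); refuses len beyond cap. */
int checksum_padding(const uint8_t *buf, size_t len, size_t cap, uint8_t *pad)
{
    uint8_t sum = 0;
    if (len > cap)
        return -1;
    for (size_t i = 0; i < len; i++)
        sum += buf[i];
    *pad = (uint8_t)(0u - sum);
    return 0;
}

/* Constructed input: a temporary file of `size` bytes standing in for the image. */
long load_constructed_image(size_t size)
{
    FILE *fp = tmpfile();
    if (!fp) return -2;
    for (size_t i = 0; i < size; i++)
        fputc((int)(i & 0xff), fp);
    rewind(fp);
    long n = load_bounded(fp, firm_buf, sizeof firm_buf);
    fclose(fp);
    return n;
}

int main(void)
{
    long fit = load_constructed_image(FIRM_BUF_SIZE);
    long over = load_constructed_image(FIRM_BUF_SIZE + 1);
    printf("exact fit: %ld, one byte over: %ld\n", fit, over);
    return 0;
}
```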