freeipmi-devel

[Freeipmi-devel] [bug #38790] Invalid "Confidentiality Pad Length" value


From: Albert Chu
Subject: [Freeipmi-devel] [bug #38790] Invalid "Confidentiality Pad Length" value in encrypted RMCP+ packets
Date: Thu, 25 Apr 2013 18:27:22 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130307 Firefox/17.0

Update of bug #38790 (project freeipmi):

             Assigned to:                    None => chu11                  

    _______________________________________________________

Follow-up Comment #2:

I was able to reproduce with --set-asset-tag=12313 (not sure why it did not
with your example).  I'm surprised this bug lingered so long.  I guess most
vendors do not check the pad.

I did a different patch though, and found another location in the code that
needed to be changed.  Here's the patch I committed for 1.2.6.  I've of course
given credit to you & Broadcom in the ChangeLog for finding the bug and the
fix location.

===================================================================
--- libfreeipmi/interface/ipmi-rmcpplus-interface.c     (revision 9608)
+++ libfreeipmi/interface/ipmi-rmcpplus-interface.c     (working copy)
@@ -739,7 +739,7 @@
   uint8_t iv[IPMI_CRYPT_AES_CBC_128_IV_LENGTH];
   int iv_len;
   uint8_t payload_buf[IPMI_MAX_PAYLOAD_LENGTH];
-  uint8_t pad_len;
+  uint8_t pad_len, pad_tmp;
   int payload_len, cipher_keylen, cipher_blocklen, encrypt_len;
 
   /* Note: Confidentiality Key for AES_CBS_128 is K2 */
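Review bot: `pad_tmp` in `uint8_t pad_len, pad_tmp;` is assigned the result of a modulo on `payload_len`, which is declared `int` on the next line, so the narrowing to `uint8_t` is only safe while `payload_len` is non-negative. Confirm that is guaranteed before the padding code runs, or declare the temporary as `unsigned int`. A name such as `remainder` would also say what the variable holds. Separately, the context comment reads `AES_CBS_128` where `AES_CBC_128` is meant.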
@@ -808,7 +808,11 @@
   /* Pad the data appropriately */
 
   /* +1 is for the pad length field */
-  pad_len = IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH - ((payload_len + 1) %
IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH);
+  pad_tmp = ((payload_len + 1) % IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH);
+  if (pad_tmp)
+    pad_len = IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH - pad_tmp;
+  else
+    pad_len = 0;
 
   if ((payload_len + pad_len + 1) > IPMI_MAX_PAYLOAD_LENGTH)
     {
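Review bot: the new `if (pad_tmp)` / `else` branch has no comment explaining why 0 is the correct pad length when `(payload_len + 1)` is already a multiple of `IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH`, which is the case the old expression got wrong by returning a full block. Please extend the `/* +1 is for the pad length field */` comment to say that no pad bytes are added when payload plus the pad length byte is already block-aligned. The branch could also be written as one expression, `pad_len = (BLOCK - ((payload_len + 1) % BLOCK)) % BLOCK` with `BLOCK` standing for the block length constant, which removes the need for `pad_tmp`. A regression test with a payload length that makes `payload_len + 1` an exact multiple of the block length would keep this from returning.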
@@ -821,8 +825,8 @@
       unsigned int i;
       for (i = 0; i < pad_len; i++)
         payload_buf[payload_len + i] = i + 1;
-      payload_buf[payload_len + pad_len] = pad_len;
     }
+  payload_buf[payload_len + pad_len] = pad_len;
 
   /* +1 for pad length field */
   if ((encrypt_len = crypt_cipher_encrypt (IPMI_CRYPT_CIPHER_AES,
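Review bot: with `payload_buf[payload_len + pad_len] = pad_len;` moved out of the block, the pad length byte is now written unconditionally, and it stays inside `payload_buf` only because of the `(payload_len + pad_len + 1) > IPMI_MAX_PAYLOAD_LENGTH` check in the previous hunk. A short comment here stating that the pad length field is always present, even when it is 0, would keep the write and the check from drifting apart. Since the `for` loop already runs zero times when `pad_len` is 0, the guard on the enclosing block (its condition is outside the visible context) may now be redundant and could be dropped.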



    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?38790>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/



