From bdf19fbcb226d970112dd47f45583d88083548ac Mon Sep 17 00:00:00 2001
From: Andrew Jeffery
Date: Thu, 21 Feb 2019 16:58:13 +1030
Subject: libflash/ipmi-hiomap: Enforce message size for empty response
[ Upstream commit 4af122b23402ca163012de527277901d7770c376 ]
The protocol defines the response to the associated messages as empty except for the command ID and sequence fields. If the BMC is returning extra data consider the message malformed.
Cc: stable
Signed-off-by: Andrew Jeffery
Signed-off-by: Stewart Smith
Signed-off-by: Vasant Hegde
---
libflash/ipmi-hiomap.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libflash/ipmi-hiomap.c b/libflash/ipmi-hiomap.c
index 7a36449..56492fa 100644
--- a/libflash/ipmi-hiomap.c
+++ b/libflash/ipmi-hiomap.c
@@ -208,6 +208,12 @@ static void ipmi_hiomap_cmd_cb(struct ipmi_msg *msg)
 case HIOMAP_C_FLUSH:
 case HIOMAP_C_ACK:
 case HIOMAP_C_ERASE:
+ if (msg->resp_size != 2) {
+ prerror("%u: Unexpected response size: %u\n", msg->data[0],
+ msg->resp_size);
+ res->cc = IPMI_ERR_UNSPECIFIED;
+ break;
+ }
 break;
 default:
 prlog(PR_WARNING, "Unimplemented command handler: %u\n",
-- cgit v1.1
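Review bot: The new error path in the FLUSH/ACK/ERASE case logs `msg->data[0]` even when `msg->resp_size` is 0, so the command ID it prints is only meaningful if an earlier check in ipmi_hiomap_cmd_cb (outside this hunk) already rejects responses shorter than two bytes. If no such lower bound exists, the message should report only the size rather than read a byte the BMC never sent. The literal `2` would also be easier to audit with a comment such as `/* command ID + sequence, no payload */`, and the `break;` inside the `if` is redundant because the case ends in `break;` directly after it. The function body starts and ends outside the hunk, so the switch expression and any prior size validation could not be checked here.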