From: Albert Chu <chu11@llnl.gov>
Subject: ipmi-oem: fix several memory out of bounds errors
References: bsc#1260414 CVE-2026-33554
Patch-Mainline: describe
Git-commit: b03ca4d1bff4626c11db8684564b88cd26a2425d


Found by Zhihan Zheng (chnzzh@outlook.com)


Signed-off-by: Thomas Renninger <trenn@suse.de>
diff --git a/ipmi-oem/ipmi-oem-dell.c b/ipmi-oem/ipmi-oem-dell.c
index 7fbc0c186..cf3bad244 100644
--- a/ipmi-oem/ipmi-oem-dell.c
+++ b/ipmi-oem/ipmi-oem-dell.c
@@ -7161,7 +7161,7 @@ ipmi_oem_dell_get_last_post_code (ipmi_oem_state_data_t *state_data)
   uint8_t bytes_rq[IPMI_OEM_MAX_BYTES];
   uint8_t bytes_rs[IPMI_OEM_MAX_BYTES];
   uint8_t post_code;
-  uint8_t string_length;
+  size_t string_length;
   char post_code_string[IPMI_OEM_STR_BUFLEN + 1];
   int rs_len;
   int rv = -1;
@@ -7216,10 +7216,16 @@ ipmi_oem_dell_get_last_post_code (ipmi_oem_state_data_t *state_data)
     goto cleanup;
 
   post_code = bytes_rs[2];
-  string_length = bytes_rs[3];
+  string_length = (size_t)bytes_rs[3];
 
   if (string_length)
-    memcpy (post_code_string, &bytes_rs[4], string_length);
+    {
+      if (string_length > (size_t)(rs_len - 4))
+        string_length = rs_len - 4;
+      if (string_length > IPMI_OEM_STR_BUFLEN)
+        string_length = IPMI_OEM_STR_BUFLEN;
+      memcpy (post_code_string, &bytes_rs[4], string_length);
+    }
 
   pstdout_printf (state_data->pstate,
                   "Post Code %02Xh : %s\n",
diff --git a/ipmi-oem/ipmi-oem-supermicro.c b/ipmi-oem/ipmi-oem-supermicro.c
index 51b8397a4..01d6b1112 100644
--- a/ipmi-oem/ipmi-oem-supermicro.c
+++ b/ipmi-oem/ipmi-oem-supermicro.c
@@ -129,7 +129,12 @@ ipmi_oem_supermicro_extra_firmware_info (ipmi_oem_state_data_t *state_data)
   firmware_hardware_id = bytes_rs[18];
 
   if (rs_len > 19)
-    memcpy (firmware_tag, &bytes_rs[19], rs_len - 19);
+    {
+      size_t tag_len = (size_t)(rs_len - 19);
+      if (tag_len > IPMI_OEM_SUPERMICRO_STRING_MAX)
+        tag_len = IPMI_OEM_SUPERMICRO_STRING_MAX;
+      memcpy (firmware_tag, &bytes_rs[19], tag_len);
+    }
 
   /* assume minor version is BCD, just like in Get Device ID command */
   /* assume sub version is also BCD */
diff --git a/ipmi-oem/ipmi-oem-wistron.c b/ipmi-oem/ipmi-oem-wistron.c
index b182cf758..f705c94e9 100644
--- a/ipmi-oem/ipmi-oem-wistron.c
+++ b/ipmi-oem/ipmi-oem-wistron.c
@@ -3047,6 +3047,7 @@ ipmi_oem_wistron_read_proprietary_string (ipmi_oem_state_data_t *state_data)
   char string[IPMI_OEM_WISTRON_PROPRIETARY_STRING_MAX + 1];
   int rs_len;
   int rv = -1;
+  size_t len;
 
   assert (state_data);
   assert (!state_data->prog_data->args->oem_options_count);
@@ -3107,8 +3108,12 @@ ipmi_oem_wistron_read_proprietary_string (ipmi_oem_state_data_t *state_data)
       goto cleanup;
     }
 
+  len = (size_t)bytes_rs[3];
+  if (len > (size_t)(rs_len - 4))
+    len = rs_len - 4;
+
   memset (string, '\0', IPMI_OEM_WISTRON_PROPRIETARY_STRING_MAX + 1);
-  memcpy (string, &bytes_rs[4], bytes_rs[3]);
+  memcpy (string, &bytes_rs[4], len);
 
   pstdout_printf (state_data->pstate,
                   "%s\n",