OpenIPMI/SOURCES/OpenIPMI-CVE-2024-42934.patch

diff --git a/lanserv/lanserv_ipmi.c b/lanserv/lanserv_ipmi.c
index ccd60015..e707454e 100644
--- a/lanserv/lanserv_ipmi.c
+++ b/lanserv/lanserv_ipmi.c
@@ -882,6 +882,12 @@ handle_temp_session(lanserv_data_t *lan, msg_t *msg)
     }
 
     auth = msg->data[0] & 0xf;
+    if (auth >= MAX_IPMI_AUTHS) {
+	lan->sysinfo->log(lan->sysinfo, NEW_SESSION_FAILED, msg,
+		 "Activate session failed: Invalid auth: 0x%x", auth);
+	return;
+    }
+
     user = &(lan->users[user_idx]);
     if (! (user->valid)) {
 	lan->sysinfo->log(lan->sysinfo, NEW_SESSION_FAILED, msg,
@@ -3016,17 +3022,33 @@ ipmi_handle_lan_msg(lanserv_data_t *lan,
 {
     msg_t   msg;
 
+    memset(&msg, 0, sizeof(msg));
+
     msg.src_addr = from_addr;
     msg.src_len = from_len;
 
     msg.oem_data = 0;
 
+    msg.channel = lan->channel.channel_num;
+    msg.orig_channel = &lan->channel;
+
+    /*
+     * Initialize the data so the log won't crash if it gets called, and
+     * so the log might have useful info.
+     */
+    msg.data = data;
+    msg.len = len;
+
     if (len < 5) {
 	lan->sysinfo->log(lan->sysinfo, LAN_ERR, &msg,
 		 "LAN msg failure: message too short");
 	return;
     }
 
+    /* Length is at least marginally correct, skip the first part now. */
+    msg.data = data + 5;
+    msg.len = len - 5;
+
     if (data[2] != 0xff) {
 	lan->sysinfo->log(lan->sysinfo, LAN_ERR, &msg,
 		 "LAN msg failure: seq not ff");
@@ -3034,17 +3056,15 @@ ipmi_handle_lan_msg(lanserv_data_t *lan,
     }
 
     msg.authtype = data[4];
-    msg.data = data+5;
-    msg.len = len - 5;
-    msg.channel = lan->channel.channel_num;
-    msg.orig_channel = &lan->channel;
-
     if (msg.authtype == IPMI_AUTHTYPE_RMCP_PLUS) {
 	ipmi_handle_rmcpp_msg(lan, &msg);
+    } else if (msg.authtype >= MAX_IPMI_AUTHS) {
+	lan->sysinfo->log(lan->sysinfo, LAN_ERR, &msg,
+			  "LAN msg failure: Invalid authtype: %d", data[4]);
+	return;
     } else {
 	ipmi_handle_rmcp_msg(lan, &msg);
     }
-
 }
 
 static void