From b47d5873449c2b75509ea7c4a4dd8e8de65ffcc5 Mon Sep 17 00:00:00 2001
From: Eason Chen
Date: Wed, 27 Apr 2022 14:14:16 +0800
Subject: [PATCH] Check data length and IANA for OEM commands
Summary:
- BIC will hang up if OEM command with no data is received, as following bic-util slot1 0xe0 0x60
- IPMI message retains previous data, if the retained data is same as IANA, the check will pass even data length is zero.
- Fixed it by checking data length and IANA.
Test plan: Build code: PASS
---
 common/service/ipmi/ipmi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/common/service/ipmi/ipmi.c b/common/service/ipmi/ipmi.c
index 17cc62f220..50da9a0063 100644
--- a/common/service/ipmi/ipmi.c
+++ b/common/service/ipmi/ipmi.c
@@ -163,7 +163,8 @@ void IPMI_handler(void *arug0, void *arug1, void *arug2)
 IPMI_OEM_handler(&msg_cfg.buffer);
 break;
 case NETFN_OEM_1S_REQ:
- if ((msg_cfg.buffer.data[0] | (msg_cfg.buffer.data[1] << 8) |
+ if (msg_cfg.buffer.data_len >= 3 &&
+ (msg_cfg.buffer.data[0] | (msg_cfg.buffer.data[1] << 8) |
 (msg_cfg.buffer.data[2] << 16)) == IANA_ID) {
 msg_cfg.buffer.data_len -= 3;
 memcpy(&msg_cfg.buffer.data[0], &msg_cfg.buffer.data[3],
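Review bot: The added `msg_cfg.buffer.data_len >= 3` guard protects only the `NETFN_OEM_1S_REQ` case, while the cause named in the description (the message buffer keeping bytes from an earlier request) stays in place. Any other path that reads `data[]` without first checking `data_len` could still act on stale bytes, and the `IPMI_OEM_handler(&msg_cfg.buffer)` call just above shows no length check in this hunk, though it may exist inside the handler. Consider clearing `data[]` beyond `data_len` when a message is received, and documenting the guard with `/* data[0..2] is valid only when data_len >= 3; the buffer may hold bytes from a previous request */`. Separately, the unchanged `memcpy(&msg_cfg.buffer.data[0], &msg_cfg.buffer.data[3],` copies within one array; if its length argument (outside the hunk) can exceed 3, the regions overlap, which is undefined for `memcpy`, so `memmove` would be the safe call. The case body continues past the end of the hunk.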