fix: reject IPMI packets with invalid CBC padding instead of crashing

cbc_pad in decrypt mode reads the last byte as the pad count, then calls splice(@block, 0 - $count). If decrypted data is corrupt, the pad count can exceed the array size, crashing with "Modification of non-creatable array value attempted, subscript -16". Return empty string on invalid padding so the caller treats it as a decryption failure rather than accepting corrupted data as a valid IPMI response. Ref: #7511
2026-05-17 19:57:18 +00:00 · 2026-05-06 01:23:10 -03:00
parent b006975b54
commit cb2a6b3f3c
1 changed files with 3 additions and 0 deletions
@@ -763,6 +763,9 @@ sub cbc_pad {
        unless ($count) {
            return pack("C*", @block);
        }
+        if ($count > scalar @block) {
+            return "";
+        }
        splice @block, 0 - $count;
        return pack("C*", @block);
    }