From cb2a6b3f3c425d3f6ffe47171664043b4a8b418f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vin=C3=ADcius=20Ferr=C3=A3o?=
 <2031761+viniciusferrao@users.noreply.github.com>
Date: Wed, 6 May 2026 01:23:10 -0300
Subject: [PATCH] fix: reject IPMI packets with invalid CBC padding instead of
 crashing

cbc_pad in decrypt mode reads the last byte as the pad count, then
calls splice(@block, 0 - $count). If decrypted data is corrupt, the
pad count can exceed the array size, crashing with "Modification of
non-creatable array value attempted, subscript -16".

Return empty string on invalid padding so the caller treats it as a
decryption failure rather than accepting corrupted data as a valid
IPMI response.

Ref: #7511
---
 xCAT-server/lib/perl/xCAT/IPMI.pm | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/xCAT-server/lib/perl/xCAT/IPMI.pm b/xCAT-server/lib/perl/xCAT/IPMI.pm
index 759777e33..26933533a 100644
--- a/xCAT-server/lib/perl/xCAT/IPMI.pm
+++ b/xCAT-server/lib/perl/xCAT/IPMI.pm
@@ -763,6 +763,9 @@ sub cbc_pad {
         unless ($count) {
             return pack("C*", @block);
         }
+        if ($count > scalar @block) {
+            return "";
+        }
         splice @block, 0 - $count;
         return pack("C*", @block);
     }