From 71df5364cb025291c79a46d280da0e5651096fe4 Mon Sep 17 00:00:00 2001 From: mengkanglai Date: Tue, 21 Mar 2023 17:48:03 +0800 Subject: [PATCH] lan channel fix set alert on off and lanplus realloc the msg if the payload_length gets update --- ...ort-lan-channel-Fix-set-alert-on-off.patch | 69 ++++++++++++++++++ ...the-msg-if-the-payload_length-gets-u.patch | 72 +++++++++++++++++++ ipmitool.spec | 10 ++- 3 files changed, 150 insertions(+), 1 deletion(-) create mode 100644 backport-lan-channel-Fix-set-alert-on-off.patch create mode 100644 backport-lanplus-Realloc-the-msg-if-the-payload_length-gets-u.patch diff --git a/backport-lan-channel-Fix-set-alert-on-off.patch b/backport-lan-channel-Fix-set-alert-on-off.patch new file mode 100644 index 0000000..74c1b58 --- /dev/null +++ b/backport-lan-channel-Fix-set-alert-on-off.patch 
@@ -0,0 +1,69 @@ +From 4b791f8bf67ef9134699039b2758ed4023409621 Mon Sep 17 00:00:00 2001 +From: Alexander Amelkin +Date: Tue, 20 Oct 2020 17:15:59 +0300 +Subject: [PATCH] lan: channel: Fix set alert on/off + +From IPMI Spec, Chapter 22.22 Set Channel Access Command +Table 22, Set Channel Access Command + +Byte#2, Bit#5 is "PEF Alerting Enable/Disable" +And the bit value: + 0b = enable PEF Alerting + 1b = disable PEF Alerting on this channel + +In current code, alert "on" set Bit#5 to 1 and alert "off" set Bit#5 to +0, it's straightforward but just opposite of IPMI spec bit definition. + +Resolves ipmitool/ipmitool#247 + +Reported-by: Ryan Fang +Signed-off-by: Alexander Amelkin +--- + include/ipmitool/ipmi_channel.h | 10 ++++++++-- + lib/ipmi_lanp.c | 6 +++--- + 2 files changed, 11 insertions(+), 5 deletions(-) + +diff --git a/include/ipmitool/ipmi_channel.h b/include/ipmitool/ipmi_channel.h +index d9be57e..41f1b88 100644 +--- a/include/ipmitool/ipmi_channel.h ++++ b/include/ipmitool/ipmi_channel.h +@@ -89,10 +89,16 @@ struct channel_info_t { + uint8_t aux_info[2]; + }; + +-/* (22.23) Get Channel Access */ ++ ++/* (22.22 / 22.23) Set/Get Channel Access */ ++typedef enum { ++ ALERTING_ENABLED = 0, ++ ALERTING_DISABLED = (1 << 5) /* See Table 22 */ ++} alerting_t; ++ + struct channel_access_t { + uint8_t access_mode; +- uint8_t alerting; ++ alerting_t alerting; + uint8_t channel; + uint8_t per_message_auth; + uint8_t privilege_limit; +diff --git a/lib/ipmi_lanp.c b/lib/ipmi_lanp.c +index 16c0d9a..fe0046f 100644 +--- a/lib/ipmi_lanp.c ++++ b/lib/ipmi_lanp.c +@@ -1026,10 +1026,10 @@ ipmi_set_alert_enable(struct ipmi_intf *intf, uint8_t channel, uint8_t enable) + channel); + return (-1); + } +- if (enable != 0) { +- channel_access.alerting = 1; ++ if (enable) { ++ channel_access.alerting = ALERTING_ENABLED; + } else { +- channel_access.alerting = 0; ++ channel_access.alerting = ALERTING_DISABLED; + } + /* non-volatile */ + ccode = _ipmi_set_channel_access(intf, 
channel_access, 1, 0); +-- +2.27.0 + diff --git a/backport-lanplus-Realloc-the-msg-if-the-payload_length-gets-u.patch b/backport-lanplus-Realloc-the-msg-if-the-payload_length-gets-u.patch new file mode 100644 index 0000000..3cc7e6b --- /dev/null +++ b/backport-lanplus-Realloc-the-msg-if-the-payload_length-gets-u.patch 
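Review bot: In the backported ipmi_channel.h change, `alerting` switches from `uint8_t` to the new `alerting_t` enum, but only `ipmi_set_alert_enable` in lib/ipmi_lanp.c is updated to the new meaning; every other reader or writer of `channel_access.alerting` lies outside this hunk. Any such site that still stores 1 for "on" or treats the field as a plain boolean would now carry the opposite meaning, so each should be audited and switched to `ALERTING_ENABLED` / `ALERTING_DISABLED`. A field comment such as `/* bit 5 of byte 2 as sent on the wire: 0 = PEF alerting enabled */` would keep the inverted polarity from being reintroduced. Since the call that follows is marked `/* non-volatile */`, BMCs configured with the earlier build presumably retain the inverted alerting state until the setting is re-applied, which is worth stating in the package changelog.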
@@ -0,0 +1,72 @@ +From 8f0946a81eb22c14823d726afc486139bb2094ca Mon Sep 17 00:00:00 2001 +From: Tom Tung +Date: Fri, 12 Aug 2022 16:47:27 +0800 +Subject: [PATCH] lanplus: Realloc the msg if the payload_length gets updated + +It's possible the payload_length gets updated in +lanplus_encrypt_payload. If it's updated, the memory of msg should be +updated. + +Tested: use ipmitool with lanplus with similar STR and there is no +memory stomping issue. + +Resolved: ipmitool/ipmitool#351 +Signed-off-by: Tom Tung +--- + src/plugins/lanplus/lanplus.c | 19 +++++++++++++++++++ + src/plugins/lanplus/lanplus.h | 2 ++ + 2 files changed, 21 insertions(+) + +diff --git a/src/plugins/lanplus/lanplus.c b/src/plugins/lanplus/lanplus.c +index ed41380..7a9162c 100644 +--- a/src/plugins/lanplus/lanplus.c ++++ b/src/plugins/lanplus/lanplus.c +@@ -1727,6 +1727,7 @@ ipmi_lanplus_build_v2x_msg( + */ + if (session->v2_data.session_state == LANPLUS_STATE_ACTIVE) + { ++ uint16_t old_payload_length = payload->payload_length; + /* Payload len is adjusted as necessary by lanplus_encrypt_payload */ + lanplus_encrypt_payload(session->v2_data.crypt_alg, /* input */ + session->v2_data.k2, /* input */ +@@ -1735,6 +1736,24 @@ ipmi_lanplus_build_v2x_msg( + msg + IPMI_LANPLUS_OFFSET_PAYLOAD, /* output */ + &(payload->payload_length)); /* output */ + ++ if (old_payload_length != payload->payload_length) ++ { ++ len = ++ IPMI_LANPLUS_OFFSET_PAYLOAD + ++ payload->payload_length + ++ IPMI_MAX_INTEGRITY_PAD_SIZE + ++ IPMI_LANPLUS_PAD_LENGTH_SIZE + ++ IPMI_LANPLUS_NEXT_HEADER_SIZE + ++ IPMI_MAX_AUTH_CODE_SIZE; ++ ++ uint8_t * new_msg = realloc(msg, len); ++ if (!new_msg) { ++ free(msg); ++ lprintf(LOG_ERR, "ipmitool: realloc failure"); ++ return; ++ } ++ msg = new_msg; ++ } + } + + /* Now we know the payload length */ +diff --git a/src/plugins/lanplus/lanplus.h b/src/plugins/lanplus/lanplus.h +index 3e287ae..94bd56a 100644 +--- a/src/plugins/lanplus/lanplus.h ++++ b/src/plugins/lanplus/lanplus.h +@@ -86,6 +86,8 
@@ + #define IPMI_LANPLUS_OFFSET_PAYLOAD_SIZE 0x0E + #define IPMI_LANPLUS_OFFSET_PAYLOAD 0x10 + ++#define IPMI_LANPLUS_PAD_LENGTH_SIZE 1 ++#define IPMI_LANPLUS_NEXT_HEADER_SIZE 1 + + #define IPMI_GET_CHANNEL_AUTH_CAP 0x38 + +-- +2.27.0 + diff --git a/ipmitool.spec b/ipmitool.spec index 737f9a0..af260e6 100644 --- a/ipmitool.spec +++ b/ipmitool.spec @@ -1,6 +1,6 @@ Name: ipmitool Version: 1.8.18 -Release: 17 +Release: 18 Summary: Utility for IPMI control License: BSD URL: http://ipmitool.sourceforge.net/ @@ -42,6 +42,8 @@ Patch6022: ipmitool-CVE-2020-5208-Fix-buffer-overflow-in-ipmi_get_session_ Patch6023: ipmitool-CVE-2020-5208-Fix-buffer-overflow.patch Patch6024: ipmitool-CVE-2020-5208-Fix-buffer-overflows-in-get_lan_param_select.patch Patch6025: ipmitool-CVE-2020-5208-Fix-id_string-buffer-overflows.patch +Patch6026: backport-lanplus-Realloc-the-msg-if-the-payload_length-gets-u.patch +Patch6027: backport-lan-channel-Fix-set-alert-on-off.patch BuildRequires: openssl-devel readline-devel ncurses-devel git %{?systemd_requires} @@ -171,6 +173,12 @@ install -Dm 755 contrib/bmc-snmp-proxy %{buildroot}%{_libexecdir}/bmc-sn %{_mandir}/man8/ipmievd.8* %changelog +* Tue Mar 21 2023 mengkanglai - 1.8.18-18 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:lan channel fix set alert on off and lanplus realloc the msg if the payload_length gets update + * Mon Dec 13 2021 xihaochen - 1.8.18-17 - Type:requirement - ID:NA -- Gitee
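Review bot: In the lanplus.c part of the backported patch, the `realloc` runs only after `lanplus_encrypt_payload` has already written its output to `msg + IPMI_LANPLUS_OFFSET_PAYLOAD`, so the resize covers the trailer bytes appended later but cannot protect the encryption output itself. Whether the initial allocation leaves room for the grown payload is decided outside this hunk and should be confirmed; otherwise the buffer needs to be sized for the worst-case encrypted length before the call. On the failure path the code frees `msg` and does a bare `return;`, and nothing visible here resets the function's output pointer and length, so a caller may go on to use stale values; clear them before returning, or confirm that callers check for it. `ipmi_lanplus_build_v2x_msg` begins and ends outside the hunk.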