diff --git a/dump-space-around-the-equal-for-shellcheck-sc1068.patch b/dump-space-around-the-equal-for-shellcheck-sc1068.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4100fdbbe834d80be6ba45c4d1674b9f4e727da8
--- /dev/null
+++ b/dump-space-around-the-equal-for-shellcheck-sc1068.patch
@@ -0,0 +1,23 @@
+From b9e84bfcfdbfabc83024e7fdcf31172a3d36311b Mon Sep 17 00:00:00 2001
+From: songzifeng
+Date: Mon, 8 Jun 2020 16:30:09 +0800
+Subject: dump space around the "="
+
+
+diff --git a/agent/mibgroup/Rmon/test_alarm.sh b/agent/mibgroup/Rmon/test_alarm.sh
+index b6046c7..0a0863a 100755
+--- a/agent/mibgroup/Rmon/test_alarm.sh
++++ b/agent/mibgroup/Rmon/test_alarm.sh
+@@ -27,7 +27,7 @@ ETHIND=3
+ EVNIND=7
+ ALRIND=2
+ LOWLIMIT=4800
+-HILIMIT =4900
++HILIMIT=4900
+ INTERVAL=3
+ WAITTIME=17
+
+--
+2.23.0
+
+
diff --git a/net-snmp-5.9.1-IdeaUI_antic_attack.patch b/net-snmp-5.9.1-IdeaUI_antic_attack.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7dceda26410b95e1841835146b6bd331e83e0eec
--- /dev/null
+++ b/net-snmp-5.9.1-IdeaUI_antic_attack.patch
@@ -0,0 +1,202 @@
+From e194c8fbe2cc2b1085a3da97ddb94eb329558446 Mon Sep 17 00:00:00 2001
+From: chenrufeng
+Date: Fri, 5 Jan 2024 10:38:35 +0800
+Subject: [PATCH] add support for IDEAUI_ANTI_ATTACK
+
+---
+ agent/snmp_agent.c | 2 +
+ include/net-snmp/library/snmp_api.h | 5 ++
+ include/net-snmp/output_api.h | 18 ++++++++
+ include/net-snmp/types.h | 6 +++
+ snmplib/snmp_api.c | 72 +++++++++++++++++++++++++++++
+ 5 files changed, 103 insertions(+)
+
+diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c
+index 273b46772..bff663d32 100644
+--- a/agent/snmp_agent.c
++++ b/agent/snmp_agent.c
+@@ -2214,7 +2214,9 @@ handle_snmp_packet(int op, netsnmp_session * session, int reqid,
+ */
+ if (pdu->version == SNMP_VERSION_3 &&
+ session->s_snmp_errno == SNMPERR_USM_AUTHENTICATIONFAILURE) {
++#ifndef IDEAUI_ANTI_ATTACK
+ send_easy_trap(SNMP_TRAP_AUTHFAIL, 0);
++#endif
+ return 1;
+ }
+
+diff --git a/include/net-snmp/library/snmp_api.h b/include/net-snmp/library/snmp_api.h
+index 6b4fad6ab..419f44764 100644
+--- a/include/net-snmp/library/snmp_api.h
++++ b/include/net-snmp/library/snmp_api.h
+@@ -384,6 +384,11 @@ typedef struct request_list {
+ NETSNMP_IMPORT
+ void init_snmp(const char *);
+
++#if defined(IDEAUI_ANTI_ATTACK)
++ NETSNMP_IMPORT
++ void netsnmp_init_antiattack_callback(struct snmp_s_anti_attack* callbacklist);
++#endif
++
+ NETSNMP_IMPORT
+ int
+ snmp_build(u_char ** pkt, size_t * pkt_len, size_t * offset,
+diff --git a/include/net-snmp/output_api.h b/include/net-snmp/output_api.h
+index 3b142850c..9bce8d704 100644
+--- a/include/net-snmp/output_api.h
++++ b/include/net-snmp/output_api.h
+@@ -184,4 +184,22 @@ netsnmp_debug_no_dumpsetup(const char *token, const void *buf, size_t len)
+ #define ERROR_MSG(string) snmp_set_detail(string)
+ #endif
+
++#if defined(IDEAUI_ANTI_ATTACK)
++typedef struct snmp_s_anti_info {
++ char *userName;
++ char *peerName;
++ int antiRes;
++} snmp_anti_info;
++
++/*
++ * anti attack
++ */
++struct snmp_s_anti_attack {
++ void
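Review bot: With IDEAUI_ANTI_ATTACK defined, the `#ifndef` around `send_easy_trap(SNMP_TRAP_AUTHFAIL, 0);` in the snmp_agent.c hunk removes the authenticationFailure trap for SNMPv3 USM failures, and nothing visible in this patch replaces it with a log entry or a rate-limited trap. That trap is often the only signal a monitoring station receives about repeated failed authentication, so dropping it entirely trades trap flooding for loss of detection. If the suppression is intended, say so in a comment above the guard, e.g. `/* IDEAUI: auth failures are reported through the anti-attack callbacks, no trap is sent */`, and confirm that the callback side records the event. The enclosing handle_snmp_packet() starts and ends outside the hunk.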
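Review bot: The prototype `netsnmp_init_antiattack_callback(struct snmp_s_anti_attack* callbacklist)` in snmp_api.h names a struct that this patch defines in output_api.h. If output_api.h is not included before this point (the include order is not visible here), the tag gets prototype scope and the definition added to snmp_api.c would not match this declaration. A forward declaration `struct snmp_s_anti_attack;` ahead of the prototype, inside the same `#if defined(IDEAUI_ANTI_ATTACK)` block, removes the dependency on include order.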
(*cb_init_attack_info)(void);
++ void (*cb_uninit_attack_info)(void);
++ unsigned int (*cb_add_attack_info) (char *, const char *);
++ void (*cb_clear_attack_info) (char *, const char *);
++ int (*cb_is_attack_lock) (char *, const char *);
++};
++#endif /* IDEAUI_ANTI_ATTACK */
+ #endif /* NET_SNMP_OUTPUT_API_H */
+diff --git a/include/net-snmp/types.h b/include/net-snmp/types.h
+index d489f37b1..830d3b93f 100644
+--- a/include/net-snmp/types.h
++++ b/include/net-snmp/types.h
+@@ -17,6 +17,12 @@
+ */
+
+ #include
++#if defined(IDEAUI_OS_ANDROID)
++#include
++typedef unsigned long int ulong;
++typedef unsigned short int ushort;
++typedef unsigned int uint;
++#endif
+
+ #ifndef NET_SNMP_CONFIG_H
+ #error "Please include before this file"
+diff --git a/snmplib/snmp_api.c b/snmplib/snmp_api.c
+index 4042f8046..96e7eeb5b 100644
+--- a/snmplib/snmp_api.c
++++ b/snmplib/snmp_api.c
+@@ -329,6 +329,13 @@ int snmp_errno = 0;
+ * END MTCRITICAL_RESOURCE
+ */
+
++#if defined(IDEAUI_ANTI_ATTACK)
++ /*
++ * anti attack
++ */
++struct snmp_s_anti_attack g_stAntiAttack = {NULL, NULL, NULL, NULL, NULL};
++#endif
++
+ /*
+ * global error detail storage
+ */
+@@ -863,6 +870,20 @@ register_default_handlers(void)
+ netsnmp_register_service_handlers();
+ }
+
++#if defined(IDEAUI_ANTI_ATTACK)
++void netsnmp_init_antiattack_callback(struct snmp_s_anti_attack* callbacklist)
++{
++ if (callbacklist == NULL) {
++ return;
++ }
++ g_stAntiAttack.cb_init_attack_info = callbacklist->cb_init_attack_info;
++ g_stAntiAttack.cb_uninit_attack_info = callbacklist->cb_uninit_attack_info;
++ g_stAntiAttack.cb_add_attack_info = callbacklist->cb_add_attack_info;
++ g_stAntiAttack.cb_clear_attack_info = callbacklist->cb_clear_attack_info;
++ g_stAntiAttack.cb_is_attack_lock = callbacklist->cb_is_attack_lock;
++}
++#endif
++
+ static int init_snmp_init_done = 0; /* To prevent double init's.
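Review bot: The three per-peer callbacks in `struct snmp_s_anti_attack` take `(char *, const char *)`, but every call site this patch adds in snmp_api.c passes `(char *)&antiInfo`, a `snmp_anti_info *` hidden behind a cast, so the compiler cannot catch a callback that treats the first argument as a string. Declaring them with the real type, e.g. `int (*cb_is_attack_lock)(const snmp_anti_info *info, const char *peer);`, makes the contract checkable. Each member also needs a comment stating what its return value means (the caller treats a non-zero `cb_is_attack_lock` result as locked and ignores the `cb_add_attack_info` result). The same comment should say that `userName` and `peerName` are borrowed pointers, since `peerName` points at a local buffer in _snmp_parse() and is only valid during the call.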
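Review bot: `g_stAntiAttack` in the `@@ -329` hunk is defined with external linkage although no header in this patch declares it, so it becomes a global symbol of the library that any other object can overwrite. All visible uses are in snmp_api.c, so `static struct snmp_s_anti_attack g_stAntiAttack;` is enough; static storage is zero-initialised, which gives the same NULL members. The variable sits right after the END MTCRITICAL_RESOURCE marker and is read in _snmp_parse() with no lock visible in this patch, so its comment should state that callbacks must be registered before any session starts parsing.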
*/
+ /**
+ * Calls the functions to do config file loading and mib module parsing
+@@ -4287,10 +4308,33 @@ _snmp_parse(void *sessp,
+ static size_t ourEngineID_len = sizeof(ourEngineID);
+
+ netsnmp_pdu *pdu2 = NULL;
++#if defined(IDEAUI_ANTI_ATTACK)
++ char* peerName = NULL;
++ const int ipMaxLen = 256;
++ char szRemoteAddr[ipMaxLen] = {0};
++ char unknownPeer[ipMaxLen] = {0};
++ strcpy(unknownPeer, "UnkownHost");
++ snmp_anti_info antiInfo = {0};
++#endif
+
+ session->s_snmp_errno = 0;
+ session->s_errno = 0;
+
++#if defined(IDEAUI_ANTI_ATTACK)
++ if (pdu->transport_data_length != 0) {
++ struct sockaddr_in *from_in = (struct sockaddr_in *)pdu->transport_data;
++ if (AF_INET6 == from_in->sin_family) {
++ struct sockaddr_in6 *from_in6 = (struct sockaddr_in6 *)pdu->transport_data;
++ inet_ntop(AF_INET6, (void *) &(from_in6->sin6_addr), szRemoteAddr, sizeof(szRemoteAddr));
++ } else {
++ inet_ntop(AF_INET, (void *) &(from_in->sin_addr), szRemoteAddr, sizeof(szRemoteAddr));
++ }
++ peerName = szRemoteAddr;
++ } else {
++ peerName = unknownPeer;
++ }
++#endif
++
+ /*
+ * Ensure all incoming PDUs have a unique means of identification
+ * (This is not restricted to AgentX handling,
+@@ -4391,6 +4435,16 @@ _snmp_parse(void *sessp,
+ snmp_api_errstring(result)));
+
+ if (result) {
++#if defined(IDEAUI_ANTI_ATTACK)
++ antiInfo.userName = pdu->securityName;
++ antiInfo.peerName = peerName;
++ antiInfo.antiRes = result;
++ if (g_stAntiAttack.cb_add_attack_info != NULL &&
++ ((pdu->securityLevel == SNMP_SEC_LEVEL_AUTHNOPRIV) ||
++ (pdu->securityLevel == SNMP_SEC_LEVEL_AUTHPRIV))) {
++ g_stAntiAttack.cb_add_attack_info((char *)&antiInfo, (const char*)peerName);
++ }
++#endif
+ struct snmp_secmod_def *secmod =
+ find_sec_mod(pdu->securityModel);
+ if (!sessp) {
+@@ -4408,6 +4462,24 @@ _snmp_parse(void *sessp,
+ }
+ free_securityStateRef(pdu);
+ }
++#if defined(IDEAUI_ANTI_ATTACK)
++ else {
++ if ((g_stAntiAttack.cb_is_attack_lock != NULL) &&
++ ((pdu->securityLevel ==
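Review bot: netsnmp_init_antiattack_callback() in the `@@ -863` hunk has no doc comment, and two things about it are not obvious from the code: a NULL argument returns silently and leaves any earlier registration in place, and `cb_init_attack_info` / `cb_uninit_attack_info` are stored but never called anywhere in this patch. Add a comment stating both, or invoke the init hook here after the copy. The five assignments can be a single struct copy, `g_stAntiAttack = *callbacklist;`, and the parameter can be `const struct snmp_s_anti_attack *` because it is only read.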
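Review bot: The peer-address block in the `@@ -4287` hunk casts `pdu->transport_data` to `struct sockaddr_in *` after checking only that `transport_data_length` is non-zero, and it treats every family other than AF_INET6 as AF_INET. transport_data is transport-specific, so on a non-IP transport or a short buffer this reads past the data and hands the callbacks a meaningless peer name; the `inet_ntop()` result is not checked either. Separately, `const int ipMaxLen = 256;` is not a constant expression in C, so `char szRemoteAddr[ipMaxLen] = {0};` declares an initialised variable-length array, which C compilers normally reject; `INET6_ADDRSTRLEN` is the natural bound. The literal `"UnkownHost"` looks like a typo for UnknownHost, but it is a runtime value the callbacks may key on, so change it only together with them. _snmp_parse() starts and ends outside the hunk.

```c
    char szRemoteAddr[INET6_ADDRSTRLEN] = {0};
    char unknownPeer[] = "UnkownHost";
    /* … unchanged: peerName, antiInfo declarations, errno resets … */

    peerName = unknownPeer;
    if (pdu->transport_data != NULL &&
        pdu->transport_data_length >= sizeof(struct sockaddr_in)) {
        const struct sockaddr *from = (const struct sockaddr *)pdu->transport_data;
        const void *addr = NULL;

        if (from->sa_family == AF_INET) {
            addr = &((const struct sockaddr_in *)from)->sin_addr;
        } else if (from->sa_family == AF_INET6 &&
                   pdu->transport_data_length >= sizeof(struct sockaddr_in6)) {
            addr = &((const struct sockaddr_in6 *)from)->sin6_addr;
        }
        if (addr != NULL &&
            inet_ntop(from->sa_family, addr, szRemoteAddr, sizeof(szRemoteAddr)) != NULL) {
            peerName = szRemoteAddr;
        }
    }
```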
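Review bot: In the `@@ -4391` hunk `cb_add_attack_info` is called for every non-zero `result` at an auth security level, not only for a failed credential check, so parse errors and other USM failures on a message that merely claims authNoPriv/authPriv are counted as attack attempts as well. On this path the message has not been authenticated: `pdu->securityName` may be NULL or chosen by the sender, and the source address of a UDP datagram can be forged, so a lockout keyed on either can be triggered against a legitimate manager by a third party. Restrict the condition to the result codes that indicate a failed credential check, e.g. `result == SNMPERR_USM_AUTHENTICATIONFAILURE`, and document that the callback must tolerate a NULL `userName`. The inserted statements also precede the declaration of `secmod`, which older C dialects reject.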
SNMP_SEC_LEVEL_AUTHNOPRIV) ||
++ (pdu->securityLevel == SNMP_SEC_LEVEL_AUTHPRIV))) {
++ antiInfo.userName = pdu->securityName;
++ antiInfo.peerName = peerName;
++ antiInfo.antiRes = result;
++ if (g_stAntiAttack.cb_is_attack_lock((char *)&antiInfo, (const char*)peerName) != 0) {
++ result = SNMPERR_ASN_PARSE_ERR;
++ } else {
++ if (g_stAntiAttack.cb_clear_attack_info != NULL) {
++ g_stAntiAttack.cb_clear_attack_info((char *)&antiInfo, (const char*)peerName);
++ }
++ }
++ }
++ }
++#endif
+
+ /* Implement RFC5343 here for two reasons:
+ 1) From a security perspective it handles this otherwise
diff --git a/net-snmp-5.9.1-IdeaUI_reset_last_engineTime.patch b/net-snmp-5.9.1-IdeaUI_reset_last_engineTime.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7a1991e438e2ad4e620ac32741645f5173c1df63
--- /dev/null
+++ b/net-snmp-5.9.1-IdeaUI_reset_last_engineTime.patch
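Review bot: When `cb_is_attack_lock` reports a lock on a message that parsed successfully, the new `else` branch in the `@@ -4408` hunk only overwrites `result` with `SNMPERR_ASN_PARSE_ERR`; it skips the `free_securityStateRef(pdu)` cleanup that the failure branch just above performs, and whether later code releases that state is outside the hunk. Reusing the ASN.1 parse error code also makes a lockout indistinguishable from a malformed packet in counters and logs, so an operator cannot see that the limiter fired. At minimum log it, e.g. `snmp_log(LOG_WARNING, "anti-attack: request from %s rejected, peer locked\n", peerName);`, and add a comment explaining why a parse error is returned. The three `antiInfo` assignments are duplicated from the failure hunk and could be done once before `if (result)`.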
@@ -0,0 +1,47 @@
+From e194c8fbe2cc2b1085a3da97ddb94eb329558446 Mon Sep 17 00:00:00 2001
+From: chenrufeng
+Date: Fri, 5 Jan 2024 10:38:35 +0800
+Subject: [PATCH] Reset last_engineTime when calling init_snmpv3()
+
+---
+ snmplib/snmpv3.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/snmplib/snmpv3.c b/snmplib/snmpv3.c
+index 29c2a0ffc..d9b9eb7d6 100644
+--- a/snmplib/snmpv3.c
++++ b/snmplib/snmpv3.c
+@@ -99,6 +99,10 @@ static struct timeval snmpv3starttime;
+ static int getHwAddress(const char *networkDevice, char *addressOut);
+ #endif
+
++#ifdef IDEAUI_RESET_LAST_ENGINETIME
++ static uint32_t last_engineTime = 0;
++#endif
++
+ /*******************************************************************-o-******
+ * snmpv3_secLevel_conf
+ *
+@@ -949,6 +953,9 @@ init_snmpv3(const char *type)
+ {
+ netsnmp_get_monotonic_clock(&snmpv3starttime);
+
++#ifdef IDEAUI_RESET_LAST_ENGINETIME
++ last_engineTime = 0;
++#endif
+ if (!type)
+ type = "__snmpapp__";
+
+@@ -1249,7 +1256,9 @@ snmpv3_local_snmpEngineTime(void)
+ netsnmp_feature_require(calculate_sectime_diff)
+ #endif /* NETSNMP_FEATURE_CHECKING */
+
++#ifndef IDEAUI_RESET_LAST_ENGINETIME
+ static uint32_t last_engineTime;
++#endif
+ struct timeval now;
+ uint32_t engineTime;
+
+--
+2.34.1
+
diff --git a/net-snmp.spec b/net-snmp.spec
index b4c9821ac539c135cf1109da7312cf88b3f58aa5..7a0706faa12520f8088b18db24c49538804c1d0c 100644
--- a/net-snmp.spec
+++ b/net-snmp.spec
@@ -3,7 +3,7 @@ Name: net-snmp Version: 5.9.3 -Release: 1 +Release: 2 Epoch: 1 Summary: SNMP Daemon License: BSD
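Review bot: Zeroing `last_engineTime` in init_snmpv3() (the `@@ -949` hunk) carries no comment saying why, and the code that consumes the variable in snmpv3_local_snmpEngineTime() is outside these hunks. If that function uses the previous value to notice engine time going backwards and then bumps engineBoots, the reset suppresses that bump on re-initialisation; USM timeliness checks rely on engineBoots increasing whenever engineTime restarts, so confirm that another path increments it. If the intent is only to avoid a false wrap detection, a comment such as `/* snmpv3starttime was just reset; forget the previous engineTime so the restart is not mistaken for a wrap */` at the reset would settle it. The file-scope definition in the `@@ -99` hunk is indented unlike the neighbouring declarations and has a redundant `= 0`; `static uint32_t last_engineTime;` at column 0 would match them.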
@@ -44,6 +44,10 @@ Patch22: backport-libsnmp-Remove-netsnmp_openssl_err_log.patch Patch23: backport-net-snmp-5.9-ipv6-disable-leak.patch Patch24: backport-net-snmp-5.9-sendmsg-error-code.patch +patch25: dump-space-around-the-equal-for-shellcheck-sc1068.patch +Patch26: net-snmp-5.9.1-IdeaUI_antic_attack.patch +Patch27: net-snmp-5.9.1-IdeaUI_reset_last_engineTime.patch + %{?systemd_requires} BuildRequires: systemd gcc openssl-devel bzip2-devel elfutils-devel libselinux-devel BuildRequires: elfutils-libelf-devel rpm-devel perl-devel perl(ExtUtils::Embed) procps @@ -201,8 +205,7 @@ for file in README COPYING; do iconv -f 8859_1 -t UTF-8 <$file >$file.utf8 mv $file.utf8 $file done -chmod 644 local/ipf-mod.pl -chmod 755 local/passtest +chmod 644 local/passtest local/ipf-mod.pl mkdir -p %{buildroot}/%{_tmpfilesdir} install -m 644 %SOURCE7 %{buildroot}/%{_tmpfilesdir}/net-snmp.conf @@ -215,6 +218,7 @@ cp -f libtool.orig libtool rm -vf testing/fulltests/default/T200snmpv2cwalkall_simple chmod 755 local/passtest LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test +chmod 644 local/passtest %endif %post @@ -322,6 +326,13 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test %{_mandir}/man1/fixproc* %changelog +* Fri May 10 2024 gaihuiying - 1:5.9.3-2 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:Customized the anti-attacki/reset-last_engineTime function for IdeaUI + change the permissions of passtest + * Mon Aug 07 2023 xingwei - 1:5.9.3-1 - Type:requirement - CVE:NA
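Review bot: `patch25:` in the `@@ -44` hunk is written in lower case while every other tag in the block is `PatchNN:`; RPM accepts it, but tooling that matches `^Patch` will miss it, so write `Patch25: dump-space-around-the-equal-for-shellcheck-sc1068.patch`. Patch26 and Patch27 guard every change behind `IDEAUI_ANTI_ATTACK`, `IDEAUI_OS_ANDROID` or `IDEAUI_RESET_LAST_ENGINETIME`, and no hunk shown here adds those macros to the build flags, so unless they are defined elsewhere in the spec the functions named in the changelog entry are compiled out. A comment above the two Patch lines naming the macro that enables each one would make that explicit.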