On Mon, Apr 23, 2012 at 9:56 PM, Jim Mankovich <jm...@hp.com> wrote:
> Duncan,
>
> I already have a fix for the 16 character username problem. I already
> posted a patch for it to the Patch tracker
>
Alright.
> for version 1.8.11 and I was going to post a patch for it to TOB after I
> complete the Threshold/Discrete/Analog
> Display issue which is currently in review. If you look closely you will
> see I assigned these defects to myself.
>
> Both of the defects you mention are for the same issue, the problem is
> that ipmitool permits a user to specify greater
> than 16 character passwords. The IPMI password length limit is 16.
>
>
Indeed it is. That's not the point. The point is anyone with any tool, or
just a modified ipmitool, can send a username/password longer than 16 bytes and
make the BMC hang. ipmitool is one of the places it should get fixed, but not
the only one. That's the point.
Such a bug could have made it a great DoS. Hmm.
> I'll try to post a patch for review for the 16 character username limit
> sometime this week.
>
> Do what you can with the resources you have at hand.
> Any/All help is much appreciated.
>
>
Once the patches I've posted get "somewhere", I'll post more. But sacrifice
time on stuff that doesn't go anywhere? Been there, done that and life is
too short ;)
Take care,
--Duncan
>
> -- Jim Mankovich | jm...@hp.com --
>
>
> On 4/23/2012 12:22 PM, Duncan Idaho wrote:
>
>
> On Mon, Apr 23, 2012 at 6:26 PM, Jim Mankovich <jm...@hp.com> wrote:
>
>> [...]
>> report and I could not find any existing resolution to in the TOB CVS for
>> ipmitool. If anyone
>> has any time to work on ipmitool, please look at Tracker items first for
>> something to do.
>>
>>
> Time, yes (sometimes). Machines to test on? No.
> And some stuff, well most of it, will require some IPMI capable
> hardware to test and develop on. So it won't be that easy to get devs.
>
> Anyway. Once we agree on code in 'lib/ipmi_user.c', I could take a look at
> http://sourceforge.net/tracker/?func=detail&aid=3001519&group_id=95200&atid=610550 and
> http://sourceforge.net/tracker/?func=detail&aid=3184687&group_id=95200&atid=610550.
> That's where they'll go, right? btw this sounds like a BMC (IPMI stack) to
> me as well and the reporter should report it to his vendor.
>
> --Duncan
>
>
_______________________________________________
Ipmitool-devel mailing list
Ipmitool-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipmitool-devel