On 21 March 2010 08:45, Dave Shield <[email protected]> wrote:
> On 20 March 2010 15:13, Robert Story <[email protected]> wrote:
>> Dave, have any other issues come up that might warrant a rc2?
>
> I've got a list of three or four possible patches sitting on my desk at work.
> I'll send out a CFV tomorrow.


Please find attached four proposed patches, which could potentially be
applied to the 5.4.x (and 5.2.x) lines.   We're currently in release-freeze
for both of these branches, so could people please indicate whether or
not they would like to see these included in the 5.4.3 and 5.2.6 releases.

It would be helpful to have an explicit vote for each individual patch:

1) Latch disk statistics:   no / 54x only / both 54x and 52x
2) Missing privKey crash:   no / 54x only / both 54x and 52x
3) VACM best match:     no / 54x only / both 54x and 52x
4) MIB dir path logging:   no / 54x only / both 54x and 52x

A word of explanation for each of these:

1)  Latch disk statistics   (disk-latch.patch)
         For large disks (>2Tb), the UCD-SNMP-MIB:dskTable currently
reports the lower-32 bits of the total/usage/available statistics, which
is effectively a random, meaningless (but apparently valid) value.
This patch latches these three objects at the maximum value for an
Integer32 object - thus indicating that the value is not actually useable.

2)  Missing privKey crash  (des-priv.patch)
        In certain circumstances (relating to sending SNMPv3 notifications),
it's possible for sending a trap to follow a NULL pointer and crash the
agent.  This patch protects against this.
   (See the coders thread "snmpwalk causes agent to coldStart"
from last Monday for details)

3)  VACM best match    (vacm-best-match.patch)
         The VACM MIB describes how to select which row from the
vacmAccessTable to use when deciding whether to allow access.
The Net-SNMP agent does not follow this algorithm properly.
This patch corrects this.
   (See the users thread "vacm_getAccessEntry() doesn't look for best match"
from December 2009 for details)

4)  MIB dir path logging   (mibdir-log.patch)
          A common query on the lists is asking why the agent isn't loading
configuration or MIB files - particularly when switching from a vendor-supplied
package to source-compiled version (or vice versa).   This often comes
down to changes in the search paths used, but determining what paths
are being used requires turning on debugging tokens.
   This patch reports the relevant search path as part of the error message
when a MIB module isn't found, or no access control is configured.
(As well as reporting these paths as part of the usage output message)


I await your votes for or against.....

Dave
Index: agent/mibgroup/ucd-snmp/disk.c
===================================================================
--- agent/mibgroup/ucd-snmp/disk.c	(revision 18348)
+++ agent/mibgroup/ucd-snmp/disk.c	(working copy)
@@ -163,6 +163,8 @@
     int             minpercent;
 };
 
+#define MAX_INT_32 0x7fffffff
+
 int             numdisks;
 int             allDisksIncluded = 0;
 int             maxdisks = 0;
@@ -768,11 +770,18 @@
     switch (vp->magic) {
     case DISKTOTAL:
         long_ret = (long)(vfs.f_blocks * multiplier);
+        if ( long_ret > MAX_INT_32 )
+            long_ret = MAX_INT_32;
         return ((u_char *) (&long_ret));
     case DISKAVAIL:
-        return ((u_char *) (&avail));
+        long_ret = avail;
+        if ( long_ret > MAX_INT_32 )
+            long_ret = MAX_INT_32;
+        return ((u_char *) (&long_ret));
     case DISKUSED:
         long_ret = (long)((vfs.f_blocks - vfs.f_bfree) * multiplier);
+        if ( long_ret > MAX_INT_32 )
+            long_ret = MAX_INT_32;
         return ((u_char *) (&long_ret));
     case DISKPERCENT:
         long_ret = percent;
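Review bot: in DISKTOTAL and DISKUSED the product is cast to long before the new `long_ret > MAX_INT_32` test, so where long is 32 bits the value is already truncated and the clamp can never fire; a wrapped result can also come out negative and pass the test. Compare the untruncated product (`vfs.f_blocks * multiplier`) against MAX_INT_32 in its own wider type first, and only then assign to long_ret. The DISKAVAIL branch has the same ordering concern if `avail` is wider than long.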
@@ -845,12 +854,18 @@
     switch (vp->magic) {
     case DISKTOTAL:
         long_ret = (long)(totalblks * multiplier);
+        if ( long_ret > MAX_INT_32 )
+            long_ret = MAX_INT_32;
         return ((u_char *) (&long_ret));
     case DISKAVAIL:
         long_ret = (long)(avail * multiplier);
+        if ( long_ret > MAX_INT_32 )
+            long_ret = MAX_INT_32;
         return ((u_char *) (&long_ret));
     case DISKUSED:
         long_ret = (long)(used * multiplier);
+        if ( long_ret > MAX_INT_32 )
+            long_ret = MAX_INT_32;
         return ((u_char *) (&long_ret));
     case DISKPERCENT:
         long_ret = percent;
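Review bot: the same two-line clamp now appears six times across the two var_extensible_disk variants (three here, three in the hunk above), each after a `(long)` cast. A single helper that takes the wide value and returns the latched long would keep the six sites consistent and give one place to do the comparison before the narrowing cast. It would also be worth a one-line comment at the `#define MAX_INT_32` saying that this value means "too large to report", since a consumer cannot tell a latched value from a genuine one.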
Index: snmplib/snmpusm.c
===================================================================
--- snmplib/snmpusm.c	(revision 18256)
+++ snmplib/snmpusm.c	(working copy)
@@ -2590,6 +2590,17 @@
 
             end_of_overhead = value_ptr;
 
+            if ( !user->privKey ) {
+                DEBUGMSGTL(("usm", "No privacy pass phrase for %s\n", user->secName));
+                if (snmp_increment_statistic(STAT_USMSTATSDECRYPTIONERRORS) ==
+                    0) {
+                    DEBUGMSGTL(("usm", "%s\n", "Failed increment statistic."));
+                }
+                usm_free_usmStateReference(*secStateRef);
+                *secStateRef = NULL;
+                return SNMPERR_USM_DECRYPTIONERROR;
+            }
+
             /*
              * XOR the salt with the last (iv_length) bytes
              * of the priv_key to obtain the IV.
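Review bot: the new guard `if ( !user->privKey )` only tests the pointer, while the comment directly below says the IV is taken from the last iv_length bytes of the priv_key; a key that is present but shorter than that is not covered by this check, so the key length should be validated in the same place. The failure is also reported only through DEBUGMSGTL, which means an operator running without the usm debug token sees a dropped message with no explanation; a snmp_log() line naming user->secName would make the misconfiguration diagnosable. The wording "No privacy pass phrase" does not quite match what is tested (a missing key), so "No privacy key" would be more accurate.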
Index: snmplib/vacm.c
===================================================================
--- snmplib/vacm.c	(revision 18350)
+++ snmplib/vacm.c	(working copy)
@@ -881,11 +881,50 @@
 }
 
 struct vacm_accessEntry *
+_vacm_choose_best( struct vacm_accessEntry *current,
+                   struct vacm_accessEntry *candidate)
+{
+    /*
+     * RFC 3415: vacmAccessTable:
+     *    2) if this set has [more than] one member, ...
+     *       it comes down to deciding how to weight the
+     *       preferences between ContextPrefixes,
+     *       SecurityModels, and SecurityLevels
+     */
+    if (( !current ) ||
+        /* a) if the subset of entries with securityModel
+         *    matching the securityModel in the message is
+         *    not empty, then discard the rest
+         */
+        (  current->securityModel == SNMP_SEC_MODEL_ANY &&
+         candidate->securityModel != SNMP_SEC_MODEL_ANY ) ||
+        /* b) if the subset of entries with vacmAccessContextPrefix
+         *    matching the contextName in the message is
+         *    not empty, then discard the rest
+         */
+        (  current->contextMatch  == CONTEXT_MATCH_PREFIX &&
+         candidate->contextMatch  == CONTEXT_MATCH_EXACT ) ||
+        /* c) discard all entries with ContextPrefixes shorter
+         *    than the longest one remaining in the set
+         */
+        (  current->contextMatch  == CONTEXT_MATCH_PREFIX &&
+           current->contextPrefix[0] < candidate->contextPrefix[0] ) ||
+        /* d) select the entry with the highest securityLevel
+         */
+        (  current->securityLevel < candidate->securityLevel )) {
+
+        return candidate;
+    }
+
+    return current;
+}
+
+struct vacm_accessEntry *
 vacm_getAccessEntry(const char *groupName,
                     const char *contextPrefix,
                     int securityModel, int securityLevel)
 {
-    struct vacm_accessEntry *vp;
+    struct vacm_accessEntry *vp, *best=NULL;
     char            group[VACMSTRINGLEN];
     char            context[VACMSTRINGLEN];
     int             glen, clen;
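Review bot: the four criteria in _vacm_choose_best() are joined with `||`, so a later rule can override an earlier one instead of only breaking ties. For example, if current has a specific securityModel and candidate has SNMP_SEC_MODEL_ANY but a higher securityLevel, test (d) `current->securityLevel < candidate->securityLevel` is true and the candidate replaces a row that step (a) says should have been kept; the same applies to an exact-context current losing to a prefix candidate. Since this selects the access row, the comparison should be ordered: evaluate (a), return as soon as it distinguishes the two entries, and fall through to (b), (c), (d) only when the earlier step ties. Test (c) also compares prefix lengths without looking at candidate->contextMatch. The helper is not declared static despite the leading underscore.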
@@ -914,9 +953,9 @@
                  && clen >= vp->contextPrefix[0]
                  && (memcmp(vp->contextPrefix + 1, context + 1,
                             vp->contextPrefix[0]) == 0))))
-            return vp;
+            best = _vacm_choose_best( best, vp );
     }
-    return NULL;
+    return best;
 }
 
 void
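Review bot: replacing `return vp;` with `best = _vacm_choose_best( best, vp );` changes the result for any existing configuration with more than one matching access row, from first match in list order to the selected best match. That is the intended fix, but because it can silently change which views a group is granted, it deserves an explicit entry in the release notes and a comment above vacm_getAccessEntry() stating that the whole list is now walked.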
Index: snmplib/parse.c
===================================================================
--- snmplib/parse.c	(revision 18044)
+++ snmplib/parse.c	(working copy)
@@ -548,6 +549,7 @@
 
 static int      current_module = 0;
 static int      max_module = 0;
+static int      first_err_module = 1;
 static char    *last_err_module = NULL; /* no repeats on "Cannot find module..." */
 
 static void     tree_from_node(struct tree *tp, struct node *np);
@@ -794,6 +796,11 @@
 static void
 print_module_not_found(const char *cp)
 {
+    if (first_err_module) {
+        snmp_log(LOG_ERR, "MIB search path: %s\n",
+                           netsnmp_get_mib_directory());
+        first_err_module = 0;
+    }
     if (!last_err_module || strcmp(cp, last_err_module))
         print_error("Cannot find module", cp, CONTINUE);
     if (last_err_module)
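Review bot: the return value of netsnmp_get_mib_directory() is passed straight to a `%s` in snmp_log(); if that call can return NULL (for instance when no directory has been set), this is undefined behaviour in the error path itself. Store the result in a local and substitute a placeholder string when it is NULL. Note also that first_err_module is never reset, so if the search path is changed later in the same process the logged path will be stale; a short comment on the flag saying it is deliberately one-shot would help.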
Index: agent/mibgroup/mibII/vacm_conf.c
===================================================================
--- agent/mibgroup/mibII/vacm_conf.c	(revision 18044)
+++ agent/mibgroup/mibII/vacm_conf.c	(working copy)
@@ -1111,10 +1111,12 @@
          */
         if ((MASTER_AGENT == agent_mode) && (strcmp(name, "snmptrapd") != 0)) {
             snmp_log(LOG_WARNING,
-                 "Warning: no access control information configured.\n  It's "
-                 "unlikely this agent can serve any useful purpose in this "
-                 "state.\n  Run \"snmpconf -g basic_setup\" to help you "
-                 "configure the %s.conf file for this agent.\n", name );
+                 "Warning: no access control information configured.\n"
+                 "  (Config search path: %s)\n"
+                 "  It's unlikely this agent can serve any useful purpose in this state.\n"
+                 "  Run \"snmpconf -g basic_setup\" to help you "
+                 "configure the %s.conf file for this agent.\n",
+                 get_configuration_directory(), name);
         }
 
         /*
@@ -1134,7 +1136,9 @@
                                     NETSNMP_DS_APP_NO_AUTHORIZATION)) {
             snmp_log(LOG_WARNING,
                  "Warning: no access control information configured.\n"
-                 "This receiver will *NOT* accept any incoming notifications.\n");
+                 "  (Config search path: %s)\n"
+                 "This receiver will *NOT* accept any incoming notifications.\n",
+                 get_configuration_directory());
         }
     }
     return SNMP_ERR_NOERROR;
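Review bot: style point on the snmptrapd message: the added `"  (Config search path: %s)\n"` line is indented, but the following "This receiver will *NOT* accept ..." line is not, whereas the agent message in the previous hunk indents every continuation line. Indenting the last line here would keep the two warnings consistent.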
Index: agent/snmpd.c
===================================================================
--- agent/snmpd.c	(revision 18044)
+++ agent/snmpd.c	(working copy)
@@ -269,6 +269,7 @@
            "  -A\t\t\tappend to the logfile rather than truncating it\n"
            "  -c FILE[,...]\t\tread FILE(s) as configuration file(s)\n"
            "  -C\t\t\tdo not read the default configuration files\n"
+           "\t\t\t  (config search path: %s)\n"
            "  -d\t\t\tdump sent and received SNMP packets\n"
            "  -DTOKEN[,...]\tturn on debugging output for the given TOKEN(s)\n"
 	   "\t\t\t  (try ALL for extremely verbose output)\n"
@@ -283,11 +284,12 @@
            "  -I [-]INITLIST\tlist of mib modules to initialize (or not)\n"
            "\t\t\t  (run snmpd with -Dmib_init for a list)\n"
            "  -L <LOGOPTS>\t\ttoggle options controlling where to log to\n",
-           netsnmp_get_version());
+           netsnmp_get_version(),
+           get_configuration_directory());
     snmp_log_options_usage("\t", stdout);
     printf("  -m MIBLIST\t\tuse MIBLIST instead of the default MIB list\n"
-           "  -M DIRLIST\t\tuse DIRLIST as the list of locations\n"
-           "\t\t\t  to look for MIBs\n"
+           "  -M DIRLIST\t\tuse DIRLIST as the list of locations to look for MIBs\n"
+           "\t\t\t  (default %s)\n"
            "  -p FILE\t\tstore process id in FILE\n"
            "  -q\t\t\tprint information in a more parsable format\n"
            "  -r\t\t\tdo not exit if files only accessible to root\n"
@@ -322,7 +324,13 @@
            "  -s\t\t\tuse -Lsd instead\n"
            "  -S d|i|0-7\t\tuse -Ls <facility> instead\n"
 
-           "\n");
+           "\n",
+#ifndef NETSNMP_DISABLE_MIB_LOADING
+           netsnmp_get_mib_directory()
+#else
+           "MIBs not loaded"
+#endif
+           );
     exit(1);
 }
 
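Review bot: the `%s` placeholders added to the usage text are a long way from their arguments: "(default %s)" is added in the previous hunk and its argument arrives here, wrapped in `#ifndef NETSNMP_DISABLE_MIB_LOADING` inside the printf() argument list. That makes it easy for the format string and the arguments to drift apart in a later edit. Consider assigning the MIB directory (or "MIBs not loaded") to a local `const char *` before the printf() so the preprocessor conditional sits outside the call, and keep each placeholder in the same printf() statement as its argument.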
Index: snmplib/snmp_parse_args.c
===================================================================
--- snmplib/snmp_parse_args.c	(revision 18044)
+++ snmplib/snmp_parse_args.c	(working copy)
@@ -132,6 +133,8 @@
             "  -M DIR[:...]\t\tlook in given list of directories for MIBs\n");
 #ifndef NETSNMP_DISABLE_MIB_LOADING
     fprintf(outf,
+            "    (default: %s)\n", netsnmp_get_mib_directory());
+    fprintf(outf,
             "  -P MIBOPTS\t\tToggle various defaults controlling MIB parsing:\n");
     snmp_mib_toggle_options_usage("\t\t\t  ", outf);
 #endif
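Review bot: the new "(default: %s)" line is inside `#ifndef NETSNMP_DISABLE_MIB_LOADING`, but the "-M DIR[:...]" line it annotates is printed above the conditional, so the two are tied to different build settings. The continuation is also indented with four spaces while the surrounding usage text uses the "\t\t\t  " prefix (as passed to snmp_mib_toggle_options_usage() just below), so it will not line up under the option description. The same NULL consideration applies to netsnmp_get_mib_directory() being passed to `%s`.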
_______________________________________________
Net-snmp-coders mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders