Description of problem:
If ipmitool firewall reset is executed without specifying the parameters [<channel H>] [<lun L> [ <netfn N> [<command C [<subfn S>]]]], it will print out a usage message for each lun/netfn pair for all 256 commands. This is a very long list and eventually results in a segmentation fault.

Version-Release number of selected component (if applicable):
~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.8 (Santiago)
[root@dell-per210-01 ~]# uname -r
2.6.32-642.el6.i686
~]# rpm -q ipmitool
ipmitool-1.8.15-2.el6.i686

How reproducible:
Always

Steps to Reproduce:
1. ipmitool firewall reset
2.
3.

Actual results:
~]# ipmitool firewall reset
Get Command Support (LUN=0, NetFn=46, op=0) command failed: Request data length invalid
Get Configurable Command (LUN=0, NetFn=46, op=0) command failed: Request data length invalid
Get Command Support (LUN=2, NetFn=0, op=0) command failed: Invalid data field in request
Get Configurable Command (LUN=2, NetFn=0, op=0) command failed: Invalid data field in request
Get Command Enables (LUN=2, NetFn=0, op=0) command failed: Invalid data field in request
Get Command Support (LUN=2, NetFn=2, op=0) command failed: Invalid data field in request
Get Configurable Command (LUN=2, NetFn=2, op=0) command failed: Invalid data field in request
Get Command Enables (LUN=2, NetFn=2, op=0) command failed: Invalid data field in request
<snip>
Set Command Sub-function Enables (LUN=3, NetFn=34, command=253) command failed: Invalid data field in request
reset lun 3, netfn 34, command 254, subfn
Set Command Sub-function Enables (LUN=3, NetFn=34, command=254) command failed: Invalid data field in request
reset lun 3, netfn 34, command 255, subfn
Set Command Sub-function Enables (LUN=3, NetFn=34, command=255) command failed: Invalid data field in request
reset lun 3, netfn 34, command
Set Command Enables (LUN=3, NetFn=34, op=0) command failed: Invalid data field in request
reset lun 3, netfn 36, command 0, subfn
Segmentation fault (core dumped)

Expected results:
No segmentation fault; if unsupported, a single usage message should be printed.

Additional info:
I can hit this as well and it is not fixed upstream yet. The issue seems to be that the cmd pointers for netfn 38 (and onwards) do not point to a valid memory area and, once dereferenced, lead to a segfault. Looking further at the code, this is caused by the dual meaning of n in the internal functions -- in the function that populates the structures (_gather_info), it means a natural number, while in the function that processes it (ipmi_firewall_reset), it denotes an even number (2*n) -- hence, it tries to access memory that is simply out of bounds of what was allocated.

As for the amount of messages, we could limit this a bit if we checked whether it is supported. It did not work 100 % in my tests but it did take less time and produced less noise. However, I am not sure whether this is desired, as 'ipmitool reset firewall' is supposed to reset all the firewall values and this is probably a best-effort (albeit brute force) approach to it -- the BMC could probably lie about the support, etc...
Upstream PR: https://sourceforge.net/p/ipmitool/bugs/446/
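Added illustration of the index mismatch described in the analysis above; this is not ipmitool source and not part of the original comments. The type names, the helper functions and the table size of 32 netfn pairs are assumptions chosen for the sketch: the producer fills slots by pair index n, the buggy consumer indexes with the even netfn value, and the fixed lookup converts and bounds-checks.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define NETFN_PAIRS 32                 /* assumed table size: one slot per netfn pair */
#define MAX_NETFN   (2 * NETFN_PAIRS)  /* request netfns are the even values 0..62 */

struct netfn_slot { unsigned char *cmd; };            /* hypothetical per-command table */
struct lun_table  { struct netfn_slot slot[NETFN_PAIRS]; };

/* Producer: n is a natural pair index, so slot[n] describes netfn 2*n. */
int table_fill(struct lun_table *t) {
    for (int n = 0; n < NETFN_PAIRS; n++) {
        t->slot[n].cmd = calloc(256, 1);
        if (t->slot[n].cmd == NULL)
            return -1;
    }
    return 0;
}

/* Buggy consumer: uses the even netfn value itself as the array index. */
size_t index_buggy(unsigned netfn) { return netfn; }

/* Number of netfn values for which the buggy walk indexes past the table. */
int count_oob_buggy(void) {
    int oob = 0;
    for (unsigned netfn = 0; netfn < MAX_NETFN; netfn += 2)
        if (index_buggy(netfn) >= NETFN_PAIRS)
            oob++;
    return oob;
}

/* Fixed lookup: map netfn back to its pair index and refuse anything outside
 * the table instead of handing back a wild cmd pointer. */
struct netfn_slot *slot_for_netfn(struct lun_table *t, unsigned netfn) {
    if ((netfn & 1u) != 0 || netfn >= MAX_NETFN)
        return NULL;
    return &t->slot[netfn / 2];
}

int main(void) {
    struct lun_table t;
    if (table_fill(&t) != 0)
        return 1;
    printf("buggy walk: %d of %d netfn values index out of bounds\n",
           count_oob_buggy(), NETFN_PAIRS);
    printf("fixed lookup: netfn 36 -> slot %td\n", slot_for_netfn(&t, 36) - t.slot);
    return 0;
}
```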
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. The official life cycle policy can be reviewed here: http://redhat.com/rhel/lifecycle This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL: https://access.redhat.com/