!39 Fix get_bmc_ip failure caused by search rule issue

From: @zhangzikang1992 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12

0005-zero-initialize-the-recv-structure-on-the-stack.patch

@@ -0,0 +1,26 @@
+From 5ac7f6a54e0a416fc37e962c2be87b16821cc771 Mon Sep 17 00:00:00 2001
+From: Patrick Venture <pstrinkle@users.noreply.github.com>
+Date: Wed, 3 Nov 2021 14:10:53 -0700
+Subject: [PATCH] zero initialize the recv structure on the stack
+
+Zero initialize the recv structure used by openipmi_read().
+---
+ src/ipmievd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/ipmievd.c b/src/ipmievd.c
+index 2c19887..6a94b1f 100644
+--- a/src/ipmievd.c
++++ b/src/ipmievd.c
+@@ -422,7 +422,7 @@ static int
+ openipmi_read(struct ipmi_event_intf * eintf)
+ {
+ 	struct ipmi_addr addr;
+-	struct ipmi_recv recv;
++	struct ipmi_recv recv = {};
+ 	uint8_t data[80];
+ 	int rv;
+ 
+-- 
+2.25.1
+

0006-Fix-get_bmc_ip-failure-caused-by-search-rule-issue.patch

@@ -0,0 +1,27 @@
+From bfc156d725d3262d331a771a2be06e3dd9eeb6be Mon Sep 17 00:00:00 2001
+From: zhangzikang <zhangzikang@kylinos.cn>
+Date: Wed, 25 Sep 2024 14:26:54 +0800
+Subject: [PATCH] Fix get_bmc_ip failure caused by search rule issue
+
+---
+ contrib/exchange-bmc-os-info.init.redhat | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/contrib/exchange-bmc-os-info.init.redhat b/contrib/exchange-bmc-os-info.init.redhat
+index b7ec43f..98efbe6 100644
+--- a/contrib/exchange-bmc-os-info.init.redhat
++++ b/contrib/exchange-bmc-os-info.init.redhat
+@@ -199,8 +199,8 @@ get_bmc_ip()
+ 	#Thanks to http://ingvar.blog.redpill-linpro.com
+ 	for CHANNEL in `seq 1 14`
+ 	do
+-		[ $(${IPMI_TOOL} lan print ${CHANNEL} 2>/dev/null \
+-			| grep -q "^Set") ] || break
++		${IPMI_TOOL} lan print ${CHANNEL} 2>/dev/null \
++			| grep -q "^IP Address  .*:" && break
+ 	done
+ 
+ 	# Get BMC_IPv4 and BMC_URL from BMC
+-- 
+2.27.0
+

backport-fru-Fix-crashes-on-6-bit-ASCII-strings.patch

@@ -0,0 +1,33 @@
+From 1245aaa387dca1cb99408869b2c1b3e2410a1352 Mon Sep 17 00:00:00 2001
+From: Alexander Amelkin <alexander@amelkin.msk.ru>
+Date: Tue, 15 Sep 2020 16:49:20 +0300
+Subject: [PATCH] fru: Fix crashes on 6-bit ASCII strings
+
+Fix calculation of the buffer size for decoded 6-bit ASCII
+strings. Previously the program could allocate too a short buffer
+that caused buffer overflows and segmentation fault crashes on
+certain FRU contents.
+
+Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
+---
+ lib/ipmi_fru.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c
+index 501ef26..3d1d8a1 100644
+--- a/lib/ipmi_fru.c
++++ b/lib/ipmi_fru.c
+@@ -175,8 +175,8 @@ char * get_fru_area_str(uint8_t * data, uint32_t * offset)
+ 		size = (len * 2);
+ 		break;
+ 	case 2:           /* 10b: 6-bit ASCII */
+-		/* 4 chars per group of 1-3 bytes */
+-		size = (((len * 4 + 2) / 3) & ~3);
++		/* 4 chars per group of 1-3 bytes, round up to 4 bytes boundary */
++		size = (len / 3 + 1) * 4;
+ 		break;
+ 	case 3:           /* 11b: 8-bit ASCII */
+ 		/* no length adjustment */
+-- 
+2.20.1
+

backport-lan-channel-Fix-set-alert-on-off.patch

@@ -0,0 +1,69 @@
+From 4b791f8bf67ef9134699039b2758ed4023409621 Mon Sep 17 00:00:00 2001
+From: Alexander Amelkin <alexander@amelkin.msk.ru>
+Date: Tue, 20 Oct 2020 17:15:59 +0300
+Subject: [PATCH] lan: channel: Fix set alert on/off
+
+From IPMI Spec, Chapter 22.22 Set Channel Access Command
+Table 22, Set Channel Access Command
+
+Byte#2, Bit#5 is "PEF Alerting Enable/Disable"
+And the bit value:
+    0b = enable PEF Alerting
+    1b = disable PEF Alerting on this channel
+
+In current code, alert "on" set Bit#5 to 1 and alert "off" set Bit#5 to
+0, it's straightforward but just opposite of IPMI spec bit definition.
+
+Resolves ipmitool/ipmitool#247
+
+Reported-by: Ryan Fang <Ryan.Fang@quantatw.com>
+Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
+---
+ include/ipmitool/ipmi_channel.h | 10 ++++++++--
+ lib/ipmi_lanp.c                 |  6 +++---
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/include/ipmitool/ipmi_channel.h b/include/ipmitool/ipmi_channel.h
+index d9be57e..41f1b88 100644
+--- a/include/ipmitool/ipmi_channel.h
++++ b/include/ipmitool/ipmi_channel.h
+@@ -89,10 +89,16 @@ struct channel_info_t {
+ 	uint8_t aux_info[2];
+ };
+ 
+-/* (22.23) Get Channel Access */
++
++/* (22.22 / 22.23) Set/Get Channel Access */
++typedef enum {
++    ALERTING_ENABLED = 0,
++    ALERTING_DISABLED = (1 << 5) /* See Table 22 */
++} alerting_t;
++
+ struct channel_access_t {
+ 	uint8_t access_mode;
+-	uint8_t alerting;
++	alerting_t alerting;
+ 	uint8_t channel;
+ 	uint8_t per_message_auth;
+ 	uint8_t privilege_limit;
+diff --git a/lib/ipmi_lanp.c b/lib/ipmi_lanp.c
+index 16c0d9a..fe0046f 100644
+--- a/lib/ipmi_lanp.c
++++ b/lib/ipmi_lanp.c
+@@ -1026,10 +1026,10 @@ ipmi_set_alert_enable(struct ipmi_intf *intf, uint8_t channel, uint8_t enable)
+ 				channel);
+ 		return (-1);
+ 	}
+-	if (enable != 0) {
+-		channel_access.alerting = 1;
++	if (enable) {
++		channel_access.alerting = ALERTING_ENABLED;
+ 	} else {
+-		channel_access.alerting = 0;
++		channel_access.alerting = ALERTING_DISABLED;
+ 	}
+ 	/* non-volatile */
+ 	ccode = _ipmi_set_channel_access(intf, channel_access, 1, 0);
+-- 
+2.27.0
+

backport-lanplus-Realloc-the-msg-if-the-payload_length-gets-u.patch

@@ -0,0 +1,72 @@
+From 8f0946a81eb22c14823d726afc486139bb2094ca Mon Sep 17 00:00:00 2001
+From: Tom Tung <shes050117@gmail.com>
+Date: Fri, 12 Aug 2022 16:47:27 +0800
+Subject: [PATCH] lanplus: Realloc the msg if the payload_length gets updated
+
+It's possible the payload_length gets updated in
+lanplus_encrypt_payload. If it's updated, the memory of msg should be
+updated.
+
+Tested: use ipmitool with lanplus with similar STR  and there is no
+memory stomping issue.
+
+Resolved: ipmitool/ipmitool#351
+Signed-off-by: Tom Tung <shes050117@gmail.com>
+---
+ src/plugins/lanplus/lanplus.c | 19 +++++++++++++++++++
+ src/plugins/lanplus/lanplus.h |  2 ++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/src/plugins/lanplus/lanplus.c b/src/plugins/lanplus/lanplus.c
+index ed41380..7a9162c 100644
+--- a/src/plugins/lanplus/lanplus.c
++++ b/src/plugins/lanplus/lanplus.c
+@@ -1727,6 +1727,7 @@ ipmi_lanplus_build_v2x_msg(
+ 	 */
+ 	if (session->v2_data.session_state == LANPLUS_STATE_ACTIVE)
+ 	{
++		uint16_t old_payload_length = payload->payload_length;
+ 		/* Payload len is adjusted as necessary by lanplus_encrypt_payload */
+ 		lanplus_encrypt_payload(session->v2_data.crypt_alg,        /* input  */
+ 								session->v2_data.k2,               /* input  */
+@@ -1735,6 +1736,24 @@ ipmi_lanplus_build_v2x_msg(
+ 								msg + IPMI_LANPLUS_OFFSET_PAYLOAD, /* output */
+ 								&(payload->payload_length));       /* output */
+ 
++		if (old_payload_length != payload->payload_length)
++		{
++			len =
++				IPMI_LANPLUS_OFFSET_PAYLOAD   +
++				payload->payload_length       +
++				IPMI_MAX_INTEGRITY_PAD_SIZE   +
++				IPMI_LANPLUS_PAD_LENGTH_SIZE  +
++				IPMI_LANPLUS_NEXT_HEADER_SIZE +
++				IPMI_MAX_AUTH_CODE_SIZE;
++
++			uint8_t * new_msg = realloc(msg, len);
++			if (!new_msg) {
++				free(msg);
++				lprintf(LOG_ERR, "ipmitool: realloc failure");
++				return;
++			}
++			msg = new_msg;
++		}
+ 	}
+ 
+ 	/* Now we know the payload length */
+diff --git a/src/plugins/lanplus/lanplus.h b/src/plugins/lanplus/lanplus.h
+index 3e287ae..94bd56a 100644
+--- a/src/plugins/lanplus/lanplus.h
++++ b/src/plugins/lanplus/lanplus.h
+@@ -86,6 +86,8 @@
+ #define IPMI_LANPLUS_OFFSET_PAYLOAD_SIZE 0x0E
+ #define IPMI_LANPLUS_OFFSET_PAYLOAD      0x10
+ 
++#define IPMI_LANPLUS_PAD_LENGTH_SIZE  1
++#define IPMI_LANPLUS_NEXT_HEADER_SIZE 1
+ 
+ #define IPMI_GET_CHANNEL_AUTH_CAP 0x38
+ 
+-- 
+2.27.0
+

ipmitool.spec

@@ -1,9 +1,9 @@
 Name:            ipmitool
 Version:         1.8.18
-Release:         18
+Release:         23
 Summary:         Utility for IPMI control
 License:         BSD
-URL:             http://ipmitool.sourceforge.net/
+URL:             https://codeberg.org/IPMITool/ipmitool
 Source0:         http://downloads.sourceforge.net/project/%{name}/%{name}/%{version}/%{name}-%{version}.tar.bz2
 Source1:         ipmievd.sysconf
 Source2:         ipmievd.service
@@ -13,6 +13,7 @@ Patch1:          0001-CVE-2011-4339-OpenIPMI.patch
 Patch2:          0002-openssl.patch
 Patch3:          0003-ipmitool-1.8.11-set-kg-key.patch
 Patch4:          0004-slowswid.patch
+Patch5:          0005-zero-initialize-the-recv-structure-on-the-stack.patch
 
 Patch6000:       ID-477-fru-Fix-decoding-of-non-text-data-in-get_fru_.patch
 Patch6001:       ID-480-ipmitool-coredumps-in-EVP_CIPHER_CTX_init.patch
@@ -42,6 +43,11 @@ Patch6023:       ipmitool-CVE-2020-5208-Fix-buffer-overflow.patch
 Patch6024:       ipmitool-CVE-2020-5208-Fix-buffer-overflows-in-get_lan_param_select.patch
 Patch6025:       ipmitool-CVE-2020-5208-Fix-id_string-buffer-overflows.patch
 Patch6026:       fix-variable-definition-error-with-gcc-10.patch
+Patch6027:       backport-lanplus-Realloc-the-msg-if-the-payload_length-gets-u.patch
+Patch6028:       backport-lan-channel-Fix-set-alert-on-off.patch
+Patch6029:       backport-fru-Fix-crashes-on-6-bit-ASCII-strings.patch
+
+Patch9000:       0006-Fix-get_bmc_ip-failure-caused-by-search-rule-issue.patch
 
 BuildRequires:    openssl-devel readline-devel ncurses-devel 
 %{?systemd_requires}
@@ -170,6 +176,36 @@ install -Dm 755 contrib/bmc-snmp-proxy         %{buildroot}%{_libexecdir}/bmc-sn
 %{_mandir}/man8/ipmievd.8*
 
 %changelog
+* Tue Oct 08 2024 zhangzikang <zhangzikang@kylinos.cn> - 1.8.18-23
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:Fix get_bmc_ip failure caused by search rule issue
+
+* Mon Dec 04 2023 Huang Yang <huangyang@loongson.cn> - 1.8.18-22
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:Resolve malloc aborted error raised when executing ipmitool fru.
+
+* Wed May 31 2023 mengkanglai <mengkanglai2@huawei.com> - 1.8.18-21
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:update URL address
+
+* Tue Mar 21 2023 mengkanglai <mengkanglai2@huawei.com> - 1.8.18-20
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:lan channel fix set alert on off and lanplus realloc the msg if the payload_length gets update
+
+* Mon Oct 31 2022 mengkanglai <mengkanglai2@huawei.com> - 1.8.18-19
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:zero initialize the recv structure on the stack
+
 * Mon Dec 27 2021 gaihuiying <gaihuiying1@huawei.com> - 1.8.18-18
 - Type:requirement
 - ID:NA