Customized the anti-attacki/reset-last_engineTime function for IdeaUI and add modify the permissions of passtest

(cherry picked from commit 0cc3ed93338c59cba8a1b731ac41462d5d518f1d)

dump-space-around-the-equal-for-shellcheck-sc1068.patch

@@ -0,0 +1,23 @@
+From b9e84bfcfdbfabc83024e7fdcf31172a3d36311b Mon Sep 17 00:00:00 2001
+From: songzifeng <songzifeng1@huawei.com>
+Date: Mon, 8 Jun 2020 16:30:09 +0800
+Subject: dump space around the "=" 
+
+
+diff --git a/agent/mibgroup/Rmon/test_alarm.sh b/agent/mibgroup/Rmon/test_alarm.sh
+index b6046c7..0a0863a 100755
+--- a/agent/mibgroup/Rmon/test_alarm.sh
++++ b/agent/mibgroup/Rmon/test_alarm.sh
+@@ -27,7 +27,7 @@ ETHIND=3
+ EVNIND=7
+ ALRIND=2
+ LOWLIMIT=4800
+-HILIMIT =4900
++HILIMIT=4900
+ INTERVAL=3
+ WAITTIME=17
+ 
+-- 
+2.23.0
+
+

net-snmp-5.9.1-IdeaUI_antic_attack.patch

@@ -0,0 +1,202 @@
+From e194c8fbe2cc2b1085a3da97ddb94eb329558446 Mon Sep 17 00:00:00 2001
+From: chenrufeng <chenrufeng4@huawei.com>
+Date: Fri, 5 Jan 2024 10:38:35 +0800
+Subject: [PATCH] add support for IDEAUI_ANTI_ATTACK
+
+---
+ agent/snmp_agent.c                  |  2 +
+ include/net-snmp/library/snmp_api.h |  5 ++
+ include/net-snmp/output_api.h       | 18 ++++++++
+ include/net-snmp/types.h            |  6 +++
+ snmplib/snmp_api.c                  | 72 +++++++++++++++++++++++++++++
+ 5 files changed, 103 insertions(+)
+
+diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c
+index 273b46772..bff663d32 100644
+--- a/agent/snmp_agent.c
++++ b/agent/snmp_agent.c
+@@ -2214,7 +2214,9 @@ handle_snmp_packet(int op, netsnmp_session * session, int reqid,
+      */
+     if (pdu->version  == SNMP_VERSION_3 && 
+         session->s_snmp_errno == SNMPERR_USM_AUTHENTICATIONFAILURE) {
++#ifndef IDEAUI_ANTI_ATTACK
+            send_easy_trap(SNMP_TRAP_AUTHFAIL, 0);
++#endif
+            return 1;
+     } 
+ 	
+diff --git a/include/net-snmp/library/snmp_api.h b/include/net-snmp/library/snmp_api.h
+index 6b4fad6ab..419f44764 100644
+--- a/include/net-snmp/library/snmp_api.h
++++ b/include/net-snmp/library/snmp_api.h
+@@ -384,6 +384,11 @@ typedef struct request_list {
+     NETSNMP_IMPORT
+     void            init_snmp(const char *);
+ 
++#if defined(IDEAUI_ANTI_ATTACK)
++    NETSNMP_IMPORT
++    void            netsnmp_init_antiattack_callback(struct snmp_s_anti_attack* callbacklist);
++#endif
++
+     NETSNMP_IMPORT
+     int
+     snmp_build(u_char ** pkt, size_t * pkt_len, size_t * offset,
+diff --git a/include/net-snmp/output_api.h b/include/net-snmp/output_api.h
+index 3b142850c..9bce8d704 100644
+--- a/include/net-snmp/output_api.h
++++ b/include/net-snmp/output_api.h
+@@ -184,4 +184,22 @@ netsnmp_debug_no_dumpsetup(const char *token, const void *buf, size_t len)
+ #define ERROR_MSG(string)	snmp_set_detail(string)
+ #endif
+ 
++#if defined(IDEAUI_ANTI_ATTACK)
++typedef struct snmp_s_anti_info {
++    char *userName;
++    char *peerName;
++    int antiRes;
++} snmp_anti_info;
++
++/*
++ * anti attack
++ */
++struct snmp_s_anti_attack {
++    void (*cb_init_attack_info)(void);
++    void (*cb_uninit_attack_info)(void);
++    unsigned int (*cb_add_attack_info) (char *, const char *);
++    void (*cb_clear_attack_info) (char *, const char *);
++    int (*cb_is_attack_lock) (char *, const char *);
++};
++#endif /* IDEAUI_ANTI_ATTACK */
+ #endif                          /* NET_SNMP_OUTPUT_API_H */
+diff --git a/include/net-snmp/types.h b/include/net-snmp/types.h
+index d489f37b1..830d3b93f 100644
+--- a/include/net-snmp/types.h
++++ b/include/net-snmp/types.h
+@@ -17,6 +17,12 @@
+      */
+ 
+ #include <stdio.h>
++#if defined(IDEAUI_OS_ANDROID)
++#include <sys/select.h>
++typedef unsigned long int ulong;
++typedef unsigned short int ushort;
++typedef unsigned int uint;
++#endif
+ 
+ #ifndef NET_SNMP_CONFIG_H
+ #error "Please include <net-snmp/net-snmp-config.h> before this file"
+diff --git a/snmplib/snmp_api.c b/snmplib/snmp_api.c
+index 4042f8046..96e7eeb5b 100644
+--- a/snmplib/snmp_api.c
++++ b/snmplib/snmp_api.c
+@@ -329,6 +329,13 @@ int             snmp_errno = 0;
+  * END MTCRITICAL_RESOURCE
+  */
+ 
++#if defined(IDEAUI_ANTI_ATTACK)
++ /*
++ * anti attack
++ */
++struct snmp_s_anti_attack g_stAntiAttack = {NULL, NULL, NULL, NULL, NULL};
++#endif
++
+ /*
+  * global error detail storage
+  */
+@@ -863,6 +870,20 @@ register_default_handlers(void)
+     netsnmp_register_service_handlers();
+ }
+ 
++#if defined(IDEAUI_ANTI_ATTACK)
++void netsnmp_init_antiattack_callback(struct snmp_s_anti_attack* callbacklist)
++{
++    if (callbacklist == NULL) {
++        return;
++    }
++    g_stAntiAttack.cb_init_attack_info = callbacklist->cb_init_attack_info;
++    g_stAntiAttack.cb_uninit_attack_info = callbacklist->cb_uninit_attack_info;
++    g_stAntiAttack.cb_add_attack_info = callbacklist->cb_add_attack_info;
++    g_stAntiAttack.cb_clear_attack_info = callbacklist->cb_clear_attack_info;
++    g_stAntiAttack.cb_is_attack_lock = callbacklist->cb_is_attack_lock;
++}
++#endif
++
+ static int init_snmp_init_done = 0; /* To prevent double init's. */
+ /**
+  * Calls the functions to do config file loading and  mib module parsing
+@@ -4287,10 +4308,33 @@ _snmp_parse(void *sessp,
+     static size_t   ourEngineID_len = sizeof(ourEngineID);
+ 
+     netsnmp_pdu    *pdu2 = NULL;
++#if defined(IDEAUI_ANTI_ATTACK)
++    char* peerName = NULL;
++    const int ipMaxLen = 256;
++    char szRemoteAddr[ipMaxLen] = {0};
++    char unknownPeer[ipMaxLen] = {0};
++    strcpy(unknownPeer, "UnkownHost");
++    snmp_anti_info antiInfo = {0};
++#endif
+ 
+     session->s_snmp_errno = 0;
+     session->s_errno = 0;
+ 
++#if defined(IDEAUI_ANTI_ATTACK)
++    if (pdu->transport_data_length != 0) {
++       struct sockaddr_in *from_in = (struct sockaddr_in *)pdu->transport_data;
++        if (AF_INET6 == from_in->sin_family) {
++            struct sockaddr_in6 *from_in6 = (struct sockaddr_in6 *)pdu->transport_data;
++            inet_ntop(AF_INET6, (void *) &(from_in6->sin6_addr), szRemoteAddr, sizeof(szRemoteAddr));
++            } else {
++           inet_ntop(AF_INET, (void *) &(from_in->sin_addr), szRemoteAddr, sizeof(szRemoteAddr));
++        }
++        peerName = szRemoteAddr;
++    } else {
++        peerName = unknownPeer;
++    }
++#endif
++
+     /*
+      * Ensure all incoming PDUs have a unique means of identification 
+      * (This is not restricted to AgentX handling,
+@@ -4391,6 +4435,16 @@ _snmp_parse(void *sessp,
+                     snmp_api_errstring(result)));
+ 
+         if (result) {
++#if defined(IDEAUI_ANTI_ATTACK)
++            antiInfo.userName = pdu->securityName;
++            antiInfo.peerName = peerName;
++            antiInfo.antiRes = result;
++            if (g_stAntiAttack.cb_add_attack_info != NULL &&
++                ((pdu->securityLevel == SNMP_SEC_LEVEL_AUTHNOPRIV) ||
++                (pdu->securityLevel == SNMP_SEC_LEVEL_AUTHPRIV))) {
++                g_stAntiAttack.cb_add_attack_info((char *)&antiInfo, (const char*)peerName);
++            }
++#endif
+             struct snmp_secmod_def *secmod =
+                 find_sec_mod(pdu->securityModel);
+             if (!sessp) {
+@@ -4408,6 +4462,24 @@ _snmp_parse(void *sessp,
+             }
+             free_securityStateRef(pdu);
+         }
++#if defined(IDEAUI_ANTI_ATTACK)
++        else {
++            if ((g_stAntiAttack.cb_is_attack_lock != NULL) &&
++                ((pdu->securityLevel == SNMP_SEC_LEVEL_AUTHNOPRIV) ||
++                (pdu->securityLevel == SNMP_SEC_LEVEL_AUTHPRIV))) {
++                antiInfo.userName = pdu->securityName;
++                antiInfo.peerName = peerName;
++                antiInfo.antiRes = result;
++                if (g_stAntiAttack.cb_is_attack_lock((char *)&antiInfo, (const char*)peerName) != 0) {
++                    result = SNMPERR_ASN_PARSE_ERR;
++                } else {
++                    if (g_stAntiAttack.cb_clear_attack_info != NULL) {
++                        g_stAntiAttack.cb_clear_attack_info((char *)&antiInfo, (const char*)peerName);
++                    }
++                }
++            }
++        }
++#endif
+ 
+         /* Implement RFC5343 here for two reasons:
+            1) From a security perspective it handles this otherwise

net-snmp-5.9.1-IdeaUI_reset_last_engineTime.patch

@@ -0,0 +1,47 @@
+From e194c8fbe2cc2b1085a3da97ddb94eb329558446 Mon Sep 17 00:00:00 2001
+From: chenrufeng <chenrufeng4@huawei.com>
+Date: Fri, 5 Jan 2024 10:38:35 +0800
+Subject: [PATCH] Reset last_engineTime when calling init_snmpv3()
+
+---
+ snmplib/snmpv3.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/snmplib/snmpv3.c b/snmplib/snmpv3.c
+index 29c2a0ffc..d9b9eb7d6 100644
+--- a/snmplib/snmpv3.c
++++ b/snmplib/snmpv3.c
+@@ -99,6 +99,10 @@ static struct timeval snmpv3starttime;
+ static int      getHwAddress(const char *networkDevice, char *addressOut);
+ #endif
+ 
++#ifdef IDEAUI_RESET_LAST_ENGINETIME
++    static uint32_t last_engineTime = 0;
++#endif
++
+ /*******************************************************************-o-******
+  * snmpv3_secLevel_conf
+  *
+@@ -949,6 +953,9 @@ init_snmpv3(const char *type)
+ {
+     netsnmp_get_monotonic_clock(&snmpv3starttime);
+ 
++#ifdef IDEAUI_RESET_LAST_ENGINETIME
++    last_engineTime = 0;
++#endif
+     if (!type)
+         type = "__snmpapp__";
+ 
+@@ -1249,7 +1256,9 @@ snmpv3_local_snmpEngineTime(void)
+     netsnmp_feature_require(calculate_sectime_diff)
+ #endif /* NETSNMP_FEATURE_CHECKING */
+ 
++#ifndef IDEAUI_RESET_LAST_ENGINETIME
+     static uint32_t last_engineTime;
++#endif
+     struct timeval  now;
+     uint32_t engineTime;
+ 
+-- 
+2.34.1
+

net-snmp.spec

@@ -3,7 +3,7 @@
 
 Name:            net-snmp
 Version:         5.9.3
-Release:         1
+Release:         2
 Epoch:           1
 Summary:         SNMP Daemon
 License:         BSD
@@ -44,6 +44,10 @@ Patch22:         backport-libsnmp-Remove-netsnmp_openssl_err_log.patch
 Patch23:         backport-net-snmp-5.9-ipv6-disable-leak.patch
 Patch24:         backport-net-snmp-5.9-sendmsg-error-code.patch
 
+patch25:         dump-space-around-the-equal-for-shellcheck-sc1068.patch
+Patch26:         net-snmp-5.9.1-IdeaUI_antic_attack.patch
+Patch27:         net-snmp-5.9.1-IdeaUI_reset_last_engineTime.patch
+
 %{?systemd_requires}
 BuildRequires:   systemd gcc openssl-devel bzip2-devel elfutils-devel libselinux-devel
 BuildRequires:   elfutils-libelf-devel rpm-devel perl-devel perl(ExtUtils::Embed) procps
@@ -201,8 +205,7 @@ for file in README COPYING; do
     iconv -f 8859_1 -t UTF-8 <$file >$file.utf8
     mv $file.utf8 $file
 done
-chmod 644 local/ipf-mod.pl
-chmod 755 local/passtest
+chmod 644 local/passtest local/ipf-mod.pl
 
 mkdir -p %{buildroot}/%{_tmpfilesdir}
 install -m 644 %SOURCE7 %{buildroot}/%{_tmpfilesdir}/net-snmp.conf
@@ -215,6 +218,7 @@ cp -f libtool.orig libtool
 rm -vf testing/fulltests/default/T200snmpv2cwalkall_simple
 chmod 755 local/passtest
 LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
+chmod 644 local/passtest
 %endif
 
 %post
@@ -322,6 +326,13 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
 %{_mandir}/man1/fixproc*
 
 %changelog
+* Fri May 10 2024 gaihuiying <eaglegai@163.com> - 1:5.9.3-2
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:Customized the anti-attacki/reset-last_engineTime function for IdeaUI
+       change the permissions of passtest
+
 * Mon Aug 07 2023 xingwei <xingwei14@h-partners.com> - 1:5.9.3-1
 - Type:requirement
 - CVE:NA