Age | Commit message (Collapse) | Author |
|
- pdu header has 3 elements, not 4
- additional varbinds are optional.
This is needed to make ber_scanf_elements stricter.
Note that people using "trap handle" in their snmpd.conf and expect a trap
without additional varbinds to show the trapoid to appear twice will have
to adjust their "command".
OK rob@
|
|
for this MIB in the first place, this has now been removed in ifq changes.
Since the MIB is marked as deprecated anyway, simply return 0. ok claudio@
|
|
much what this counter is for. For sure better than net.inet.ip.ifq.drops
which no longer exists.
Found by and OK martijn@ and OK sthen@
|
|
|
|
to misread.
as per suggestion by and OK deraadt@
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
OK claudio@, gerhard@
|
|
preparation for SHA-2 support.
OK claudio@, gerhard@
|
|
oids needing to be part of the snmpd loaded tree.
This is in line with RFC3416.
OK gerhard@ who apparently has the exact same diff in his repo.
|
|
snmpEngineBoots and snmpEngineTime by sending an AuthPriv request with the
requested values set to zero and with a valid user.
Move the engine_boots and engine_time down after the user check and remove
the 0-check, so we can reply with the appropriate usmStatsNotInTimeWindows.
This allows us to use p5-Net-SNMP against snmpd with seclevel enc.
OK rob@
|
|
snmpEngineID by sending a noAuthNoPriv request. Move the seclevel check to
after the usm_decode phase, so we can reply with the mandatory
usmStatsUnknownEngineIDs instead of usmStatsUnsupportedSecLevels.
This brings us one step closer to using p5-Net-SNMP with seclevel enc.
OK tb@, rob@
|
|
snmpctl. Separate copies of ber.[ch] have existed and been maintained in sync
in ldap, ldapd, ypldap and snmpd.
This commit moves the BER API into /usr/lib/libutil. All current consumers
already link libutil. ldapd and snmpd regress passes, and release builds.
With help from tb@ and guenther@.
ok deraadt@, tb@
|
|
ok reyk@
|
|
ok claudio@
|
|
fixes a problem when handling large negative integers.
ok claudio@
|
|
|
|
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno
|
|
where the "wrong" #define was used.
ok dlg@
|
|
Dup /dev/null to the stdio file descriptors in the children.
based on a fix for httpd(8) and relayd(8); from Jan Klemkow
|
|
OK deraadt@, tb@, claudio@
|
|
Change distance sensor type to be displayed as meters with 3 decimals
instead of millimeters.
ok mpi@ kettenis@
|
|
the prefixlen is never bigger than 128 for inet6.
OK remi@
|
|
|
|
Found via snmpctl snmp walk 127.0.0.1 oid 1
OK claudio@
|
|
pledge cannot be used, nevertheless since we now have unveil available we can
use it to guarantee that in this particular case the snmpe process cannot
access the filesystem at all, therefore close a big attack vector and achieve
a great level of protection even without being able to use pledge.
prodded by deraadt@
|
|
read permissions, but once it reaches pledge(2) just before the main loop both
were already opened. Since snmpd(8) doesn't have a way to load or reload the
config file, not even through SIGHUP, then rpath promise is not needed.
The snmpe process cannot yet be pledged, but it doesn't need fs access so we
can disable the access through unveil("/", ""); unveil(NULL, NULL);
"looks right" to deraadt@
|
|
(and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
|
rtable 255 is a valid routing table or domain id that wasn't handled
by the ip[6]_mroute code or by snmpd. The arrays in the ip[6]_mroute
code where off by one and didn't allocate space for rtable 255; snmpd
simply ignored rtable 255. All other places in the tree seem to
handle RT_TABLEID_MAX correctly.
OK florian@ benno@ henning@ deraadt@
|
|
"looks good" gilles@ halex@
|
|
ok mpi@
|
|
ok claudio@ miko@
|
|
|
|
build and is still a work in progress. Tweaks and comments welcome.
|
|
ok claudio@
|
|
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.
While here also scramble pledge promises to their canonical form.
OK florian@
|
|
possible stack overflow due to recursion in ber_free_elements().
ok claudio@
|
|
ok claudio@
|
|
ok claudio@
|
|
This way the size is the same on all archs and 32bit should be good enough.
OK rob@
|
|
ok tb@, claudio@
|
|
|
|
api uses read and write buffers (byte streams) that are utilized by calling
applications which may or may not use sockets.
ok claudio@
buffer byte streams that applications then use for
|
|
ok claudio@, jca@
|
|
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.
ok henning@
|
|
calloc or strdup), we just need to log that we ran out of memory in a
particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
|
After the removal of fd-based read/writes I could have trimmed the code
further.
- no socket-based reads so ber_read() doesn't need to loop until it gets
the desired amount of data
- return either the requested amount of data or -1/ECANCELED, the caller
shouldn't have to handle partial reads itself
- inline ber_readbuf() into ber_read()
ok rob@ claudio@ tb@
|
|
running out of memory.
Next step, be correct *and* consistent.
ok dennis@ tb@ benno@ schwarze@
|
|
|
|
|
|
can call ber_readbuf() in all cases. This resolves a problem previously
encountered with SNMPv3 authentication, simplifies the code, and completes a
full synchronization of all ber instances.
Proposed by claudio@. Problematic use case in snmpd tested by sthen@ and me.
ldap(s) appear happy as well.
looks good to claudio@
|