On Mon, Apr 23, 2012 at 9:56 PM, Jim Mankovich <jmank@hp.com> wrote:

I already have a fix for the 16 character username problem.   I already posted a patch for it to the Patch tracker

for version 1.8.11 and I was going to post a patch for it to TOB after I complete the Threshold/Discrete/Analog
Display issue which is currently in review.   If you look closely you will see I assigned these defect to myself.

Both of the defects you mention are for the same issue, the problem is that ipmitool permits a user to specify greater
than 16 character passwords.   The IPMI password length limit is 16.

Indeed it is. That's not the point. The point is anyone with any tool, or just modified ipmitool, can send username/password longer than 16 byte and make BMC to hang. ipmitool is one of places it should get fixed, but not the only one. That's it the point.
Such bug could have make it a great DoS. Hmm.
I'll try to post a patch for review for the 16 character username limit sometime this week.

Do you what you can with the resources you have a hand.
Any/All help is much appreciated.

Once the patches I've posted get "somewhere", I'll post more. But sacrifice time at stuff that doesn't go anywhere? Been there, done that and life is too short ;)

Take care,

-- Jim Mankovich | jmank@hp.com --

On 4/23/2012 12:22 PM, Duncan Idaho wrote:

On Mon, Apr 23, 2012 at 6:26 PM, Jim Mankovich <jmank@hp.com> wrote:
report and I could not find any existing resolution to in the TOB CVS for ipmitool.   If anyone
has any time to work on ipmitool, please look at Tracker items first for something to do.

Time, yes(sometimes). Machines to test at? No.
And some stuff, well the most of it, will require some IPMI capable hardware to test and develop at. So it won't be that easy to get devs.

Anyway. Once we agree on code in 'lib/ipmi_user.c', I could take a look at http://sourceforge.net/tracker/?func=detail&aid=3001519&group_id=95200&atid=610550 and http://sourceforge.net/tracker/?func=detail&aid=3184687&group_id=95200&atid=610550 . That's where they'll go right? btw this sounds like a BMC(IPMI stack) to me as well and reportee should report it to his vendor.