2009/12/7 Lewis Adam-VNQM87 <vnq...@motorola.com>:
> Looking at version 5.5 of the net-snmp suite ... in snmplib\vacm.c, the
> function
> vacm_getAccessEntry() just gets the first entry that matches the search
> criteria rather than search for the one with the highest securityLevel.
> Am I missing something or is this just a to-be-done?

No - I think you've spotted a bug.
Note that it's not just a matter of choosing the "highest securityLevel" - there's a whole set of priority decisions defined in RFC 3415 that the code is not currently applying.

Please try the attached patch, and see whether this leads to the expected behaviour

Dave
Index: vacm.c =================================================================== --- vacm.c (revision 17857) +++ vacm.c (working copy) @@ -887,11 +887,50 @@ } struct vacm_accessEntry * +_vacm_choose_best( struct vacm_accessEntry *current, + struct vacm_accessEntry *candidate) +{ + /* + * RFC 3415: vacmAccessTable: + * 2) if this set has [more than] one member, ... + * it comes down to deciding how to weight the + * preferences between ContextPrefixes, + * SecurityModels, and SecurityLevels + */ + if (( !current ) || + /* a) if the subset of entries with securityModel + * matching the securityModel in the message is + * not empty, then discard the rest + */ + ( current->securityModel == SNMP_SEC_MODEL_ANY && + candidate->securityModel != SNMP_SEC_MODEL_ANY ) || + /* b) if the subset of entries with vacmAccessContextPrefix + * matching the contextName in the message is + * not empty, then discard the rest + */ + ( current->contextMatch == CONTEXT_MATCH_PREFIX && + candidate->contextMatch == CONTEXT_MATCH_EXACT ) || + /* c) discard all entries with ContextPrefixes shorter + * than the longest one remaining in the set + */ + ( current->contextMatch == CONTEXT_MATCH_PREFIX && + current->contextPrefix[0] < candidate->contextPrefix[0] ) || + /* d) select the entry with the highest securityLevel + */ + ( current->securityLevel < candidate->securityLevel )) { + + return candidate; + } + + return current; +} + +struct vacm_accessEntry * vacm_getAccessEntry(const char *groupName, const char *contextPrefix, int securityModel, int securityLevel) { - struct vacm_accessEntry *vp; + struct vacm_accessEntry *vp, *best=NULL; char group[VACMSTRINGLEN]; char context[VACMSTRINGLEN]; int glen, clen; @@ -920,9 +959,9 @@ && clen >= vp->contextPrefix[0] && (memcmp(vp->contextPrefix + 1, context + 1, vp->contextPrefix[0]) == 0)))) - return vp; + best = _vacm_choose_best( best, vp ); } - return NULL; + return best; } void
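Review bot: In _vacm_choose_best() the tests for a) through d) are joined with a single ||, so a lower-priority criterion can override a higher-priority one that has already decided in favour of current. For example, when current has a specific securityModel and candidate is SNMP_SEC_MODEL_ANY, test a) is false, but if `current->securityLevel < candidate->securityLevel` holds then d) still returns candidate; the same happens when current is CONTEXT_MATCH_EXACT and candidate is CONTEXT_MATCH_PREFIX with a higher securityLevel. The quoted RFC text says "discard the rest" at each step, which implies an ordered comparison: evaluate a), then b), then c), then d), and return as soon as one step distinguishes the two entries in either direction, falling through to the next step only on a tie. Test c) also checks only that current is CONTEXT_MATCH_PREFIX before comparing contextPrefix[0]; once the steps are ordered, it should run only when both entries are prefix matches. Since the helper is used only by vacm_getAccessEntry() in this file, consider declaring it static.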
_______________________________________________ Net-snmp-users mailing list Net-snmp-users@lists.sourceforge.net Please see the following page to unsubscribe or change other options: https://lists.sourceforge.net/lists/listinfo/net-snmp-users