Allow only Administrator to bridge on ME commands
Tested:
Verified by using below commands
1. Enter in Manufacturing mode by executing below command
Command: ipmitool raw 0x30 0xB4 3 2
Response: //Success
2. Verify using ME commands
Command: ipmitool -I lanplus -H <BMC_IP> -U root -P 0penBmc -L
ADMINISTRATOR -t 0x2c -b 6 raw 0x2e 0xca 0x57 0x01 0x00
Response: 57 01 00 06 04 00 04 03
Command: ipmitool -I lanplus -H <BMC_IP> -U root -P 0penBmc -L USER -t
0x2c -b 6 raw 0x2e 0xca 0x57 0x01 0x00
Response: Unable to send RAW command (channel=0x6 netfn=0x2e lun=0x0
cmd=0xca rsp=0xd4): Insufficient privilege level
Command: ipmitool -I lanplus -H <BMC_IP> -U root -P 0penBmc -L OPERATOR
-t 0x2c -b 6 raw 0x2e 0xca 0x57 0x01 0x00
Response: Unable to send RAW command (channel=0x6 netfn=0x2e lun=0x0
cmd=0xca rsp=0xd4): Insufficient privilege level
Signed-off-by: srikanta mondal <srikantax.mondal@intel.com>
Change-Id: I34eb3ae50965c3562306578a34f1a6bf5cba9387
diff --git a/src/bridgingcommands.cpp b/src/bridgingcommands.cpp
index 4041474..3220474 100644
--- a/src/bridgingcommands.cpp
+++ b/src/bridgingcommands.cpp
@@ -253,8 +253,13 @@
return ipmi::ccReqDataLenInvalid;
}
+ // Bridging to ME requires Administrator lvl
+ if ((ctx->priv) != ipmi::Privilege::Admin)
+ {
+ return ipmi::ccInsufficientPrivilege;
+ }
+
auto sendMsgReqData = reinterpret_cast<const ipmbHeader *>(msgData.data());
- // TODO: check privilege lvl. Bridging to ME requires Administrator lvl
// allow bridging to ME only
if (sendMsgReqData->Header.Req.address != ipmbMeSlaveAddress)
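Review bot: The added check `if ((ctx->priv) != ipmi::Privilege::Admin)` tests for exact equality, so every privilege value other than Admin is rejected, including any level that ranks above Admin. If the intent is "at least Administrator", as the comment suggests, compare with `<` instead (`ctx->priv < ipmi::Privilege::Admin`), assuming the enum values are ordered by privilege. The test log only exercises ADMINISTRATOR, USER and OPERATOR over lanplus, so it is worth confirming what `ctx->priv` holds for requests that do not arrive over an authenticated session, because those would now also get `ipmi::ccInsufficientPrivilege`. The extra parentheses around `ctx->priv` can be dropped.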