head 1.4; access; symbols pkgsrc-2013Q2:1.4.0.2 pkgsrc-2013Q2-base:1.4 pkgsrc-2012Q4:1.3.0.2 pkgsrc-2012Q4-base:1.3 pkgsrc-2012Q3:1.2.0.6 pkgsrc-2012Q3-base:1.2 pkgsrc-2012Q2:1.2.0.4 pkgsrc-2012Q2-base:1.2 pkgsrc-2012Q1:1.2.0.2 pkgsrc-2012Q1-base:1.2 pkgsrc-2011Q4:1.1.1.1.0.2 pkgsrc-2011Q4-base:1.1.1.1 pkgsrc-base:1.1.1.1 TNF:1.1.1; locks; strict; comment @# @; 1.4 date 2013.02.05.07.45.39; author wiz; state dead; branches; next 1.3; 1.3 date 2012.11.19.02.59.06; author joerg; state Exp; branches; next 1.2; 1.2 date 2012.03.13.13.23.18; author taca; state Exp; branches; next 1.1; 1.1 date 2011.12.15.22.23.24; author asau; state Exp; branches 1.1.1.1; next ; 1.1.1.1 date 2011.12.15.22.23.24; author asau; state Exp; branches; next ; desc @@ 1.4 log @Remove samba30 and samba33, as stated by Aleksej Saushev on Jul 7, 2012. @ text @$NetBSD: patch-ee,v 1.3 2012/11/19 02:59:06 joerg Exp $ Patch to fix CVE-2010-2063 and CVE-2012-0870. --- smbd/process.c.orig 2009-09-30 12:21:56.000000000 +0000 +++ smbd/process.c @@@@ -1159,8 +1159,9 @@@@ int chain_reply(char *inbuf,char *outbuf { static char *orig_inbuf; static char *orig_outbuf; + static int orig_size; int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0); - unsigned smb_off2 = SVAL(inbuf,smb_vwv1); + static unsigned smb_off2; char *inbuf2, *outbuf2; int outsize2; int new_size; @@@@ -1178,6 +1179,21 @@@@ int chain_reply(char *inbuf,char *outbuf /* this is the first part of the chain */ orig_inbuf = inbuf; orig_outbuf = outbuf; + orig_size = size; + smb_off2 = 0; + } + + if (SVAL(inbuf,smb_vwv1) <= smb_off2) { + DEBUG(1, ("AndX offset not increasing\n")); + SCVAL(outbuf, smb_vwv0, 0xFF); + return -1; + } + smb_off2 = SVAL(inbuf, smb_vwv1); + + /* Validate smb_off2 */ + if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) { + exit_server_cleanly("Bad chained packet"); + return -1; } /* @@@@ -1192,6 +1208,11 @@@@ int chain_reply(char *inbuf,char *outbuf SSVAL(outbuf,smb_vwv1,smb_offset(outbuf+outsize,outbuf)); 
SCVAL(outbuf,smb_vwv0,smb_com2); + if (outsize <= smb_wct) { + exit_server_cleanly("Bad chained packet"); + return -1; + } + /* remember how much the caller added to the chain, only counting stuff after the parameter words */ chain_size += outsize - smb_wct; @ 1.3 log @Correctly return an error value when bailing out. @ text @d1 1 a1 1 $NetBSD: patch-ee,v 1.2 2012/03/13 13:23:18 taca Exp $ @ 1.2 log @Add patch for CVE-2012-0870. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD: patch-ee,v 1.1.1.1 2011/12/15 22:23:24 asau Exp $ d29 1 a29 1 + return; @ 1.1 log @Initial revision @ text @d1 1 a1 1 $NetBSD: patch-ee,v 1.3 2010/06/19 14:08:56 taca Exp $ d3 1 a3 1 Patch to fix CVE-2010-2063. d7 1 a7 1 @@@@ -1159,6 +1159,7 @@@@ int chain_reply(char *inbuf,char *outbuf d13 2 a14 1 unsigned smb_off2 = SVAL(inbuf,smb_vwv1); d16 3 a18 1 @@@@ -1178,6 +1179,13 @@@@ int chain_reply(char *inbuf,char *outbuf d23 1 d26 7 d40 1 a40 1 @@@@ -1192,6 +1200,11 @@@@ int chain_reply(char *inbuf,char *outbuf @ 1.1.1.1 log @Reimport Samba 3.0.37 from net/samba as net/samba30 as part of Samba packages rotation. @ text @@
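Review bot: In the second hunk's `/* Validate smb_off2 */` check, `orig_size` is the `static int` added in the first hunk and is compared with an unsigned expression, so it is converted to unsigned and a negative value would pass the bound as a very large number. `orig_size` is copied from `size`, which is declared outside the hunk, so whether it can be negative is not visible here. Making the intent explicit is cheap: `if (orig_size < 0 || smb_off2 < smb_wct - 4 || (unsigned)orig_size < smb_off2 + 4 - smb_wct) {`. The new function-level statics also deserve a comment such as `/* per-chain state, reset on the first command of a chain */`, because the early `return -1` on the "AndX offset not increasing" path leaves `smb_off2` holding the previous offset until that reset runs. chain_reply's body begins and ends outside these hunks.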
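Review bot: The `if (outsize <= smb_wct)` guard in the third hunk has no comment explaining why it is needed, and it exits with the same "Bad chained packet" string as the offset validation in the second hunk, so a log reader cannot tell which check rejected the packet. A one-line comment above it would tie it to the statement it protects: `/* outsize - smb_wct is added to chain_size below and must be positive */`. A distinct message, for example `exit_server_cleanly("Bad chained packet: reply too short");`, would make triage of malformed AndX chains easier. The `return -1;` after `exit_server_cleanly()` is presumably there only to satisfy the `int` return type, which is worth stating in the same comment.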