Add patch for CVE-2012-0870.

Bump PKGREVISION.

6 files changed, 57 insertions, 13 deletions

diff --git a/net/samba30/Makefile b/net/samba30/Makefile
index dda83fd846e..986a010a239 100644
--- a/net/samba30/Makefile
+++ b/net/samba30/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.3 2012/02/01 08:14:47 sbd Exp $
+# $NetBSD: Makefile,v 1.4 2012/03/13 13:23:18 taca Exp $
 
 .include "../../net/samba/Makefile.mirrors"
 
 DISTNAME=		samba-${VERSION}
-PKGREVISION=		7
+PKGREVISION=		9
 CATEGORIES=		net
 MASTER_SITES=		${SAMBA_MIRRORS:=old-versions/}
 
diff --git a/net/samba30/distinfo b/net/samba30/distinfo
index 65660aa9e16..eeae4a68c42 100644
--- a/net/samba30/distinfo
+++ b/net/samba30/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.1.1.1 2011/12/15 22:23:24 asau Exp $
+$NetBSD: distinfo,v 1.2 2012/03/13 13:23:18 taca Exp $
 
 SHA1 (samba-3.0.37.tar.gz) = 5ec6bc6558b3c799f747eb49fbba019d5edf0cbd
 RMD160 (samba-3.0.37.tar.gz) = 06b76ae22729e10c83d6af42d03b03ad69e49103
@@ -39,6 +39,6 @@ SHA1 (patch-cg) = 2755a019759826a39c3e201f6a0d1646e6dd2fba
 SHA1 (patch-ch) = 3c4c404519154e294cee134ddb4d2b9c7d8e02a2
 SHA1 (patch-ci) = d78298d0997cf7877cfe2411355fb6c61dec17f6
 SHA1 (patch-da) = 2dddd250b2207d658b02ff43b46199ce4305b7f8
-SHA1 (patch-ee) = d52511dc7d065db7ba1464138c4bc85cfe2f0d59
+SHA1 (patch-ee) = b5bae1f8ebbd02cae70a5d7a8faef8ad5e5896ac
 SHA1 (patch-lib_replace_test_os2__delete.c) = 27958a98f37fdc03e109c641d768721e4e587f31
 SHA1 (patch-libsmb_clikrb5.c) = 0efe8e7b06588a727b8cf459ed6e9dc46d1b8f13
diff --git a/net/samba30/patches/patch-ee b/net/samba30/patches/patch-ee
index f242b8d6f29..f6b8f93d554 100644
--- a/net/samba30/patches/patch-ee
+++ b/net/samba30/patches/patch-ee
@@ -1,24 +1,35 @@
-$NetBSD: patch-ee,v 1.1.1.1 2011/12/15 22:23:24 asau Exp $
+$NetBSD: patch-ee,v 1.2 2012/03/13 13:23:18 taca Exp $
 
-Patch to fix CVE-2010-2063.
+Patch to fix CVE-2010-2063 and CVE-2012-0870.
 
 --- smbd/process.c.orig	2009-09-30 12:21:56.000000000 +0000
 +++ smbd/process.c
-@@ -1159,6 +1159,7 @@ int chain_reply(char *inbuf,char *outbuf
+@@ -1159,8 +1159,9 @@ int chain_reply(char *inbuf,char *outbuf
  {
  	static char *orig_inbuf;
  	static char *orig_outbuf;
 +	static int orig_size;
  	int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
- 	unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
+-	unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
++	static unsigned smb_off2;
  	char *inbuf2, *outbuf2;
-@@ -1178,6 +1179,13 @@ int chain_reply(char *inbuf,char *outbuf
+ 	int outsize2;
+ 	int new_size;
+@@ -1178,6 +1179,21 @@ int chain_reply(char *inbuf,char *outbuf
  		/* this is the first part of the chain */
  		orig_inbuf = inbuf;
  		orig_outbuf = outbuf;
 +		orig_size = size;
++		smb_off2 = 0;
 +	}
 +
++	if (SVAL(inbuf,smb_vwv1) <= smb_off2) {
++		DEBUG(1, ("AndX offset not increasing\n"));
++		SCVAL(outbuf, smb_vwv0, 0xFF);
++		return;
++	}
++	smb_off2 = SVAL(inbuf, smb_vwv1);
++
 +	/* Validate smb_off2 */
 +	if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) {
 +		exit_server_cleanly("Bad chained packet");
@@ -26,7 +37,7 @@ Patch to fix CVE-2010-2063.
  	}
  
  	/*
-@@ -1192,6 +1200,11 @@ int chain_reply(char *inbuf,char *outbuf
+@@ -1192,6 +1208,11 @@ int chain_reply(char *inbuf,char *outbuf
  	SSVAL(outbuf,smb_vwv1,smb_offset(outbuf+outsize,outbuf));
  	SCVAL(outbuf,smb_vwv0,smb_com2);
  
diff --git a/net/samba33/Makefile b/net/samba33/Makefile
index b6e01840099..81b71b2c850 100644
--- a/net/samba33/Makefile
+++ b/net/samba33/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.19 2012/02/06 12:41:17 wiz Exp $
+# $NetBSD: Makefile,v 1.20 2012/03/13 13:22:24 taca Exp $
 
 .include "../../net/samba/Makefile.mirrors"
 
 DISTNAME=		samba-${VERSION}
-PKGREVISION=		2
+PKGREVISION=		3
 CATEGORIES=		net
 MASTER_SITES=		${SAMBA_MIRRORS:=old-versions/}
 
diff --git a/net/samba33/distinfo b/net/samba33/distinfo
index fcf98d85189..9605497a1b7 100644
--- a/net/samba33/distinfo
+++ b/net/samba33/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.8 2011/08/02 14:06:20 taca Exp $
+$NetBSD: distinfo,v 1.9 2012/03/13 13:22:24 taca Exp $
 
 SHA1 (samba-3.3.16.tar.gz) = bfb06f2cd88ba6c2fb9d25cabf3b22bf1a402f08
 RMD160 (samba-3.3.16.tar.gz) = 30e181de0e5399503cad3e09f3dd172a0fc6a011
@@ -28,3 +28,4 @@ SHA1 (patch-av) = e3ebea3cf0a44fc43c8878c1563972ca2c2b60a9
 SHA1 (patch-aw) = 8dafe1df0661ce8f662716804cf39516c2499add
 SHA1 (patch-ax) = 86ba06f64069a837b6422f5ea1d7b16bed7915b0
 SHA1 (patch-lib_replace_test_os2__delete.c) = d4e14bdfb62b51465902f7090b1b2a6a44dc0060
+SHA1 (patch-smbd_process.c) = f12a4224a6a337ceaeac51843eb32c46a71aa7ca
diff --git a/net/samba33/patches/patch-smbd_process.c b/net/samba33/patches/patch-smbd_process.c
new file mode 100644
index 00000000000..4fc764f514b
--- /dev/null
+++ b/net/samba33/patches/patch-smbd_process.c
@@ -0,0 +1,32 @@
+$NetBSD: patch-smbd_process.c,v 1.1 2012/03/13 13:22:24 taca Exp $
+
+* Fix for CVE-2012-0870.
+
+--- smbd/process.c.orig	2011-07-24 19:09:38.000000000 +0000
++++ smbd/process.c
+@@ -1656,7 +1656,7 @@ void chain_reply(struct smb_request *req
+ 	int size = smb_len(req->inbuf)+4;
+ 
+ 	int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
+-	unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
++	static unsigned smb_off2;
+ 	char *inbuf2;
+ 	int outsize2;
+ 	int new_size;
+@@ -1681,8 +1681,16 @@ void chain_reply(struct smb_request *req
+ 		/* this is the first part of the chain */
+ 		orig_inbuf = inbuf;
+ 		orig_size = size;
++		smb_off2 = 0;
+ 	}
+ 
++	if (SVAL(inbuf,smb_vwv1) <= smb_off2) {
++		DEBUG(1, ("AndX offset not increasing\n"));
++		SCVAL(outbuf, smb_vwv0, 0xFF);
++		return;
++	}
++	smb_off2 = SVAL(inbuf, smb_vwv1);
++
+ 	/* Validate smb_off2 */
+ 	if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) {
+ 		exit_server_cleanly("Bad chained packet");