Try to fix a possible buffer overrun (CVE-2012-4428). Didn't find

a patch upstream nor anywhere else, hope this is correct. Someone
please review.
Being here, fix a memcpy() size bug on 64-bit systems.
bump PKGREV

4 files changed, 62 insertions, 3 deletions

diff --git a/net/openslp/Makefile b/net/openslp/Makefile
index 1d0f6e815fe..ba0441b1a2a 100644
--- a/net/openslp/Makefile
+++ b/net/openslp/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.40 2013/02/06 23:23:21 jperkin Exp $
+# $NetBSD: Makefile,v 1.41 2013/02/14 16:51:32 drochner Exp $
 
 DISTNAME=	openslp-1.2.1
-PKGREVISION=	5
+PKGREVISION=	6
 CATEGORIES=	net
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=openslp/}
 
diff --git a/net/openslp/distinfo b/net/openslp/distinfo
index 64bd452dea8..3517cbe12a5 100644
--- a/net/openslp/distinfo
+++ b/net/openslp/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.16 2011/04/08 12:19:17 drochner Exp $
+$NetBSD: distinfo,v 1.17 2013/02/14 16:51:32 drochner Exp $
 
 SHA1 (openslp-1.2.1.tar.gz) = 47ab19154084d2b467f09525f5351e9ab7193cf9
 RMD160 (openslp-1.2.1.tar.gz) = a31d516ba784ad893a740946082fe5e0f15a37ea
 Size (openslp-1.2.1.tar.gz) = 886195 bytes
+SHA1 (patch-CVE-2012-4428) = 2ada5f48b06b9b5dd37e5e017e50372c3806c021
 SHA1 (patch-aa) = 670b3fa3c95453e5a5efca04bc83a0da06d03d2b
 SHA1 (patch-ac) = 031177b9334b570e1021887ae2bdf56f4ba02c48
 SHA1 (patch-ae) = 1332580b2d9cb3e2e5c5da219c1036b9701161e5
@@ -11,3 +12,4 @@ SHA1 (patch-ai) = 11baa3ef891677f1df78f75b93001580ff450e13
 SHA1 (patch-aj) = 8e1d32772cf59a938a4d9d9d0957d223f4ea6c06
 SHA1 (patch-ak) = e64ede590e4af9d8951177b68c4bbf1b56ebdfae
 SHA1 (patch-al) = 19fa24e2ac362c3e45413826cd139ced984e8adc
+SHA1 (patch-am) = 7b8a47f0998202aab9c82278a2c405584eb3fea4
diff --git a/net/openslp/patches/patch-CVE-2012-4428 b/net/openslp/patches/patch-CVE-2012-4428
new file mode 100644
index 00000000000..67a25a84362
--- /dev/null
+++ b/net/openslp/patches/patch-CVE-2012-4428
@@ -0,0 +1,42 @@
+$NetBSD: patch-CVE-2012-4428,v 1.1 2013/02/14 16:51:32 drochner Exp $
+
+try to prevent list overrun (upstream code is completely rewritten)
+
+--- common/slp_compare.c.orig	2005-02-15 20:07:43.000000000 +0000
++++ common/slp_compare.c
+@@ -270,9 +270,9 @@ int SLPContainsStringList(int listlen, 
+         itembegin = itemend;
+ 
+         /* seek to the end of the next list item */
+-        while(1)
++        while(itemend != listend)
+         {
+-            if(itemend == listend || *itemend == ',')
++            if(*itemend == ',')
+             {
+                 if(*(itemend - 1) != '\\')
+                 {
+@@ -326,9 +326,9 @@ int SLPIntersectStringList(int list1len,
+         itembegin = itemend;
+ 
+         /* seek to the end of the next list item */
+-        while(1)
++        while(itemend != listend)
+         {
+-            if(itemend == listend || *itemend == ',')
++            if(*itemend == ',')
+             {
+                 if(*(itemend - 1) != '\\')
+                 {
+@@ -415,9 +415,9 @@ int SLPUnionStringList(int list1len,
+         itembegin = itemend;
+ 
+         /* seek to the end of the next list item */
+-        while(1)
++        while(itemend != listend)
+         {
+-            if(itemend == listend || *itemend == ',')
++            if(*itemend == ',')
+             {
+                 if(*(itemend - 1) != '\\')
+                 {
diff --git a/net/openslp/patches/patch-am b/net/openslp/patches/patch-am
new file mode 100644
index 00000000000..68b40fa9d70
--- /dev/null
+++ b/net/openslp/patches/patch-am
@@ -0,0 +1,15 @@
+$NetBSD: patch-am,v 1.1 2013/02/14 16:51:32 drochner Exp $
+
+size of pointer vs size of target (fixed upstream)
+
+--- slpd/slpd_socket.c.orig	2005-02-09 00:09:46.000000000 +0000
++++ slpd/slpd_socket.c
+@@ -183,7 +183,7 @@ int DropSLPMulticastGroup(sockfd_t sockf
+     memcpy(&mreq.imr_multiaddr, maddr, sizeof(struct in_addr));
+ 
+     /* drop for the specified interface */
+-    memcpy(&mreq.imr_interface,addr,sizeof(addr));
++    memcpy(&mreq.imr_interface,addr,sizeof(struct in_addr));
+ 
+     return setsockopt(sockfd, IPPROTO_IP, IP_DROP_MEMBERSHIP, (char*)&mreq,sizeof(mreq));               
+ }