authortaca <taca>2012-03-13 13:22:24 +0000
committertaca <taca>2012-03-13 13:22:24 +0000
commitc3ce7a17d83f91d4a93c0edde0807682aa25462e (patch)
tree4a617b604462efe66742719b13f593d3d7f551d9 /net/samba30/patches/patch-ee
parent6267a7545f6595eef5e5440b4b10e23627846c1f (diff)
Add patch for CVE-2012-0870.
Bump PKGREVISION.
Diffstat (limited to 'net/samba30/patches/patch-ee')
-rw-r--r--net/samba30/patches/patch-ee23
1 files changed, 17 insertions, 6 deletions
diff --git a/net/samba30/patches/patch-ee b/net/samba30/patches/patch-ee
index f242b8d6f29..f6b8f93d554 100644
--- a/net/samba30/patches/patch-ee
+++ b/net/samba30/patches/patch-ee
@@ -1,24 +1,35 @@
-$NetBSD: patch-ee,v 1.1.1.1 2011/12/15 22:23:24 asau Exp $
+$NetBSD: patch-ee,v 1.2 2012/03/13 13:23:18 taca Exp $
-Patch to fix CVE-2010-2063.
+Patch to fix CVE-2010-2063 and CVE-2012-0870.
--- smbd/process.c.orig 2009-09-30 12:21:56.000000000 +0000
+++ smbd/process.c
-@@ -1159,6 +1159,7 @@ int chain_reply(char *inbuf,char *outbuf
+@@ -1159,8 +1159,9 @@ int chain_reply(char *inbuf,char *outbuf
{
static char *orig_inbuf;
static char *orig_outbuf;
+ static int orig_size;
int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
- unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
+- unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
++ static unsigned smb_off2;
char *inbuf2, *outbuf2;
-@@ -1178,6 +1179,13 @@ int chain_reply(char *inbuf,char *outbuf
+ int outsize2;
+ int new_size;
+@@ -1178,6 +1179,21 @@ int chain_reply(char *inbuf,char *outbuf
/* this is the first part of the chain */
orig_inbuf = inbuf;
orig_outbuf = outbuf;
+ orig_size = size;
++ smb_off2 = 0;
+ }
+
++ if (SVAL(inbuf,smb_vwv1) <= smb_off2) {
++ DEBUG(1, ("AndX offset not increasing\n"));
++ SCVAL(outbuf, smb_vwv0, 0xFF);
++ return;
++ }
++ smb_off2 = SVAL(inbuf, smb_vwv1);
++
+ /* Validate smb_off2 */
+ if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) {
+ exit_server_cleanly("Bad chained packet");
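Review bot: The new AndX-offset guard added to smbd/process.c ends with a bare `return;`, but the hunk header shows the function as `int chain_reply(...)`, so on this rejection path the caller receives an indeterminate value. If the caller treats the result as the reply length, as the later `outbuf+outsize` arithmetic suggests it may, a request with a non-increasing AndX offset could be answered with an unpredictable length. Return an explicit value instead, for example `return outsize;`, after confirming that `outsize` is already initialised at this point, since its declaration is outside the hunk. chain_reply's body starts and ends outside the hunk.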
@@ -26,7 +37,7 @@ Patch to fix CVE-2010-2063.
}
/*
-@@ -1192,6 +1200,11 @@ int chain_reply(char *inbuf,char *outbuf
+@@ -1192,6 +1208,11 @@ int chain_reply(char *inbuf,char *outbuf
SSVAL(outbuf,smb_vwv1,smb_offset(outbuf+outsize,outbuf));
SCVAL(outbuf,smb_vwv0,smb_com2);