--- /dev/null
+From b610e0cee563465c6b970647b215f8ae4d0c6599 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 8 Jul 2011 12:56:21 +0200
+Subject: [PATCH 01/12] s3 swat: Allow getting the user's HTTP auth password
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/cgi.c | 9 +++++++++
+ source/web/swat_proto.h | 1 +
+ 2 files changed, 10 insertions(+), 0 deletions(-)
+
+diff --git a/source/web/cgi.c b/source/web/cgi.c
+index 72aa11c..ccdc3a7 100644
+--- a/source/web/cgi.c
++++ b/source/web/cgi.c
+@@ -42,6 +42,7 @@ static char *query_string;
+ static const char *baseurl;
+ static char *pathinfo;
+ static char *C_user;
++static char *C_pass;
+ static bool inetd_server;
+ static bool got_request;
+
+@@ -388,6 +389,7 @@ static bool cgi_handle_authorization(char *line)
+
+ /* Save the users name */
+ C_user = SMB_STRDUP(user);
++ C_pass = SMB_STRDUP(user_pass);
+ TALLOC_FREE(pass);
+ return True;
+ }
+@@ -422,6 +424,13 @@ char *cgi_user_name(void)
+ return(C_user);
+ }
+
++/***************************************************************************
++return a ptr to the users password
++ ***************************************************************************/
++char *cgi_user_pass(void)
++{
++ return(C_pass);
++}
+
+ /***************************************************************************
+ handle a file download
+diff --git a/source/web/swat_proto.h b/source/web/swat_proto.h
+index 0f84e4f..76f9c3c 100644
+--- a/source/web/swat_proto.h
++++ b/source/web/swat_proto.h
+@@ -31,6 +31,7 @@ const char *cgi_variable(const char *name);
+ const char *cgi_variable_nonull(const char *name);
+ bool am_root(void);
+ char *cgi_user_name(void);
++char *cgi_user_pass(void);
+ void cgi_setup(const char *rootdir, int auth_required);
+ const char *cgi_baseurl(void);
+ const char *cgi_pathinfo(void);
+--
+1.7.1
+
+
+From 3806fec53dcf3b6e5c3fd71917f9d67d47c65e32 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 8 Jul 2011 12:57:43 +0200
+Subject: [PATCH 02/12] s3 swat: Add support for anti-XSRF token
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/swat.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++
+ source/web/swat_proto.h | 5 ++++
+ 2 files changed, 59 insertions(+), 0 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 434b1ac..e7d84e5 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -29,6 +29,7 @@
+
+ #include "includes.h"
+ #include "web/swat_proto.h"
++#include "../lib/crypto/md5.h"
+
+ static int demo_mode = False;
+ static int passwd_only = False;
+@@ -50,6 +51,7 @@ static int iNumNonAutoPrintServices = 0;
+ #define DISABLE_USER_FLAG "disable_user_flag"
+ #define ENABLE_USER_FLAG "enable_user_flag"
+ #define RHOST "remote_host"
++#define XSRF_TOKEN "xsrf"
+
+ #define _(x) lang_msg_rotate(talloc_tos(),x)
+
+@@ -138,6 +140,58 @@ static char *make_parm_name(const char *label)
+ return parmname;
+ }
+
++void get_xsrf_token(const char *username, const char *pass,
++ const char *formname, char token_str[33])
++{
++ struct MD5Context md5_ctx;
++ uint8_t token[16];
++ int i;
++
++ token_str[0] = '\0';
++ ZERO_STRUCT(md5_ctx);
++ MD5Init(&md5_ctx);
++
++ MD5Update(&md5_ctx, (uint8_t *)formname, strlen(formname));
++ if (username != NULL) {
++ MD5Update(&md5_ctx, (uint8_t *)username, strlen(username));
++ }
++ if (pass != NULL) {
++ MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
++ }
++
++ MD5Final(token, &md5_ctx);
++
++ for(i = 0; i < sizeof(token); i++) {
++ char tmp[3];
++
++ snprintf(tmp, sizeof(tmp), "%02x", token[i]);
++ strncat(token_str, tmp, sizeof(tmp));
++ }
++}
++
++void print_xsrf_token(const char *username, const char *pass,
++ const char *formname)
++{
++ char token[33];
++
++ get_xsrf_token(username, pass, formname, token);
++ printf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
++ XSRF_TOKEN, token);
++
++}
++
++bool verify_xsrf_token(const char *formname)
++{
++ char expected[33];
++ const char *username = cgi_user_name();
++ const char *pass = cgi_user_pass();
++ const char *token = cgi_variable_nonull(XSRF_TOKEN);
++
++ get_xsrf_token(username, pass, formname, expected);
++ return (strncmp(expected, token, sizeof(expected)) == 0);
++}
++
++
+ /****************************************************************************
+ include a lump of html in a page
+ ****************************************************************************/
+diff --git a/source/web/swat_proto.h b/source/web/swat_proto.h
+index 76f9c3c..e66c942 100644
+--- a/source/web/swat_proto.h
++++ b/source/web/swat_proto.h
+@@ -67,5 +67,10 @@ void status_page(void);
+ /* The following definitions come from web/swat.c */
+
+ const char *lang_msg_rotate(TALLOC_CTX *ctx, const char *msgid);
++void get_xsrf_token(const char *username, const char *pass,
++ const char *formname, char token_str[33]);
++void print_xsrf_token(const char *username, const char *pass,
++ const char *formname);
++bool verify_xsrf_token(const char *formname);
+
+ #endif /* _SWAT_PROTO_H_ */
+--
+1.7.1
+
+
+From 3f38cf42facc38c19e0448cbae3078b9606b08e4 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 8 Jul 2011 12:58:53 +0200
+Subject: [PATCH 03/12] s3 swat: Add XSRF protection to status page
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/statuspage.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/source/web/statuspage.c b/source/web/statuspage.c
+index 8070ae7..fe545e4 100644
+--- a/source/web/statuspage.c
++++ b/source/web/statuspage.c
+@@ -247,9 +247,14 @@ void status_page(void)
+ int nr_running=0;
+ bool waitup = False;
+ TALLOC_CTX *ctx = talloc_stackframe();
++ const char form_name[] = "status";
+
+ smbd_pid = pid_to_procid(pidfile_pid("smbd"));
+
++ if (!verify_xsrf_token(form_name)) {
++ goto output_page;
++ }
++
+ if (cgi_variable("smbd_restart") || cgi_variable("all_restart")) {
+ stop_smbd();
+ start_smbd();
+@@ -326,9 +331,11 @@ void status_page(void)
+
+ initPid2Machine ();
+
++output_page:
+ printf("<H2>%s</H2>\n", _("Server Status"));
+
+ printf("<FORM method=post>\n");
++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+
+ if (!autorefresh) {
+ printf("<input type=submit value=\"%s\" name=\"autorefresh\">\n", _("Auto Refresh"));
+--
+1.7.1
+
+
+From ba996f0ae87f6bf4f19a4918e44dbd6d44a96561 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 8 Jul 2011 15:02:53 +0200
+Subject: [PATCH 04/12] s3 swat: Add XSRF protection to viewconfig page
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/swat.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index e7d84e5..647126f 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -664,13 +664,20 @@ static void welcome_page(void)
+ static void viewconfig_page(void)
+ {
+ int full_view=0;
++ const char form_name[] = "viewconfig";
++
++ if (!verify_xsrf_token(form_name)) {
++ goto output_page;
++ }
+
+ if (cgi_variable("full_view")) {
+ full_view = 1;
+ }
+
++output_page:
+ printf("<H2>%s</H2>\n", _("Current Config"));
+ printf("<form method=post>\n");
++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+
+ if (full_view) {
+ printf("<input type=submit name=\"normal_view\" value=\"%s\">\n", _("Normal View"));
+--
+1.7.1
+
+
+From 94f8482607a175c44436fae456fbda3624629982 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 8 Jul 2011 15:03:15 +0200
+Subject: [PATCH 05/12] s3 swat: Add XSRF protection to wizard_params page
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/swat.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 647126f..b7eec4a 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -697,18 +697,25 @@ output_page:
+ static void wizard_params_page(void)
+ {
+ unsigned int parm_filter = FLAG_WIZARD;
++ const char form_name[] = "wizard_params";
+
+ /* Here we first set and commit all the parameters that were selected
+ in the previous screen. */
+
+ printf("<H2>%s</H2>\n", _("Wizard Parameter Edit Page"));
+
++ if (!verify_xsrf_token(form_name)) {
++ goto output_page;
++ }
++
+ if (cgi_variable("Commit")) {
+ commit_parameters(GLOBAL_SECTION_SNUM);
+ save_reload(0);
+ }
+
++output_page:
+ printf("<form name=\"swatform\" method=post action=wizard_params>\n");
++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+
+ if (have_write_access) {
+ printf("<input type=submit name=\"Commit\" value=\"Commit Changes\">\n");
+--
+1.7.1
+
+
+From eb22fd73060534700d514ec295985549131c7569 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 8 Jul 2011 15:03:44 +0200
+Subject: [PATCH 06/12] s3 swat: Add XSRF protection to wizard page
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/swat.c | 9 ++++++++-
+ 1 files changed, 8 insertions(+), 1 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index b7eec4a..b6e0c0f 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -751,6 +751,11 @@ static void wizard_page(void)
+ int have_home = -1;
+ int HomeExpo = 0;
+ int SerType = 0;
++ const char form_name[] = "wizard";
++
++ if (!verify_xsrf_token(form_name)) {
++ goto output_page;
++ }
+
+ if (cgi_variable("Rewrite")) {
+ (void) rewritecfg_file();
+@@ -841,10 +846,12 @@ static void wizard_page(void)
+ winstype = 3;
+
+ role = lp_server_role();
+-
++
++output_page:
+ /* Here we go ... */
+ printf("<H2>%s</H2>\n", _("Samba Configuration Wizard"));
+ printf("<form method=post action=wizard>\n");
++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+
+ if (have_write_access) {
+ printf("%s\n", _("The \"Rewrite smb.conf file\" button will clear the smb.conf file of all default values and of comments."));
+--
+1.7.1
+
+
+From 8fb3064eeaa3640af6c8b91aa5859d8bfb6d0888 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 8 Jul 2011 15:04:12 +0200
+Subject: [PATCH 07/12] s3 swat: Add XSRF protection to globals page
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/swat.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index b6e0c0f..5d11685 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -920,9 +920,14 @@ static void globals_page(void)
+ {
+ unsigned int parm_filter = FLAG_BASIC;
+ int mode = 0;
++ const char form_name[] = "globals";
+
+ printf("<H2>%s</H2>\n", _("Global Parameters"));
+
++ if (!verify_xsrf_token(form_name)) {
++ goto output_page;
++ }
++
+ if (cgi_variable("Commit")) {
+ commit_parameters(GLOBAL_SECTION_SNUM);
+ save_reload(0);
+@@ -935,7 +940,9 @@ static void globals_page(void)
+ if ( cgi_variable("AdvMode"))
+ mode = 1;
+
++output_page:
+ printf("<form name=\"swatform\" method=post action=globals>\n");
++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+
+ ViewModeBoxes( mode );
+ switch ( mode ) {
+--
+1.7.1
+
+
+From ef457a20422cfa8231e25b539d2cd87f299686b9 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 8 Jul 2011 15:04:48 +0200
+Subject: [PATCH 08/12] s3 swat: Add XSRF protection to shares page
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/swat.c | 18 +++++++++++++-----
+ 1 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 5d11685..4544c31 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -982,11 +982,17 @@ static void shares_page(void)
+ int mode = 0;
+ unsigned int parm_filter = FLAG_BASIC;
+ size_t converted_size;
++ const char form_name[] = "shares";
++
++ printf("<H2>%s</H2>\n", _("Share Parameters"));
++
++ if (!verify_xsrf_token(form_name)) {
++ goto output_page;
++ }
+
+ if (share)
+ snum = lp_servicenumber(share);
+
+- printf("<H2>%s</H2>\n", _("Share Parameters"));
+
+ if (cgi_variable("Commit") && snum >= 0) {
+ commit_parameters(snum);
+@@ -1012,10 +1018,6 @@ static void shares_page(void)
+ }
+ }
+
+- printf("<FORM name=\"swatform\" method=post>\n");
+-
+- printf("<table>\n");
+-
+ if ( cgi_variable("ViewMode") )
+ mode = atoi(cgi_variable_nonull("ViewMode"));
+ if ( cgi_variable("BasicMode"))
+@@ -1023,6 +1025,12 @@ static void shares_page(void)
+ if ( cgi_variable("AdvMode"))
+ mode = 1;
+
++output_page:
++ printf("<FORM name=\"swatform\" method=post>\n");
++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
++
++ printf("<table>\n");
++
+ ViewModeBoxes( mode );
+ switch ( mode ) {
+ case 0:
+--
+1.7.1
+
+
+From 4850456845d2da5e3451716a5ad4ca0ef034e01f Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 8 Jul 2011 15:05:38 +0200
+Subject: [PATCH 09/12] s3 swat: Add XSRF protection to password page
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/swat.c | 11 ++++++++---
+ 1 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 4544c31..5242484 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -1225,12 +1225,15 @@ static void chg_passwd(void)
+ static void passwd_page(void)
+ {
+ const char *new_name = cgi_user_name();
++ const char passwd_form[] = "passwd";
++ const char rpasswd_form[] = "rpasswd";
+
+ if (!new_name) new_name = "";
+
+ printf("<H2>%s</H2>\n", _("Server Password Management"));
+
+ printf("<FORM name=\"swatform\" method=post>\n");
++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), passwd_form);
+
+ printf("<table>\n");
+
+@@ -1270,14 +1273,16 @@ static void passwd_page(void)
+ * Do some work if change, add, disable or enable was
+ * requested. It could be this is the first time through this
+ * code, so there isn't anything to do. */
+- if ((cgi_variable(CHG_S_PASSWD_FLAG)) || (cgi_variable(ADD_USER_FLAG)) || (cgi_variable(DELETE_USER_FLAG)) ||
+- (cgi_variable(DISABLE_USER_FLAG)) || (cgi_variable(ENABLE_USER_FLAG))) {
++ if (verify_xsrf_token(passwd_form) &&
++ ((cgi_variable(CHG_S_PASSWD_FLAG)) || (cgi_variable(ADD_USER_FLAG)) || (cgi_variable(DELETE_USER_FLAG)) ||
++ (cgi_variable(DISABLE_USER_FLAG)) || (cgi_variable(ENABLE_USER_FLAG)))) {
+ chg_passwd();
+ }
+
+ printf("<H2>%s</H2>\n", _("Client/Server Password Management"));
+
+ printf("<FORM name=\"swatform\" method=post>\n");
++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), rpasswd_form);
+
+ printf("<table>\n");
+
+@@ -1310,7 +1315,7 @@ static void passwd_page(void)
+ * password somewhere other than the server. It could be this
+ * is the first time through this code, so there isn't
+ * anything to do. */
+- if (cgi_variable(CHG_R_PASSWD_FLAG)) {
++ if (verify_xsrf_token(passwd_form) && cgi_variable(CHG_R_PASSWD_FLAG)) {
+ chg_passwd();
+ }
+
+--
+1.7.1
+
+
+From 407ae61fbfc8ee1643a4db8ea9b104f031b32e0f Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 8 Jul 2011 15:06:13 +0200
+Subject: [PATCH 10/12] s3 swat: Add XSRF protection to printer page
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/swat.c | 28 ++++++++++++++++++----------
+ 1 files changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 5242484..4582a63 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -1332,18 +1332,15 @@ static void printers_page(void)
+ int i;
+ int mode = 0;
+ unsigned int parm_filter = FLAG_BASIC;
++ const char form_name[] = "printers";
++
++ if (!verify_xsrf_token(form_name)) {
++ goto output_page;
++ }
+
+ if (share)
+ snum = lp_servicenumber(share);
+
+- printf("<H2>%s</H2>\n", _("Printer Parameters"));
+-
+- printf("<H3>%s</H3>\n", _("Important Note:"));
+- printf("%s",_("Printer names marked with [*] in the Choose Printer drop-down box "));
+- printf("%s",_("are autoloaded printers from "));
+- printf("<A HREF=\"/swat/help/smb.conf.5.html#printcapname\" target=\"docs\">%s</A>\n", _("Printcap Name"));
+- printf("%s\n", _("Attempting to delete these printers from SWAT will have no effect."));
+-
+ if (cgi_variable("Commit") && snum >= 0) {
+ commit_parameters(snum);
+ if (snum >= iNumNonAutoPrintServices)
+@@ -1372,8 +1369,6 @@ static void printers_page(void)
+ }
+ }
+
+- printf("<FORM name=\"swatform\" method=post>\n");
+-
+ if ( cgi_variable("ViewMode") )
+ mode = atoi(cgi_variable_nonull("ViewMode"));
+ if ( cgi_variable("BasicMode"))
+@@ -1381,6 +1376,19 @@ static void printers_page(void)
+ if ( cgi_variable("AdvMode"))
+ mode = 1;
+
++output_page:
++ printf("<H2>%s</H2>\n", _("Printer Parameters"));
++
++ printf("<H3>%s</H3>\n", _("Important Note:"));
++ printf("%s",_("Printer names marked with [*] in the Choose Printer drop-down box "));
++ printf("%s",_("are autoloaded printers from "));
++ printf("<A HREF=\"/swat/help/smb.conf.5.html#printcapname\" target=\"docs\">%s</A>\n", _("Printcap Name"));
++ printf("%s\n", _("Attempting to delete these printers from SWAT will have no effect."));
++
++
++ printf("<FORM name=\"swatform\" method=post>\n");
++ print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
++
+ ViewModeBoxes( mode );
+ switch ( mode ) {
+ case 0:
+--
+1.7.1
+
+
+From 11e281228f334bf3d384df5655136f0b4b4068aa Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Sat, 9 Jul 2011 09:52:07 +0200
+Subject: [PATCH 11/12] s3 swat: Add time component to XSRF token
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/swat.c | 28 ++++++++++++++++++++++++----
+ source/web/swat_proto.h | 2 +-
+ 2 files changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 4582a63..50df66e 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -52,6 +52,8 @@ static int iNumNonAutoPrintServices = 0;
+ #define ENABLE_USER_FLAG "enable_user_flag"
+ #define RHOST "remote_host"
+ #define XSRF_TOKEN "xsrf"
++#define XSRF_TIME "xsrf_time"
++#define XSRF_TIMEOUT 300
+
+ #define _(x) lang_msg_rotate(talloc_tos(),x)
+
+@@ -141,7 +143,7 @@ static char *make_parm_name(const char *label)
+ }
+
+ void get_xsrf_token(const char *username, const char *pass,
+- const char *formname, char token_str[33])
++ const char *formname, time_t xsrf_time, char token_str[33])
+ {
+ struct MD5Context md5_ctx;
+ uint8_t token[16];
+@@ -152,6 +154,7 @@ void get_xsrf_token(const char *username, const char *pass,
+ MD5Init(&md5_ctx);
+
+ MD5Update(&md5_ctx, (uint8_t *)formname, strlen(formname));
++ MD5Update(&md5_ctx, (uint8_t *)&xsrf_time, sizeof(time_t));
+ if (username != NULL) {
+ MD5Update(&md5_ctx, (uint8_t *)username, strlen(username));
+ }
+@@ -173,11 +176,13 @@ void print_xsrf_token(const char *username, const char *pass,
+ const char *formname)
+ {
+ char token[33];
++ time_t xsrf_time = time(NULL);
+
+- get_xsrf_token(username, pass, formname, token);
++ get_xsrf_token(username, pass, formname, xsrf_time, token);
+ printf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
+ XSRF_TOKEN, token);
+-
++ printf("<input type=\"hidden\" name=\"%s\" value=\"%lld\">\n",
++ XSRF_TIME, (long long int)xsrf_time);
+ }
+
+ bool verify_xsrf_token(const char *formname)
+@@ -186,8 +191,23 @@ bool verify_xsrf_token(const char *formname)
+ const char *username = cgi_user_name();
+ const char *pass = cgi_user_pass();
+ const char *token = cgi_variable_nonull(XSRF_TOKEN);
++ const char *time_str = cgi_variable_nonull(XSRF_TIME);
++ time_t xsrf_time = 0;
++ time_t now = time(NULL);
++
++ if (sizeof(time_t) == sizeof(int)) {
++ xsrf_time = atoi(time_str);
++ } else if (sizeof(time_t) == sizeof(long)) {
++ xsrf_time = atol(time_str);
++ } else if (sizeof(time_t) == sizeof(long long)) {
++ xsrf_time = atoll(time_str);
++ }
++
++ if (abs(now - xsrf_time) > XSRF_TIMEOUT) {
++ return false;
++ }
+
+- get_xsrf_token(username, pass, formname, expected);
++ get_xsrf_token(username, pass, formname, xsrf_time, expected);
+ return (strncmp(expected, token, sizeof(expected)) == 0);
+ }
+
+diff --git a/source/web/swat_proto.h b/source/web/swat_proto.h
+index e66c942..424a3af 100644
+--- a/source/web/swat_proto.h
++++ b/source/web/swat_proto.h
+@@ -68,7 +68,7 @@ void status_page(void);
+
+ const char *lang_msg_rotate(TALLOC_CTX *ctx, const char *msgid);
+ void get_xsrf_token(const char *username, const char *pass,
+- const char *formname, char token_str[33]);
++ const char *formname, time_t xsrf_time, char token_str[33]);
+ void print_xsrf_token(const char *username, const char *pass,
+ const char *formname);
+ bool verify_xsrf_token(const char *formname);
+--
+1.7.1
+
+
+From 3973cfa50024983618a44ffdb9f756b642b85be7 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Tue, 12 Jul 2011 08:08:24 +0200
+Subject: [PATCH 12/12] s3 swat: Create random nonce in CGI mode
+
+In CGI mode, we don't get access to the user's password, which would
+reduce the hash used so far to parameters an attacker can easily guess.
+To work around this, read the nonce from secrets.tdb or generate one if
+it's not there.
+Also populate the C_user field so we can use that for token creation.
+
+Signed-off-by: Kai Blin <kai@samba.org>
+
+The last 12 patches address bug #8290 (CSRF vulnerability in SWAT).
+This addresses CVE-2011-2522 (Cross-Site Request Forgery in SWAT).
+---
+ source/web/cgi.c | 18 +++++++++++++++++-
+ source/web/swat.c | 1 -
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/source/web/cgi.c b/source/web/cgi.c
+index ccdc3a7..890ac8e 100644
+--- a/source/web/cgi.c
++++ b/source/web/cgi.c
+@@ -19,6 +19,7 @@
+
+ #include "includes.h"
+ #include "web/swat_proto.h"
++#include "secrets.h"
+
+ #define MAX_VARIABLES 10000
+
+@@ -321,7 +322,22 @@ static void cgi_web_auth(void)
+ exit(0);
+ }
+
+- setuid(0);
++ C_user = SMB_STRDUP(user);
++
++ if (!setuid(0)) {
++ C_pass = secrets_fetch_generic("root", "SWAT");
++ if (C_pass == NULL) {
++ char *tmp_pass = NULL;
++ tmp_pass = generate_random_str(16);
++ if (tmp_pass == NULL) {
++ printf("%sFailed to create random nonce for "
++ "SWAT session\n<br>%s\n", head, tail);
++ exit(0);
++ }
++ secrets_store_generic("root", "SWAT", tmp_pass);
++ C_pass = SMB_STRDUP(tmp_pass);
++ }
++ }
+ setuid(pwd->pw_uid);
+ if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
+ printf("%sFailed to become user %s - uid=%d/%d<br>%s\n",
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 50df66e..146f1cf 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -29,7 +29,6 @@
+
+ #include "includes.h"
+ #include "web/swat_proto.h"
+-#include "../lib/crypto/md5.h"
+
+ static int demo_mode = False;
+ static int passwd_only = False;
+--
+1.7.1
+
+++ /dev/null
-From 724e44eed299c618066dec411530aa9f156119ec Mon Sep 17 00:00:00 2001
-From: Karolin Seeger <kseeger@samba.org>
-Date: Sun, 27 Feb 2011 18:28:29 +0100
-Subject: [PATCH] Fix denial of service - memory corruption.
-
-CVE-2011-0719
-
-Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).
-
-All current released versions of Samba are vulnerable to
-a denial of service caused by memory corruption. Range
-checks on file descriptors being used in the FD_SET macro
-were not present allowing stack corruption. This can cause
-the Samba code to crash or to loop attempting to select
-on a bad file descriptor set.
-
-A connection to a file share, or a local account is needed
-to exploit this problem, either authenticated or unauthenticated
-(guest connection).
-
-Currently we do not believe this flaw is exploitable
-beyond a crash or causing the code to loop, but on the
-advice of our security reviewers we are releasing fixes
-in case an exploit is discovered at a later date.
----
- source/client/client.c | 4 +++-
- source/client/dnsbrowse.c | 12 ++++++++++++
- source/lib/events.c | 13 +++++++++++++
- source/lib/packet.c | 5 +++++
- source/lib/readline.c | 5 +++++
- source/lib/select.c | 6 ++++++
- source/lib/util_sock.c | 11 +++++++++--
- source/libaddns/dnssock.c | 6 +++++-
- source/libsmb/nmblib.c | 5 +++++
- source/nmbd/nmbd_packets.c | 24 ++++++++++++++++++++++--
- source/nsswitch/wb_common.c | 22 ++++++++++++++++++++--
- source/printing/printing.c | 5 +++++
- source/smbd/dnsregister.c | 6 ++++++
- source/smbd/oplock.c | 5 ++++-
- source/smbd/oplock_irix.c | 5 +++++
- source/smbd/process.c | 2 +-
- source/smbd/server.c | 29 +++++++++++++++++++++--------
- source/utils/smbfilter.c | 8 ++++++--
- source/winbindd/winbindd.c | 12 +++++++++++-
- source/winbindd/winbindd_dual.c | 7 +++++++
- 20 files changed, 171 insertions(+), 21 deletions(-)
-
-diff --git a/source/client/client.c b/source/client/client.c
-index 53bd9e6..a989441 100644
---- a/source/client/client.c
-+++ b/source/client/client.c
-@@ -4379,8 +4379,10 @@ static void readline_callback(void)
-
- again:
-
-- if (cli->fd == -1)
-+ if (cli->fd < 0 || cli->fd >= FD_SETSIZE) {
-+ errno = EBADF;
- return;
-+ }
-
- FD_ZERO(&fds);
- FD_SET(cli->fd,&fds);
-diff --git a/source/client/dnsbrowse.c b/source/client/dnsbrowse.c
-index 5e3a4de..aa2fb22 100644
---- a/source/client/dnsbrowse.c
-+++ b/source/client/dnsbrowse.c
-@@ -81,6 +81,11 @@ static void do_smb_resolve(struct mdns_smbsrv_result *browsesrv)
- TALLOC_FREE(fdset);
- }
-
-+ if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) {
-+ errno = EBADF;
-+ break;
-+ }
-+
- fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask);
- fdset = TALLOC_ZERO(ctx, fdsetsz);
- FD_SET(mdnsfd, fdset);
-@@ -183,6 +188,13 @@ int do_smb_browse(void)
-
- fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask);
- fdset = TALLOC_ZERO(ctx, fdsetsz);
-+
-+ if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) {
-+ errno = EBADF;
-+ TALLOC_FREE(ctx);
-+ return 1;
-+ }
-+
- FD_SET(mdnsfd, fdset);
-
- tv.tv_sec = 1;
-diff --git a/source/lib/events.c b/source/lib/events.c
-index cd20ceb..2ddbab7 100644
---- a/source/lib/events.c
-+++ b/source/lib/events.c
-@@ -140,6 +140,11 @@ struct fd_event *event_add_fd(struct event_context *event_ctx,
- {
- struct fd_event *fde;
-
-+ if (fd < 0 || fd >= FD_SETSIZE) {
-+ errno = EBADF;
-+ return NULL;
-+ }
-+
- if (!(fde = TALLOC_P(mem_ctx, struct fd_event))) {
- return NULL;
- }
-@@ -190,6 +195,14 @@ bool event_add_to_select_args(struct event_context *event_ctx,
- bool ret = False;
-
- for (fde = event_ctx->fd_events; fde; fde = fde->next) {
-+ if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
-+ /* We ignore here, as it shouldn't be
-+ possible to add an invalid fde->fd
-+ but we don't want FD_SET to see an
-+ invalid fd. */
-+ continue;
-+ }
-+
- if (fde->flags & EVENT_FD_READ) {
- FD_SET(fde->fd, read_fds);
- ret = True;
-diff --git a/source/lib/packet.c b/source/lib/packet.c
-index e048616..512c7f2 100644
---- a/source/lib/packet.c
-+++ b/source/lib/packet.c
-@@ -106,6 +106,11 @@ NTSTATUS packet_fd_read_sync(struct packet_context *ctx)
- int res;
- fd_set r_fds;
-
-+ if (ctx->fd < 0 || ctx->fd >= FD_SETSIZE) {
-+ errno = EBADF;
-+ return map_nt_error_from_unix(errno);
-+ }
-+
- FD_ZERO(&r_fds);
- FD_SET(ctx->fd, &r_fds);
-
-diff --git a/source/lib/readline.c b/source/lib/readline.c
-index 34867aa..70a82f2 100644
---- a/source/lib/readline.c
-+++ b/source/lib/readline.c
-@@ -91,6 +91,11 @@ static char *smb_readline_replacement(const char *prompt, void (*callback)(void)
- timeout.tv_sec = 5;
- timeout.tv_usec = 0;
-
-+ if (fd < 0 || fd >= FD_SETSIZE) {
-+ errno = EBADF;
-+ break;
-+ }
-+
- FD_ZERO(&fds);
- FD_SET(fd,&fds);
-
-diff --git a/source/lib/select.c b/source/lib/select.c
-index c3da6a9..2d5f02c 100644
---- a/source/lib/select.c
-+++ b/source/lib/select.c
-@@ -61,6 +61,11 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s
- if (pipe(select_pipe) == -1)
- smb_panic("Could not create select pipe");
-
-+ if (select_pipe[0] < 0 || select_pipe[0] >= FD_SETSIZE) {
-+ errno = EBADF;
-+ return -1;
-+ }
-+
- /*
- * These next two lines seem to fix a bug with the Linux
- * 2.0.x kernel (and probably other UNIXes as well) where
-@@ -87,6 +92,7 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s
- readfds2 = &readfds_buf;
- FD_ZERO(readfds2);
- }
-+
- FD_SET(select_pipe[0], readfds2);
-
- errno = 0;
-diff --git a/source/lib/util_sock.c b/source/lib/util_sock.c
-index 650bd13..8aa2c97 100644
---- a/source/lib/util_sock.c
-+++ b/source/lib/util_sock.c
-@@ -960,6 +960,11 @@ NTSTATUS read_socket_with_timeout(int fd, char *buf,
- timeout.tv_usec = (long)(1000 * (time_out % 1000));
-
- for (nread=0; nread < mincnt; ) {
-+ if (fd < 0 || fd >= FD_SETSIZE) {
-+ errno = EBADF;
-+ return map_nt_error_from_unix(EBADF);
-+ }
-+
- FD_ZERO(&fds);
- FD_SET(fd,&fds);
-
-@@ -1492,7 +1497,7 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs,
-
- for (i=0; i<num_addrs; i++) {
- sockets[i] = socket(addrs[i].ss_family, SOCK_STREAM, 0);
-- if (sockets[i] < 0)
-+ if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE)
- goto done;
- set_blocking(sockets[i], false);
- }
-@@ -1541,8 +1546,10 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs,
- FD_ZERO(&r_fds);
-
- for (i=0; i<num_addrs; i++) {
-- if (sockets[i] == -1)
-+ if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) {
-+ /* This cannot happen - ignore if so. */
- continue;
-+ }
- FD_SET(sockets[i], &wr_fds);
- FD_SET(sockets[i], &r_fds);
- if (sockets[i]>maxfd)
-diff --git a/source/libaddns/dnssock.c b/source/libaddns/dnssock.c
-index 7c8bd41..f427bd5 100644
---- a/source/libaddns/dnssock.c
-+++ b/source/libaddns/dnssock.c
-@@ -218,7 +218,11 @@ static DNS_ERROR read_all(int fd, uint8 *data, size_t len)
- while (total < len) {
- ssize_t ret;
- int fd_ready;
--
-+
-+ if (fd < 0 || fd >= FD_SETSIZE) {
-+ return ERROR_DNS_SOCKET_ERROR;
-+ }
-+
- FD_ZERO( &rfds );
- FD_SET( fd, &rfds );
-
-diff --git a/source/libsmb/nmblib.c b/source/libsmb/nmblib.c
-index bfe5e7b..768e54d 100644
---- a/source/libsmb/nmblib.c
-+++ b/source/libsmb/nmblib.c
-@@ -1097,6 +1097,11 @@ struct packet_struct *receive_packet(int fd,enum packet_type type,int t)
- struct timeval timeout;
- int ret;
-
-+ if (fd < 0 || fd >= FD_SETSIZE) {
-+ errno = EBADF;
-+ return NULL;
-+ }
-+
- FD_ZERO(&fds);
- FD_SET(fd,&fds);
- timeout.tv_sec = t/1000;
-diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
-index 4b97819..03e5362 100644
---- a/source/nmbd/nmbd_packets.c
-+++ b/source/nmbd/nmbd_packets.c
-@@ -1683,7 +1683,7 @@ static bool create_listen_fdset(fd_set **ppset, int **psock_array, int *listen_n
- for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec))
- count++;
-
-- if((count*2) + 2 > FD_SETSIZE) {
-+ if((count*2) + 2 >= FD_SETSIZE) {
- DEBUG(0,("create_listen_fdset: Too many file descriptors needed (%d). We can \
- only use %d.\n", (count*2) + 2, FD_SETSIZE));
- SAFE_FREE(pset);
-@@ -1699,24 +1699,44 @@ only use %d.\n", (count*2) + 2, FD_SETSIZE));
- FD_ZERO(pset);
-
- /* Add in the broadcast socket on 137. */
-+ if (ClientNMB < 0 || ClientNMB >= FD_SETSIZE) {
-+ errno = EBADF;
-+ SAFE_FREE(pset);
-+ return True;
-+ }
-+
- FD_SET(ClientNMB,pset);
- sock_array[num++] = ClientNMB;
- *maxfd = MAX( *maxfd, ClientNMB);
-
- /* Add in the 137 sockets on all the interfaces. */
- for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
-+ if (subrec->nmb_sock < 0 || subrec->nmb_sock >= FD_SETSIZE) {
-+ /* We have to ignore sockets outside FD_SETSIZE. */
-+ continue;
-+ }
- FD_SET(subrec->nmb_sock,pset);
- sock_array[num++] = subrec->nmb_sock;
- *maxfd = MAX( *maxfd, subrec->nmb_sock);
- }
-
- /* Add in the broadcast socket on 138. */
-+ if (ClientDGRAM < 0 || ClientDGRAM >= FD_SETSIZE) {
-+ errno = EBADF;
-+ SAFE_FREE(pset);
-+ return True;
-+ }
-+
- FD_SET(ClientDGRAM,pset);
- sock_array[num++] = ClientDGRAM;
- *maxfd = MAX( *maxfd, ClientDGRAM);
-
- /* Add in the 138 sockets on all the interfaces. */
- for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
-+ if (subrec->dgram_sock < 0 || subrec->dgram_sock >= FD_SETSIZE) {
-+ /* We have to ignore sockets outside FD_SETSIZE. */
-+ continue;
-+ }
- FD_SET(subrec->dgram_sock,pset);
- sock_array[num++] = subrec->dgram_sock;
- *maxfd = MAX( *maxfd, subrec->dgram_sock);
-@@ -1767,7 +1787,7 @@ bool listen_for_packets(bool run_election)
-
- #ifndef SYNC_DNS
- dns_fd = asyncdns_fd();
-- if (dns_fd != -1) {
-+ if (dns_fd >= 0 && dns_fd < FD_SETSIZE) {
- FD_SET(dns_fd, &r_fds);
- maxfd = MAX( maxfd, dns_fd);
- }
-diff --git a/source/nsswitch/wb_common.c b/source/nsswitch/wb_common.c
-index a164621..4f76bd0 100644
---- a/source/nsswitch/wb_common.c
-+++ b/source/nsswitch/wb_common.c
-@@ -240,6 +240,12 @@ static int winbind_named_pipe_sock(const char *dir)
-
- switch (errno) {
- case EINPROGRESS:
-+
-+ if (fd < 0 || fd >= FD_SETSIZE) {
-+ errno = EBADF;
-+ goto error_out;
-+ }
-+
- FD_ZERO(&w_fds);
- FD_SET(fd, &w_fds);
- tv.tv_sec = CONNECT_TIMEOUT - wait_time;
-@@ -383,7 +389,13 @@ int winbind_write_sock(void *buffer, int count, int recursing, int need_priv)
- while(nwritten < count) {
- struct timeval tv;
- fd_set r_fds;
--
-+
-+ if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) {
-+ errno = EBADF;
-+ winbind_close_sock();
-+ return -1;
-+ }
-+
- /* Catch pipe close on other end by checking if a read()
- call would not block by calling select(). */
-
-@@ -443,7 +455,13 @@ int winbind_read_sock(void *buffer, int count)
- while(nread < count) {
- struct timeval tv;
- fd_set r_fds;
--
-+
-+ if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) {
-+ errno = EBADF;
-+ winbind_close_sock();
-+ return -1;
-+ }
-+
- /* Catch pipe close on other end by checking if a read()
- call would not block by calling select(). */
-
-diff --git a/source/printing/printing.c b/source/printing/printing.c
-index a9272eb..c3b8c61 100644
---- a/source/printing/printing.c
-+++ b/source/printing/printing.c
-@@ -1407,6 +1407,11 @@ void start_background_queue(void)
- exit(1);
- }
-
-+ if (pause_pipe[1] < 0 || pause_pipe[1] >= FD_SETSIZE) {
-+ DEBUG(5,("start_background_queue: pipe fd out of range.\n"));
-+ exit(1);
-+ }
-+
- background_lpq_updater_pid = sys_fork();
-
- if (background_lpq_updater_pid == -1) {
-diff --git a/source/smbd/dnsregister.c b/source/smbd/dnsregister.c
-index f02739e..3c689b9 100644
---- a/source/smbd/dnsregister.c
-+++ b/source/smbd/dnsregister.c
-@@ -125,6 +125,9 @@ void dns_register_smbd(struct dns_reg_state ** dns_state_ptr,
- */
- if (dns_state->srv_ref != NULL) {
- mdnsd_conn_fd = DNSServiceRefSockFD(dns_state->srv_ref);
-+ if (mdnsd_conn_fd < 0 || mdnsd_conn_fd >= FD_SETSIZE) {
-+ return;
-+ }
- FD_SET(mdnsd_conn_fd, listen_set);
- return;
- }
-@@ -156,6 +159,9 @@ void dns_register_smbd(struct dns_reg_state ** dns_state_ptr,
- }
-
- mdnsd_conn_fd = DNSServiceRefSockFD(dns_state->srv_ref);
-+ if (mdnsd_conn_fd < 0 || mdnsd_conn_fd >= FD_SETSIZE) {
-+ return;
-+ }
- FD_SET(mdnsd_conn_fd, listen_set);
- *maxfd = MAX(*maxfd, mdnsd_conn_fd);
- *timeout = timeval_zero();
-diff --git a/source/smbd/oplock.c b/source/smbd/oplock.c
-index a07d05d..5ae3fdf 100644
---- a/source/smbd/oplock.c
-+++ b/source/smbd/oplock.c
-@@ -241,7 +241,10 @@ bool downgrade_oplock(files_struct *fsp)
- int oplock_notify_fd(void)
- {
- if (koplocks) {
-- return koplocks->notification_fd;
-+ int fd = koplocks->notification_fd;
-+ if (fd < 0 || fd >= FD_SETSIZE) {
-+ return -1;
-+ }
- }
-
- return -1;
-diff --git a/source/smbd/oplock_irix.c b/source/smbd/oplock_irix.c
-index 8c287c9..6e86fac 100644
---- a/source/smbd/oplock_irix.c
-+++ b/source/smbd/oplock_irix.c
-@@ -284,6 +284,11 @@ struct kernel_oplocks *irix_init_kernel_oplocks(void)
- return False;
- }
-
-+ if (pfd[0] < 0 || pfd[0] >= FD_SETSIZE) {
-+ DEBUG(0,("setup_kernel_oplock_pipe: fd out of range.\n"));
-+ return False;
-+ }
-+
- oplock_pipe_read = pfd[0];
- oplock_pipe_write = pfd[1];
-
-diff --git a/source/smbd/process.c b/source/smbd/process.c
-index 403c7c6..9b8f29b 100644
---- a/source/smbd/process.c
-+++ b/source/smbd/process.c
-@@ -698,7 +698,7 @@ static void async_processing(fd_set *pfds)
-
- static int select_on_fd(int fd, int maxfd, fd_set *fds)
- {
-- if (fd != -1) {
-+ if (fd != -1 && fd < FD_SETSIZE) {
- FD_SET(fd, fds);
- maxfd = MAX(maxfd, fd);
- }
-diff --git a/source/smbd/server.c b/source/smbd/server.c
-index 5129484..a670334 100644
---- a/source/smbd/server.c
-+++ b/source/smbd/server.c
-@@ -209,7 +209,13 @@ static bool open_sockets_inetd(void)
- /* Started from inetd. fd 0 is the socket. */
- /* We will abort gracefully when the client or remote system
- goes away */
-- smbd_set_server_fd(dup(0));
-+ int fd = dup(0);
-+
-+ if (fd < 0 || fd >= FD_SETSIZE) {
-+ return false;
-+ }
-+
-+ smbd_set_server_fd(fd);
-
- /* close our standard file descriptors */
- close_low_fds(False); /* Don't close stderr */
-@@ -436,7 +442,8 @@ static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_
- num_sockets == 0 ? 0 : 2,
- ifss,
- true);
-- if(s == -1) {
-+ if(s < 0 || s >= FD_SETSIZE) {
-+ close(s);
- continue;
- }
-
-@@ -516,7 +523,7 @@ static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_
- num_sockets == 0 ? 0 : 2,
- &ss,
- true);
-- if (s == -1) {
-+ if (s < 0 || s >= FD_SETSIZE) {
- continue;
- }
-
-@@ -709,6 +716,7 @@ static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_
- struct sockaddr addr;
- socklen_t in_addrlen = sizeof(addr);
- pid_t child = 0;
-+ int fd;
-
- s = -1;
- for(i = 0; i < num_sockets; i++) {
-@@ -721,16 +729,21 @@ static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_
- }
- }
-
-- smbd_set_server_fd(accept(s,&addr,&in_addrlen));
--
-- if (smbd_server_fd() == -1 && errno == EINTR)
-+ fd = accept(s,&addr,&in_addrlen);
-+ if (fd == -1 && errno == EINTR)
- continue;
--
-- if (smbd_server_fd() == -1) {
-+ if (fd == -1) {
- DEBUG(2,("open_sockets_smbd: accept: %s\n",
- strerror(errno)));
- continue;
- }
-+ if (fd < 0 || fd >= FD_SETSIZE) {
-+ DEBUG(2,("open_sockets_smbd: bad fd %d\n",
-+ fd ));
-+ continue;
-+ }
-+
-+ smbd_set_server_fd(fd);
-
- /* Ensure child is set to blocking mode */
- set_blocking(smbd_server_fd(),True);
-diff --git a/source/utils/smbfilter.c b/source/utils/smbfilter.c
-index 1e22a40..45f9207 100644
---- a/source/utils/smbfilter.c
-+++ b/source/utils/smbfilter.c
-@@ -162,8 +162,8 @@ static void filter_child(int c, struct sockaddr_storage *dest_ss)
- int num;
-
- FD_ZERO(&fds);
-- if (s != -1) FD_SET(s, &fds);
-- if (c != -1) FD_SET(c, &fds);
-+ if (s >= 0 && s < FD_SETSIZE) FD_SET(s, &fds);
-+ if (c >= 0 && c < FD_SETSIZE) FD_SET(c, &fds);
-
- num = sys_select_intr(MAX(s+1, c+1),&fds,NULL,NULL,NULL);
- if (num <= 0) continue;
-@@ -235,6 +235,10 @@ static void start_filter(char *desthost)
- struct sockaddr_storage ss;
- socklen_t in_addrlen = sizeof(ss);
-
-+ if (s < 0 || s >= FD_SETSIZE) {
-+ break;
-+ }
-+
- FD_ZERO(&fds);
- FD_SET(s, &fds);
-
-diff --git a/source/winbindd/winbindd.c b/source/winbindd/winbindd.c
-index 1d618e2..6b5c251 100644
---- a/source/winbindd/winbindd.c
-+++ b/source/winbindd/winbindd.c
-@@ -836,7 +836,8 @@ static void process_loop(void)
- listen_sock = open_winbindd_socket();
- listen_priv_sock = open_winbindd_priv_socket();
-
-- if (listen_sock == -1 || listen_priv_sock == -1) {
-+ if (listen_sock < 0 || listen_sock >= FD_SETSIZE ||
-+ listen_priv_sock < 0 || listen_priv_sock >= FD_SETSIZE) {
- perror("open_winbind_socket");
- exit(1);
- }
-@@ -861,6 +862,9 @@ static void process_loop(void)
-
- FD_ZERO(&r_fds);
- FD_ZERO(&w_fds);
-+
-+ /* We check the range for listen_sock and
-+ listen_priv_sock above. */
- FD_SET(listen_sock, &r_fds);
- FD_SET(listen_priv_sock, &r_fds);
-
-@@ -890,6 +894,12 @@ static void process_loop(void)
- }
-
- for (ev = fd_events; ev; ev = ev->next) {
-+ if (ev->fd < 0 || ev->fd >= FD_SETSIZE) {
-+ /* Ignore here - event_add_to_select_args
-+ should make this impossible. */
-+ continue;
-+ }
-+
- if (ev->flags & EVENT_FD_READ) {
- FD_SET(ev->fd, &r_fds);
- maxfd = MAX(ev->fd, maxfd);
-diff --git a/source/winbindd/winbindd_dual.c b/source/winbindd/winbindd_dual.c
-index ff004f2..b30ec20 100644
---- a/source/winbindd/winbindd_dual.c
-+++ b/source/winbindd/winbindd_dual.c
-@@ -1250,6 +1250,12 @@ static bool fork_domain_child(struct winbindd_child *child)
- return False;
- }
-
-+ if (fdpair[0] < 0 || fdpair[0] >= FD_SETSIZE) {
-+ DEBUG(0, ("fork_domain_child: bad fd range (%d)\n", fdpair[0]));
-+ errno = EBADF;
-+ return False;
-+ }
-+
- ZERO_STRUCT(state);
- state.pid = sys_getpid();
-
-@@ -1405,6 +1411,7 @@ static bool fork_domain_child(struct winbindd_child *child)
- message_dispatch(winbind_messaging_context());
-
- FD_ZERO(&read_fds);
-+ /* We check state.sock against FD_SETSIZE above. */
- FD_SET(state.sock, &read_fds);
-
- ret = sys_select(state.sock + 1, &read_fds, NULL, NULL, tp);
---
-1.6.4.2
-