samba: bump to version 3.3.15
authorGustavo Zacarias <gustavo@zacarias.com.ar>
Thu, 28 Jul 2011 20:14:03 +0000 (17:14 -0300)
committerPeter Korsgaard <jacmet@sunsite.dk>
Thu, 4 Aug 2011 19:37:38 +0000 (21:37 +0200)
Bump samba to version 3.3.15 and add security patches for CVE-2011-2522
and CVE-2011-2694.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
package/samba/samba-00CVE-2011-2694.patch [new file with mode: 0644]
package/samba/samba-01CVE-2011-2522.patch [new file with mode: 0644]
package/samba/samba-CVE-2011-0719.patch [deleted file]
package/samba/samba.mk

diff --git a/package/samba/samba-00CVE-2011-2694.patch b/package/samba/samba-00CVE-2011-2694.patch
new file mode 100644 (file)
index 0000000..167accf
--- /dev/null
@@ -0,0 +1,55 @@
+From d401ccaedaec09ad6900ec24ecaf205bed3e3ac1 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Thu, 7 Jul 2011 10:03:33 +0200
+Subject: [PATCH] s3 swat: Fix possible XSS attack (bug #8289)
+
+Nobuhiro Tsuji of NTT DATA SECURITY CORPORATION reported a possible XSS attack
+against SWAT, the Samba Web Administration Tool. The attack uses reflection to
+insert arbitrary content into the "change password" page.
+
+This patch fixes the reflection issue by not printing user-specified content on
+the website anymore.
+
+Signed-off-by: Kai Blin <kai@samba.org>
+
+CVE-2011-2694.
+---
+ source/web/swat.c |   14 ++------------
+ 1 files changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 9c7294a..434b1ac 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -1120,11 +1120,9 @@ static void chg_passwd(void)
+       if(cgi_variable(CHG_S_PASSWD_FLAG)) {
+               printf("<p>");
+               if (rslt == True) {
+-                      printf(_(" The passwd for '%s' has been changed."), cgi_variable_nonull(SWAT_USER));
+-                      printf("\n");
++                      printf("%s\n", _(" The passwd has been changed."));
+               } else {
+-                      printf(_(" The passwd for '%s' has NOT been changed."), cgi_variable_nonull(SWAT_USER));
+-                      printf("\n");
++                      printf("%s\n", _(" The passwd has NOT been changed."));
+               }
+       }
+       
+@@ -1138,14 +1136,6 @@ static void passwd_page(void)
+ {
+       const char *new_name = cgi_user_name();
+-      /* 
+-       * After the first time through here be nice. If the user
+-       * changed the User box text to another users name, remember it.
+-       */
+-      if (cgi_variable(SWAT_USER)) {
+-              new_name = cgi_variable_nonull(SWAT_USER);
+-      } 
+-
+       if (!new_name) new_name = "";
+       printf("<H2>%s</H2>\n", _("Server Password Management"));
+-- 
+1.7.1
+
diff --git a/package/samba/samba-01CVE-2011-2522.patch b/package/samba/samba-01CVE-2011-2522.patch
new file mode 100644 (file)
index 0000000..7d48b55
--- /dev/null
@@ -0,0 +1,749 @@
+From b610e0cee563465c6b970647b215f8ae4d0c6599 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 8 Jul 2011 12:56:21 +0200
+Subject: [PATCH 01/12] s3 swat: Allow getting the user's HTTP auth password
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/cgi.c        |    9 +++++++++
+ source/web/swat_proto.h |    1 +
+ 2 files changed, 10 insertions(+), 0 deletions(-)
+
+diff --git a/source/web/cgi.c b/source/web/cgi.c
+index 72aa11c..ccdc3a7 100644
+--- a/source/web/cgi.c
++++ b/source/web/cgi.c
+@@ -42,6 +42,7 @@ static char *query_string;
+ static const char *baseurl;
+ static char *pathinfo;
+ static char *C_user;
++static char *C_pass;
+ static bool inetd_server;
+ static bool got_request;
+@@ -388,6 +389,7 @@ static bool cgi_handle_authorization(char *line)
+                       
+                       /* Save the users name */
+                       C_user = SMB_STRDUP(user);
++                      C_pass = SMB_STRDUP(user_pass);
+                       TALLOC_FREE(pass);
+                       return True;
+               }
+@@ -422,6 +424,13 @@ char *cgi_user_name(void)
+         return(C_user);
+ }
++/***************************************************************************
++return a ptr to the users password
++  ***************************************************************************/
++char *cgi_user_pass(void)
++{
++        return(C_pass);
++}
+ /***************************************************************************
+ handle a file download
+diff --git a/source/web/swat_proto.h b/source/web/swat_proto.h
+index 0f84e4f..76f9c3c 100644
+--- a/source/web/swat_proto.h
++++ b/source/web/swat_proto.h
+@@ -31,6 +31,7 @@ const char *cgi_variable(const char *name);
+ const char *cgi_variable_nonull(const char *name);
+ bool am_root(void);
+ char *cgi_user_name(void);
++char *cgi_user_pass(void);
+ void cgi_setup(const char *rootdir, int auth_required);
+ const char *cgi_baseurl(void);
+ const char *cgi_pathinfo(void);
+-- 
+1.7.1
+
+
+From 3806fec53dcf3b6e5c3fd71917f9d67d47c65e32 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 8 Jul 2011 12:57:43 +0200
+Subject: [PATCH 02/12] s3 swat: Add support for anti-XSRF token
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/swat.c       |   54 +++++++++++++++++++++++++++++++++++++++++++++++
+ source/web/swat_proto.h |    5 ++++
+ 2 files changed, 59 insertions(+), 0 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 434b1ac..e7d84e5 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -29,6 +29,7 @@
+ #include "includes.h"
+ #include "web/swat_proto.h"
++#include "../lib/crypto/md5.h"
+ static int demo_mode = False;
+ static int passwd_only = False;
+@@ -50,6 +51,7 @@ static int iNumNonAutoPrintServices = 0;
+ #define DISABLE_USER_FLAG "disable_user_flag"
+ #define ENABLE_USER_FLAG "enable_user_flag"
+ #define RHOST "remote_host"
++#define XSRF_TOKEN "xsrf"
+ #define _(x) lang_msg_rotate(talloc_tos(),x)
+@@ -138,6 +140,58 @@ static char *make_parm_name(const char *label)
+       return parmname;
+ }
++void get_xsrf_token(const char *username, const char *pass,
++                  const char *formname, char token_str[33])
++{
++      struct MD5Context md5_ctx;
++      uint8_t token[16];
++      int i;
++
++      token_str[0] = '\0';
++      ZERO_STRUCT(md5_ctx);
++      MD5Init(&md5_ctx);
++
++      MD5Update(&md5_ctx, (uint8_t *)formname, strlen(formname));
++      if (username != NULL) {
++              MD5Update(&md5_ctx, (uint8_t *)username, strlen(username));
++      }
++      if (pass != NULL) {
++              MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
++      }
++
++      MD5Final(token, &md5_ctx);
++
++      for(i = 0; i < sizeof(token); i++) {
++              char tmp[3];
++
++              snprintf(tmp, sizeof(tmp), "%02x", token[i]);
++              strncat(token_str, tmp, sizeof(tmp));
++      }
++}
++
++void print_xsrf_token(const char *username, const char *pass,
++                    const char *formname)
++{
++      char token[33];
++
++      get_xsrf_token(username, pass, formname, token);
++      printf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
++             XSRF_TOKEN, token);
++
++}
++
++bool verify_xsrf_token(const char *formname)
++{
++      char expected[33];
++      const char *username = cgi_user_name();
++      const char *pass = cgi_user_pass();
++      const char *token = cgi_variable_nonull(XSRF_TOKEN);
++
++      get_xsrf_token(username, pass, formname, expected);
++      return (strncmp(expected, token, sizeof(expected)) == 0);
++}
++
++
+ /****************************************************************************
+   include a lump of html in a page 
+ ****************************************************************************/
+diff --git a/source/web/swat_proto.h b/source/web/swat_proto.h
+index 76f9c3c..e66c942 100644
+--- a/source/web/swat_proto.h
++++ b/source/web/swat_proto.h
+@@ -67,5 +67,10 @@ void status_page(void);
+ /* The following definitions come from web/swat.c  */
+ const char *lang_msg_rotate(TALLOC_CTX *ctx, const char *msgid);
++void get_xsrf_token(const char *username, const char *pass,
++                  const char *formname, char token_str[33]);
++void print_xsrf_token(const char *username, const char *pass,
++                    const char *formname);
++bool verify_xsrf_token(const char *formname);
+ #endif /*  _SWAT_PROTO_H_  */
+-- 
+1.7.1
+
+
+From 3f38cf42facc38c19e0448cbae3078b9606b08e4 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 8 Jul 2011 12:58:53 +0200
+Subject: [PATCH 03/12] s3 swat: Add XSRF protection to status page
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/statuspage.c |    7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/source/web/statuspage.c b/source/web/statuspage.c
+index 8070ae7..fe545e4 100644
+--- a/source/web/statuspage.c
++++ b/source/web/statuspage.c
+@@ -247,9 +247,14 @@ void status_page(void)
+       int nr_running=0;
+       bool waitup = False;
+       TALLOC_CTX *ctx = talloc_stackframe();
++      const char form_name[] = "status";
+       smbd_pid = pid_to_procid(pidfile_pid("smbd"));
++      if (!verify_xsrf_token(form_name)) {
++              goto output_page;
++      }
++
+       if (cgi_variable("smbd_restart") || cgi_variable("all_restart")) {
+               stop_smbd();
+               start_smbd();
+@@ -326,9 +331,11 @@ void status_page(void)
+       initPid2Machine ();
++output_page:
+       printf("<H2>%s</H2>\n", _("Server Status"));
+       printf("<FORM method=post>\n");
++      print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+       if (!autorefresh) {
+               printf("<input type=submit value=\"%s\" name=\"autorefresh\">\n", _("Auto Refresh"));
+-- 
+1.7.1
+
+
+From ba996f0ae87f6bf4f19a4918e44dbd6d44a96561 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 8 Jul 2011 15:02:53 +0200
+Subject: [PATCH 04/12] s3 swat: Add XSRF protection to viewconfig page
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/swat.c |    7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index e7d84e5..647126f 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -664,13 +664,20 @@ static void welcome_page(void)
+ static void viewconfig_page(void)
+ {
+       int full_view=0;
++      const char form_name[] = "viewconfig";
++
++      if (!verify_xsrf_token(form_name)) {
++              goto output_page;
++      }
+       if (cgi_variable("full_view")) {
+               full_view = 1;
+       }
++output_page:
+       printf("<H2>%s</H2>\n", _("Current Config"));
+       printf("<form method=post>\n");
++      print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+       if (full_view) {
+               printf("<input type=submit name=\"normal_view\" value=\"%s\">\n", _("Normal View"));
+-- 
+1.7.1
+
+
+From 94f8482607a175c44436fae456fbda3624629982 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 8 Jul 2011 15:03:15 +0200
+Subject: [PATCH 05/12] s3 swat: Add XSRF protection to wizard_params page
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/swat.c |    7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 647126f..b7eec4a 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -697,18 +697,25 @@ output_page:
+ static void wizard_params_page(void)
+ {
+       unsigned int parm_filter = FLAG_WIZARD;
++      const char form_name[] = "wizard_params";
+       /* Here we first set and commit all the parameters that were selected
+          in the previous screen. */
+       printf("<H2>%s</H2>\n", _("Wizard Parameter Edit Page"));
++      if (!verify_xsrf_token(form_name)) {
++              goto output_page;
++      }
++
+       if (cgi_variable("Commit")) {
+               commit_parameters(GLOBAL_SECTION_SNUM);
+               save_reload(0);
+       }
++output_page:
+       printf("<form name=\"swatform\" method=post action=wizard_params>\n");
++      print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+       if (have_write_access) {
+               printf("<input type=submit name=\"Commit\" value=\"Commit Changes\">\n");
+-- 
+1.7.1
+
+
+From eb22fd73060534700d514ec295985549131c7569 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 8 Jul 2011 15:03:44 +0200
+Subject: [PATCH 06/12] s3 swat: Add XSRF protection to wizard page
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/swat.c |    9 ++++++++-
+ 1 files changed, 8 insertions(+), 1 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index b7eec4a..b6e0c0f 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -751,6 +751,11 @@ static void wizard_page(void)
+       int have_home = -1;
+       int HomeExpo = 0;
+       int SerType = 0;
++      const char form_name[] = "wizard";
++
++      if (!verify_xsrf_token(form_name)) {
++              goto output_page;
++      }
+       if (cgi_variable("Rewrite")) {
+               (void) rewritecfg_file();
+@@ -841,10 +846,12 @@ static void wizard_page(void)
+               winstype = 3;
+       role = lp_server_role();
+-      
++
++output_page:
+       /* Here we go ... */
+       printf("<H2>%s</H2>\n", _("Samba Configuration Wizard"));
+       printf("<form method=post action=wizard>\n");
++      print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+       if (have_write_access) {
+               printf("%s\n", _("The \"Rewrite smb.conf file\" button will clear the smb.conf file of all default values and of comments."));
+-- 
+1.7.1
+
+
+From 8fb3064eeaa3640af6c8b91aa5859d8bfb6d0888 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 8 Jul 2011 15:04:12 +0200
+Subject: [PATCH 07/12] s3 swat: Add XSRF protection to globals page
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/swat.c |    7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index b6e0c0f..5d11685 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -920,9 +920,14 @@ static void globals_page(void)
+ {
+       unsigned int parm_filter = FLAG_BASIC;
+       int mode = 0;
++      const char form_name[] = "globals";
+       printf("<H2>%s</H2>\n", _("Global Parameters"));
++      if (!verify_xsrf_token(form_name)) {
++              goto output_page;
++      }
++
+       if (cgi_variable("Commit")) {
+               commit_parameters(GLOBAL_SECTION_SNUM);
+               save_reload(0);
+@@ -935,7 +940,9 @@ static void globals_page(void)
+       if ( cgi_variable("AdvMode"))
+               mode = 1;
++output_page:
+       printf("<form name=\"swatform\" method=post action=globals>\n");
++      print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+       ViewModeBoxes( mode );
+       switch ( mode ) {
+-- 
+1.7.1
+
+
+From ef457a20422cfa8231e25b539d2cd87f299686b9 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 8 Jul 2011 15:04:48 +0200
+Subject: [PATCH 08/12] s3 swat: Add XSRF protection to shares page
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/swat.c |   18 +++++++++++++-----
+ 1 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 5d11685..4544c31 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -982,11 +982,17 @@ static void shares_page(void)
+       int mode = 0;
+       unsigned int parm_filter = FLAG_BASIC;
+       size_t converted_size;
++      const char form_name[] = "shares";
++
++      printf("<H2>%s</H2>\n", _("Share Parameters"));
++
++      if (!verify_xsrf_token(form_name)) {
++              goto output_page;
++      }
+       if (share)
+               snum = lp_servicenumber(share);
+-      printf("<H2>%s</H2>\n", _("Share Parameters"));
+       if (cgi_variable("Commit") && snum >= 0) {
+               commit_parameters(snum);
+@@ -1012,10 +1018,6 @@ static void shares_page(void)
+               }
+       }
+-      printf("<FORM name=\"swatform\" method=post>\n");
+-
+-      printf("<table>\n");
+-
+       if ( cgi_variable("ViewMode") )
+               mode = atoi(cgi_variable_nonull("ViewMode"));
+       if ( cgi_variable("BasicMode"))
+@@ -1023,6 +1025,12 @@ static void shares_page(void)
+       if ( cgi_variable("AdvMode"))
+               mode = 1;
++output_page:
++      printf("<FORM name=\"swatform\" method=post>\n");
++      print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
++
++      printf("<table>\n");
++
+       ViewModeBoxes( mode );
+       switch ( mode ) {
+               case 0:
+-- 
+1.7.1
+
+
+From 4850456845d2da5e3451716a5ad4ca0ef034e01f Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 8 Jul 2011 15:05:38 +0200
+Subject: [PATCH 09/12] s3 swat: Add XSRF protection to password page
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/swat.c |   11 ++++++++---
+ 1 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 4544c31..5242484 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -1225,12 +1225,15 @@ static void chg_passwd(void)
+ static void passwd_page(void)
+ {
+       const char *new_name = cgi_user_name();
++      const char passwd_form[] = "passwd";
++      const char rpasswd_form[] = "rpasswd";
+       if (!new_name) new_name = "";
+       printf("<H2>%s</H2>\n", _("Server Password Management"));
+       printf("<FORM name=\"swatform\" method=post>\n");
++      print_xsrf_token(cgi_user_name(), cgi_user_pass(), passwd_form);
+       printf("<table>\n");
+@@ -1270,14 +1273,16 @@ static void passwd_page(void)
+        * Do some work if change, add, disable or enable was
+        * requested. It could be this is the first time through this
+        * code, so there isn't anything to do.  */
+-      if ((cgi_variable(CHG_S_PASSWD_FLAG)) || (cgi_variable(ADD_USER_FLAG)) || (cgi_variable(DELETE_USER_FLAG)) ||
+-          (cgi_variable(DISABLE_USER_FLAG)) || (cgi_variable(ENABLE_USER_FLAG))) {
++      if (verify_xsrf_token(passwd_form) &&
++         ((cgi_variable(CHG_S_PASSWD_FLAG)) || (cgi_variable(ADD_USER_FLAG)) || (cgi_variable(DELETE_USER_FLAG)) ||
++          (cgi_variable(DISABLE_USER_FLAG)) || (cgi_variable(ENABLE_USER_FLAG)))) {
+               chg_passwd();           
+       }
+       printf("<H2>%s</H2>\n", _("Client/Server Password Management"));
+       printf("<FORM name=\"swatform\" method=post>\n");
++      print_xsrf_token(cgi_user_name(), cgi_user_pass(), rpasswd_form);
+       printf("<table>\n");
+@@ -1310,7 +1315,7 @@ static void passwd_page(void)
+        * password somewhere other than the server. It could be this
+        * is the first time through this code, so there isn't
+        * anything to do.  */
+-      if (cgi_variable(CHG_R_PASSWD_FLAG)) {
++      if (verify_xsrf_token(passwd_form) && cgi_variable(CHG_R_PASSWD_FLAG)) {
+               chg_passwd();           
+       }
+-- 
+1.7.1
+
+
+From 407ae61fbfc8ee1643a4db8ea9b104f031b32e0f Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 8 Jul 2011 15:06:13 +0200
+Subject: [PATCH 10/12] s3 swat: Add XSRF protection to printer page
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/swat.c |   28 ++++++++++++++++++----------
+ 1 files changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 5242484..4582a63 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -1332,18 +1332,15 @@ static void printers_page(void)
+       int i;
+       int mode = 0;
+       unsigned int parm_filter = FLAG_BASIC;
++      const char form_name[] = "printers";
++
++      if (!verify_xsrf_token(form_name)) {
++              goto output_page;
++      }
+       if (share)
+               snum = lp_servicenumber(share);
+-        printf("<H2>%s</H2>\n", _("Printer Parameters"));
+- 
+-        printf("<H3>%s</H3>\n", _("Important Note:"));
+-        printf("%s",_("Printer names marked with [*] in the Choose Printer drop-down box "));
+-        printf("%s",_("are autoloaded printers from "));
+-        printf("<A HREF=\"/swat/help/smb.conf.5.html#printcapname\" target=\"docs\">%s</A>\n", _("Printcap Name"));
+-        printf("%s\n", _("Attempting to delete these printers from SWAT will have no effect."));
+-
+       if (cgi_variable("Commit") && snum >= 0) {
+               commit_parameters(snum);
+               if (snum >= iNumNonAutoPrintServices)
+@@ -1372,8 +1369,6 @@ static void printers_page(void)
+               }
+       }
+-      printf("<FORM name=\"swatform\" method=post>\n");
+-
+       if ( cgi_variable("ViewMode") )
+               mode = atoi(cgi_variable_nonull("ViewMode"));
+         if ( cgi_variable("BasicMode"))
+@@ -1381,6 +1376,19 @@ static void printers_page(void)
+         if ( cgi_variable("AdvMode"))
+                 mode = 1;
++output_page:
++        printf("<H2>%s</H2>\n", _("Printer Parameters"));
++
++        printf("<H3>%s</H3>\n", _("Important Note:"));
++        printf("%s",_("Printer names marked with [*] in the Choose Printer drop-down box "));
++        printf("%s",_("are autoloaded printers from "));
++        printf("<A HREF=\"/swat/help/smb.conf.5.html#printcapname\" target=\"docs\">%s</A>\n", _("Printcap Name"));
++        printf("%s\n", _("Attempting to delete these printers from SWAT will have no effect."));
++
++
++      printf("<FORM name=\"swatform\" method=post>\n");
++      print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
++
+       ViewModeBoxes( mode );
+       switch ( mode ) {
+               case 0:
+-- 
+1.7.1
+
+
+From 11e281228f334bf3d384df5655136f0b4b4068aa Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Sat, 9 Jul 2011 09:52:07 +0200
+Subject: [PATCH 11/12] s3 swat: Add time component to XSRF token
+
+Signed-off-by: Kai Blin <kai@samba.org>
+---
+ source/web/swat.c       |   28 ++++++++++++++++++++++++----
+ source/web/swat_proto.h |    2 +-
+ 2 files changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 4582a63..50df66e 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -52,6 +52,8 @@ static int iNumNonAutoPrintServices = 0;
+ #define ENABLE_USER_FLAG "enable_user_flag"
+ #define RHOST "remote_host"
+ #define XSRF_TOKEN "xsrf"
++#define XSRF_TIME "xsrf_time"
++#define XSRF_TIMEOUT 300
+ #define _(x) lang_msg_rotate(talloc_tos(),x)
+@@ -141,7 +143,7 @@ static char *make_parm_name(const char *label)
+ }
+ void get_xsrf_token(const char *username, const char *pass,
+-                  const char *formname, char token_str[33])
++                  const char *formname, time_t xsrf_time, char token_str[33])
+ {
+       struct MD5Context md5_ctx;
+       uint8_t token[16];
+@@ -152,6 +154,7 @@ void get_xsrf_token(const char *username, const char *pass,
+       MD5Init(&md5_ctx);
+       MD5Update(&md5_ctx, (uint8_t *)formname, strlen(formname));
++      MD5Update(&md5_ctx, (uint8_t *)&xsrf_time, sizeof(time_t));
+       if (username != NULL) {
+               MD5Update(&md5_ctx, (uint8_t *)username, strlen(username));
+       }
+@@ -173,11 +176,13 @@ void print_xsrf_token(const char *username, const char *pass,
+                     const char *formname)
+ {
+       char token[33];
++      time_t xsrf_time = time(NULL);
+-      get_xsrf_token(username, pass, formname, token);
++      get_xsrf_token(username, pass, formname, xsrf_time, token);
+       printf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
+              XSRF_TOKEN, token);
+-
++      printf("<input type=\"hidden\" name=\"%s\" value=\"%lld\">\n",
++             XSRF_TIME, (long long int)xsrf_time);
+ }
+ bool verify_xsrf_token(const char *formname)
+@@ -186,8 +191,23 @@ bool verify_xsrf_token(const char *formname)
+       const char *username = cgi_user_name();
+       const char *pass = cgi_user_pass();
+       const char *token = cgi_variable_nonull(XSRF_TOKEN);
++      const char *time_str = cgi_variable_nonull(XSRF_TIME);
++      time_t xsrf_time = 0;
++      time_t now = time(NULL);
++
++      if (sizeof(time_t) == sizeof(int)) {
++              xsrf_time = atoi(time_str);
++      } else if (sizeof(time_t) == sizeof(long)) {
++              xsrf_time = atol(time_str);
++      } else if (sizeof(time_t) == sizeof(long long)) {
++              xsrf_time = atoll(time_str);
++      }
++
++      if (abs(now - xsrf_time) > XSRF_TIMEOUT) {
++              return false;
++      }
+-      get_xsrf_token(username, pass, formname, expected);
++      get_xsrf_token(username, pass, formname, xsrf_time, expected);
+       return (strncmp(expected, token, sizeof(expected)) == 0);
+ }
+diff --git a/source/web/swat_proto.h b/source/web/swat_proto.h
+index e66c942..424a3af 100644
+--- a/source/web/swat_proto.h
++++ b/source/web/swat_proto.h
+@@ -68,7 +68,7 @@ void status_page(void);
+ const char *lang_msg_rotate(TALLOC_CTX *ctx, const char *msgid);
+ void get_xsrf_token(const char *username, const char *pass,
+-                  const char *formname, char token_str[33]);
++                  const char *formname, time_t xsrf_time, char token_str[33]);
+ void print_xsrf_token(const char *username, const char *pass,
+                     const char *formname);
+ bool verify_xsrf_token(const char *formname);
+-- 
+1.7.1
+
+
+From 3973cfa50024983618a44ffdb9f756b642b85be7 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Tue, 12 Jul 2011 08:08:24 +0200
+Subject: [PATCH 12/12] s3 swat: Create random nonce in CGI mode
+
+In CGI mode, we don't get access to the user's password, which would
+reduce the hash used so far to parameters an attacker can easily guess.
+To work around this, read the nonce from secrets.tdb or generate one if
+it's not there.
+Also populate the C_user field so we can use that for token creation.
+
+Signed-off-by: Kai Blin <kai@samba.org>
+
+The last 12 patches address bug #8290 (CSRF vulnerability in SWAT).
+This addresses CVE-2011-2522 (Cross-Site Request Forgery in SWAT).
+---
+ source/web/cgi.c  |   18 +++++++++++++++++-
+ source/web/swat.c |    1 -
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/source/web/cgi.c b/source/web/cgi.c
+index ccdc3a7..890ac8e 100644
+--- a/source/web/cgi.c
++++ b/source/web/cgi.c
+@@ -19,6 +19,7 @@
+ #include "includes.h"
+ #include "web/swat_proto.h"
++#include "secrets.h"
+ #define MAX_VARIABLES 10000
+@@ -321,7 +322,22 @@ static void cgi_web_auth(void)
+               exit(0);
+       }
+-      setuid(0);
++      C_user = SMB_STRDUP(user);
++
++      if (!setuid(0)) {
++              C_pass = secrets_fetch_generic("root", "SWAT");
++              if (C_pass == NULL) {
++                      char *tmp_pass = NULL;
++                      tmp_pass = generate_random_str(16);
++                      if (tmp_pass == NULL) {
++                              printf("%sFailed to create random nonce for "
++                                     "SWAT session\n<br>%s\n", head, tail);
++                              exit(0);
++                      }
++                      secrets_store_generic("root", "SWAT", tmp_pass);
++                      C_pass = SMB_STRDUP(tmp_pass);
++              }
++      }
+       setuid(pwd->pw_uid);
+       if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
+               printf("%sFailed to become user %s - uid=%d/%d<br>%s\n", 
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 50df66e..146f1cf 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -29,7 +29,6 @@
+ #include "includes.h"
+ #include "web/swat_proto.h"
+-#include "../lib/crypto/md5.h"
+ static int demo_mode = False;
+ static int passwd_only = False;
+-- 
+1.7.1
+
diff --git a/package/samba/samba-CVE-2011-0719.patch b/package/samba/samba-CVE-2011-0719.patch
deleted file mode 100644 (file)
index 1cb8580..0000000
+++ /dev/null
@@ -1,613 +0,0 @@
-From 724e44eed299c618066dec411530aa9f156119ec Mon Sep 17 00:00:00 2001
-From: Karolin Seeger <kseeger@samba.org>
-Date: Sun, 27 Feb 2011 18:28:29 +0100
-Subject: [PATCH] Fix denial of service - memory corruption.
-
-CVE-2011-0719
-
-Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).
-
-All current released versions of Samba are vulnerable to
-a denial of service caused by memory corruption. Range
-checks on file descriptors being used in the FD_SET macro
-were not present allowing stack corruption. This can cause
-the Samba code to crash or to loop attempting to select
-on a bad file descriptor set.
-
-A connection to a file share, or a local account is needed
-to exploit this problem, either authenticated or unauthenticated
-(guest connection).
-
-Currently we do not believe this flaw is exploitable
-beyond a crash or causing the code to loop, but on the
-advice of our security reviewers we are releasing fixes
-in case an exploit is discovered at a later date.
----
- source/client/client.c          |    4 +++-
- source/client/dnsbrowse.c       |   12 ++++++++++++
- source/lib/events.c             |   13 +++++++++++++
- source/lib/packet.c             |    5 +++++
- source/lib/readline.c           |    5 +++++
- source/lib/select.c             |    6 ++++++
- source/lib/util_sock.c          |   11 +++++++++--
- source/libaddns/dnssock.c       |    6 +++++-
- source/libsmb/nmblib.c          |    5 +++++
- source/nmbd/nmbd_packets.c      |   24 ++++++++++++++++++++++--
- source/nsswitch/wb_common.c     |   22 ++++++++++++++++++++--
- source/printing/printing.c      |    5 +++++
- source/smbd/dnsregister.c       |    6 ++++++
- source/smbd/oplock.c            |    5 ++++-
- source/smbd/oplock_irix.c       |    5 +++++
- source/smbd/process.c           |    2 +-
- source/smbd/server.c            |   29 +++++++++++++++++++++--------
- source/utils/smbfilter.c        |    8 ++++++--
- source/winbindd/winbindd.c      |   12 +++++++++++-
- source/winbindd/winbindd_dual.c |    7 +++++++
- 20 files changed, 171 insertions(+), 21 deletions(-)
-
-diff --git a/source/client/client.c b/source/client/client.c
-index 53bd9e6..a989441 100644
---- a/source/client/client.c
-+++ b/source/client/client.c
-@@ -4379,8 +4379,10 @@ static void readline_callback(void)
-  again:
--      if (cli->fd == -1)
-+      if (cli->fd < 0 || cli->fd >= FD_SETSIZE) {
-+              errno = EBADF;
-               return;
-+      }
-       FD_ZERO(&fds);
-       FD_SET(cli->fd,&fds);
-diff --git a/source/client/dnsbrowse.c b/source/client/dnsbrowse.c
-index 5e3a4de..aa2fb22 100644
---- a/source/client/dnsbrowse.c
-+++ b/source/client/dnsbrowse.c
-@@ -81,6 +81,11 @@ static void do_smb_resolve(struct mdns_smbsrv_result *browsesrv)
-                       TALLOC_FREE(fdset);
-               }
-+              if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) {
-+                      errno = EBADF;
-+                      break;
-+              }
-+
-               fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask);
-               fdset = TALLOC_ZERO(ctx, fdsetsz);
-               FD_SET(mdnsfd, fdset);
-@@ -183,6 +188,13 @@ int do_smb_browse(void)
-               fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask);
-               fdset = TALLOC_ZERO(ctx, fdsetsz);
-+
-+              if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) {
-+                      errno = EBADF;
-+                      TALLOC_FREE(ctx);
-+                      return 1;
-+              }
-+
-               FD_SET(mdnsfd, fdset);
-               tv.tv_sec = 1;
-diff --git a/source/lib/events.c b/source/lib/events.c
-index cd20ceb..2ddbab7 100644
---- a/source/lib/events.c
-+++ b/source/lib/events.c
-@@ -140,6 +140,11 @@ struct fd_event *event_add_fd(struct event_context *event_ctx,
- {
-       struct fd_event *fde;
-+      if (fd < 0 || fd >= FD_SETSIZE) {
-+              errno = EBADF;
-+              return NULL;
-+      }
-+
-       if (!(fde = TALLOC_P(mem_ctx, struct fd_event))) {
-               return NULL;
-       }
-@@ -190,6 +195,14 @@ bool event_add_to_select_args(struct event_context *event_ctx,
-       bool ret = False;
-       for (fde = event_ctx->fd_events; fde; fde = fde->next) {
-+              if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
-+                      /* We ignore here, as it shouldn't be
-+                         possible to add an invalid fde->fd
-+                         but we don't want FD_SET to see an
-+                         invalid fd. */
-+                      continue;
-+              }
-+
-               if (fde->flags & EVENT_FD_READ) {
-                       FD_SET(fde->fd, read_fds);
-                       ret = True;
-diff --git a/source/lib/packet.c b/source/lib/packet.c
-index e048616..512c7f2 100644
---- a/source/lib/packet.c
-+++ b/source/lib/packet.c
-@@ -106,6 +106,11 @@ NTSTATUS packet_fd_read_sync(struct packet_context *ctx)
-       int res;
-       fd_set r_fds;
-+      if (ctx->fd < 0 || ctx->fd >= FD_SETSIZE) {
-+              errno = EBADF;
-+              return map_nt_error_from_unix(errno);
-+      }
-+
-       FD_ZERO(&r_fds);
-       FD_SET(ctx->fd, &r_fds);
-diff --git a/source/lib/readline.c b/source/lib/readline.c
-index 34867aa..70a82f2 100644
---- a/source/lib/readline.c
-+++ b/source/lib/readline.c
-@@ -91,6 +91,11 @@ static char *smb_readline_replacement(const char *prompt, void (*callback)(void)
-               timeout.tv_sec = 5;
-               timeout.tv_usec = 0;
-+              if (fd < 0 || fd >= FD_SETSIZE) {
-+                      errno = EBADF;
-+                      break;
-+              }
-+
-               FD_ZERO(&fds);
-               FD_SET(fd,&fds);
-diff --git a/source/lib/select.c b/source/lib/select.c
-index c3da6a9..2d5f02c 100644
---- a/source/lib/select.c
-+++ b/source/lib/select.c
-@@ -61,6 +61,11 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s
-               if (pipe(select_pipe) == -1)
-                       smb_panic("Could not create select pipe");
-+              if (select_pipe[0] < 0 || select_pipe[0] >= FD_SETSIZE) {
-+                      errno = EBADF;
-+                      return -1;
-+              }
-+
-               /*
-                * These next two lines seem to fix a bug with the Linux
-                * 2.0.x kernel (and probably other UNIXes as well) where
-@@ -87,6 +92,7 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s
-               readfds2 = &readfds_buf;
-               FD_ZERO(readfds2);
-       }
-+
-       FD_SET(select_pipe[0], readfds2);
-       errno = 0;
-diff --git a/source/lib/util_sock.c b/source/lib/util_sock.c
-index 650bd13..8aa2c97 100644
---- a/source/lib/util_sock.c
-+++ b/source/lib/util_sock.c
-@@ -960,6 +960,11 @@ NTSTATUS read_socket_with_timeout(int fd, char *buf,
-       timeout.tv_usec = (long)(1000 * (time_out % 1000));
-       for (nread=0; nread < mincnt; ) {
-+              if (fd < 0 || fd >= FD_SETSIZE) {
-+                      errno = EBADF;
-+                      return map_nt_error_from_unix(EBADF);
-+              }
-+
-               FD_ZERO(&fds);
-               FD_SET(fd,&fds);
-@@ -1492,7 +1497,7 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs,
-       for (i=0; i<num_addrs; i++) {
-               sockets[i] = socket(addrs[i].ss_family, SOCK_STREAM, 0);
--              if (sockets[i] < 0)
-+              if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE)
-                       goto done;
-               set_blocking(sockets[i], false);
-       }
-@@ -1541,8 +1546,10 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs,
-       FD_ZERO(&r_fds);
-       for (i=0; i<num_addrs; i++) {
--              if (sockets[i] == -1)
-+              if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) {
-+                      /* This cannot happen - ignore if so. */
-                       continue;
-+              }
-               FD_SET(sockets[i], &wr_fds);
-               FD_SET(sockets[i], &r_fds);
-               if (sockets[i]>maxfd)
-diff --git a/source/libaddns/dnssock.c b/source/libaddns/dnssock.c
-index 7c8bd41..f427bd5 100644
---- a/source/libaddns/dnssock.c
-+++ b/source/libaddns/dnssock.c
-@@ -218,7 +218,11 @@ static DNS_ERROR read_all(int fd, uint8 *data, size_t len)
-       while (total < len) {
-               ssize_t ret;
-               int fd_ready;
--              
-+
-+              if (fd < 0 || fd >= FD_SETSIZE) {
-+                      return ERROR_DNS_SOCKET_ERROR;
-+              }
-+
-               FD_ZERO( &rfds );
-               FD_SET( fd, &rfds );
-diff --git a/source/libsmb/nmblib.c b/source/libsmb/nmblib.c
-index bfe5e7b..768e54d 100644
---- a/source/libsmb/nmblib.c
-+++ b/source/libsmb/nmblib.c
-@@ -1097,6 +1097,11 @@ struct packet_struct *receive_packet(int fd,enum packet_type type,int t)
-       struct timeval timeout;
-       int ret;
-+      if (fd < 0 || fd >= FD_SETSIZE) {
-+              errno = EBADF;
-+              return NULL;
-+      }
-+
-       FD_ZERO(&fds);
-       FD_SET(fd,&fds);
-       timeout.tv_sec = t/1000;
-diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
-index 4b97819..03e5362 100644
---- a/source/nmbd/nmbd_packets.c
-+++ b/source/nmbd/nmbd_packets.c
-@@ -1683,7 +1683,7 @@ static bool create_listen_fdset(fd_set **ppset, int **psock_array, int *listen_n
-       for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec))
-               count++;
--      if((count*2) + 2 > FD_SETSIZE) {
-+      if((count*2) + 2 >= FD_SETSIZE) {
-               DEBUG(0,("create_listen_fdset: Too many file descriptors needed (%d). We can \
- only use %d.\n", (count*2) + 2, FD_SETSIZE));
-               SAFE_FREE(pset);
-@@ -1699,24 +1699,44 @@ only use %d.\n", (count*2) + 2, FD_SETSIZE));
-       FD_ZERO(pset);
-       /* Add in the broadcast socket on 137. */
-+      if (ClientNMB < 0 || ClientNMB >= FD_SETSIZE) {
-+              errno = EBADF;
-+              SAFE_FREE(pset);
-+              return True;
-+      }
-+
-       FD_SET(ClientNMB,pset);
-       sock_array[num++] = ClientNMB;
-       *maxfd = MAX( *maxfd, ClientNMB);
-       /* Add in the 137 sockets on all the interfaces. */
-       for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
-+              if (subrec->nmb_sock < 0 || subrec->nmb_sock >= FD_SETSIZE) {
-+                      /* We have to ignore sockets outside FD_SETSIZE. */
-+                      continue;
-+              }
-               FD_SET(subrec->nmb_sock,pset);
-               sock_array[num++] = subrec->nmb_sock;
-               *maxfd = MAX( *maxfd, subrec->nmb_sock);
-       }
-       /* Add in the broadcast socket on 138. */
-+      if (ClientDGRAM < 0 || ClientDGRAM >= FD_SETSIZE) {
-+              errno = EBADF;
-+              SAFE_FREE(pset);
-+              return True;
-+      }
-+
-       FD_SET(ClientDGRAM,pset);
-       sock_array[num++] = ClientDGRAM;
-       *maxfd = MAX( *maxfd, ClientDGRAM);
-       /* Add in the 138 sockets on all the interfaces. */
-       for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
-+              if (subrec->dgram_sock < 0 || subrec->dgram_sock >= FD_SETSIZE) {
-+                      /* We have to ignore sockets outside FD_SETSIZE. */
-+                      continue;
-+              }
-               FD_SET(subrec->dgram_sock,pset);
-               sock_array[num++] = subrec->dgram_sock;
-               *maxfd = MAX( *maxfd, subrec->dgram_sock);
-@@ -1767,7 +1787,7 @@ bool listen_for_packets(bool run_election)
- #ifndef SYNC_DNS
-       dns_fd = asyncdns_fd();
--      if (dns_fd != -1) {
-+      if (dns_fd >= 0 && dns_fd < FD_SETSIZE) {
-               FD_SET(dns_fd, &r_fds);
-               maxfd = MAX( maxfd, dns_fd);
-       }
-diff --git a/source/nsswitch/wb_common.c b/source/nsswitch/wb_common.c
-index a164621..4f76bd0 100644
---- a/source/nsswitch/wb_common.c
-+++ b/source/nsswitch/wb_common.c
-@@ -240,6 +240,12 @@ static int winbind_named_pipe_sock(const char *dir)
-               switch (errno) {
-                       case EINPROGRESS:
-+
-+                              if (fd < 0 || fd >= FD_SETSIZE) {
-+                                      errno = EBADF;
-+                                      goto error_out;
-+                              }
-+
-                               FD_ZERO(&w_fds);
-                               FD_SET(fd, &w_fds);
-                               tv.tv_sec = CONNECT_TIMEOUT - wait_time;
-@@ -383,7 +389,13 @@ int winbind_write_sock(void *buffer, int count, int recursing, int need_priv)
-       while(nwritten < count) {
-               struct timeval tv;
-               fd_set r_fds;
--              
-+
-+              if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) {
-+                      errno = EBADF;
-+                      winbind_close_sock();
-+                      return -1;
-+              }
-+
-               /* Catch pipe close on other end by checking if a read()
-                  call would not block by calling select(). */
-@@ -443,7 +455,13 @@ int winbind_read_sock(void *buffer, int count)
-       while(nread < count) {
-               struct timeval tv;
-               fd_set r_fds;
--              
-+
-+              if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) {
-+                      errno = EBADF;
-+                      winbind_close_sock();
-+                      return -1;
-+              }
-+
-               /* Catch pipe close on other end by checking if a read()
-                  call would not block by calling select(). */
-diff --git a/source/printing/printing.c b/source/printing/printing.c
-index a9272eb..c3b8c61 100644
---- a/source/printing/printing.c
-+++ b/source/printing/printing.c
-@@ -1407,6 +1407,11 @@ void start_background_queue(void)
-               exit(1);
-       }
-+      if (pause_pipe[1] < 0 || pause_pipe[1] >= FD_SETSIZE) {
-+              DEBUG(5,("start_background_queue: pipe fd out of range.\n"));
-+              exit(1);
-+      }
-+
-       background_lpq_updater_pid = sys_fork();
-       if (background_lpq_updater_pid == -1) {
-diff --git a/source/smbd/dnsregister.c b/source/smbd/dnsregister.c
-index f02739e..3c689b9 100644
---- a/source/smbd/dnsregister.c
-+++ b/source/smbd/dnsregister.c
-@@ -125,6 +125,9 @@ void dns_register_smbd(struct dns_reg_state ** dns_state_ptr,
-        */
-       if (dns_state->srv_ref != NULL) {
-               mdnsd_conn_fd = DNSServiceRefSockFD(dns_state->srv_ref);
-+              if (mdnsd_conn_fd < 0 || mdnsd_conn_fd >= FD_SETSIZE) {
-+                      return;
-+              }
-               FD_SET(mdnsd_conn_fd, listen_set);
-               return;
-       }
-@@ -156,6 +159,9 @@ void dns_register_smbd(struct dns_reg_state ** dns_state_ptr,
-       }
-       mdnsd_conn_fd = DNSServiceRefSockFD(dns_state->srv_ref);
-+      if (mdnsd_conn_fd < 0 || mdnsd_conn_fd >= FD_SETSIZE) {
-+              return;
-+      }
-       FD_SET(mdnsd_conn_fd, listen_set);
-       *maxfd = MAX(*maxfd, mdnsd_conn_fd);
-       *timeout = timeval_zero();
-diff --git a/source/smbd/oplock.c b/source/smbd/oplock.c
-index a07d05d..5ae3fdf 100644
---- a/source/smbd/oplock.c
-+++ b/source/smbd/oplock.c
-@@ -241,7 +241,10 @@ bool downgrade_oplock(files_struct *fsp)
- int oplock_notify_fd(void)
- {
-       if (koplocks) {
--              return koplocks->notification_fd;
-+              int fd = koplocks->notification_fd;
-+              if (fd < 0 || fd >= FD_SETSIZE) {
-+                      return -1;
-+              }
-       }
-       return -1;
-diff --git a/source/smbd/oplock_irix.c b/source/smbd/oplock_irix.c
-index 8c287c9..6e86fac 100644
---- a/source/smbd/oplock_irix.c
-+++ b/source/smbd/oplock_irix.c
-@@ -284,6 +284,11 @@ struct kernel_oplocks *irix_init_kernel_oplocks(void)
-               return False;
-       }
-+      if (pfd[0] < 0 || pfd[0] >= FD_SETSIZE) {
-+              DEBUG(0,("setup_kernel_oplock_pipe: fd out of range.\n"));
-+              return False;
-+      }
-+
-       oplock_pipe_read = pfd[0];
-       oplock_pipe_write = pfd[1];
-diff --git a/source/smbd/process.c b/source/smbd/process.c
-index 403c7c6..9b8f29b 100644
---- a/source/smbd/process.c
-+++ b/source/smbd/process.c
-@@ -698,7 +698,7 @@ static void async_processing(fd_set *pfds)
- static int select_on_fd(int fd, int maxfd, fd_set *fds)
- {
--      if (fd != -1) {
-+      if (fd != -1 && fd < FD_SETSIZE) {
-               FD_SET(fd, fds);
-               maxfd = MAX(maxfd, fd);
-       }
-diff --git a/source/smbd/server.c b/source/smbd/server.c
-index 5129484..a670334 100644
---- a/source/smbd/server.c
-+++ b/source/smbd/server.c
-@@ -209,7 +209,13 @@ static bool open_sockets_inetd(void)
-       /* Started from inetd. fd 0 is the socket. */
-       /* We will abort gracefully when the client or remote system 
-          goes away */
--      smbd_set_server_fd(dup(0));
-+      int fd = dup(0);
-+
-+      if (fd < 0 || fd >= FD_SETSIZE) {
-+              return false;
-+      }
-+
-+      smbd_set_server_fd(fd);
-       
-       /* close our standard file descriptors */
-       close_low_fds(False); /* Don't close stderr */
-@@ -436,7 +442,8 @@ static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_
-                                                       num_sockets == 0 ? 0 : 2,
-                                                       ifss,
-                                                       true);
--                              if(s == -1) {
-+                              if(s < 0 || s >= FD_SETSIZE) {
-+                                      close(s);
-                                       continue;
-                               }
-@@ -516,7 +523,7 @@ static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_
-                                               num_sockets == 0 ? 0 : 2,
-                                               &ss,
-                                               true);
--                              if (s == -1) {
-+                              if (s < 0 || s >= FD_SETSIZE) {
-                                       continue;
-                               }
-@@ -709,6 +716,7 @@ static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_
-                       struct sockaddr addr;
-                       socklen_t in_addrlen = sizeof(addr);
-                       pid_t child = 0;
-+                      int fd;
-                       s = -1;
-                       for(i = 0; i < num_sockets; i++) {
-@@ -721,16 +729,21 @@ static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_
-                               }
-                       }
--                      smbd_set_server_fd(accept(s,&addr,&in_addrlen));
--
--                      if (smbd_server_fd() == -1 && errno == EINTR)
-+                      fd = accept(s,&addr,&in_addrlen);
-+                      if (fd == -1 && errno == EINTR)
-                               continue;
--
--                      if (smbd_server_fd() == -1) {
-+                      if (fd == -1) {
-                               DEBUG(2,("open_sockets_smbd: accept: %s\n",
-                                        strerror(errno)));
-                               continue;
-                       }
-+                      if (fd < 0 || fd >= FD_SETSIZE) {
-+                              DEBUG(2,("open_sockets_smbd: bad fd %d\n",
-+                                      fd ));
-+                              continue;
-+                      }
-+
-+                      smbd_set_server_fd(fd);
-                       /* Ensure child is set to blocking mode */
-                       set_blocking(smbd_server_fd(),True);
-diff --git a/source/utils/smbfilter.c b/source/utils/smbfilter.c
-index 1e22a40..45f9207 100644
---- a/source/utils/smbfilter.c
-+++ b/source/utils/smbfilter.c
-@@ -162,8 +162,8 @@ static void filter_child(int c, struct sockaddr_storage *dest_ss)
-               int num;
-               
-               FD_ZERO(&fds);
--              if (s != -1) FD_SET(s, &fds);
--              if (c != -1) FD_SET(c, &fds);
-+              if (s >= 0 && s < FD_SETSIZE) FD_SET(s, &fds);
-+              if (c >= 0 && c < FD_SETSIZE) FD_SET(c, &fds);
-               num = sys_select_intr(MAX(s+1, c+1),&fds,NULL,NULL,NULL);
-               if (num <= 0) continue;
-@@ -235,6 +235,10 @@ static void start_filter(char *desthost)
-               struct sockaddr_storage ss;
-               socklen_t in_addrlen = sizeof(ss);
-               
-+              if (s < 0 || s >= FD_SETSIZE) {
-+                      break;
-+              }
-+
-               FD_ZERO(&fds);
-               FD_SET(s, &fds);
-diff --git a/source/winbindd/winbindd.c b/source/winbindd/winbindd.c
-index 1d618e2..6b5c251 100644
---- a/source/winbindd/winbindd.c
-+++ b/source/winbindd/winbindd.c
-@@ -836,7 +836,8 @@ static void process_loop(void)
-       listen_sock = open_winbindd_socket();
-       listen_priv_sock = open_winbindd_priv_socket();
--      if (listen_sock == -1 || listen_priv_sock == -1) {
-+      if (listen_sock < 0 || listen_sock >= FD_SETSIZE ||
-+                      listen_priv_sock < 0 || listen_priv_sock >= FD_SETSIZE) {
-               perror("open_winbind_socket");
-               exit(1);
-       }
-@@ -861,6 +862,9 @@ static void process_loop(void)
-       FD_ZERO(&r_fds);
-       FD_ZERO(&w_fds);
-+
-+      /* We check the range for listen_sock and
-+         listen_priv_sock above. */
-       FD_SET(listen_sock, &r_fds);
-       FD_SET(listen_priv_sock, &r_fds);
-@@ -890,6 +894,12 @@ static void process_loop(void)
-       }
-       for (ev = fd_events; ev; ev = ev->next) {
-+              if (ev->fd < 0 || ev->fd >= FD_SETSIZE) {
-+                      /* Ignore here - event_add_to_select_args
-+                         should make this impossible. */
-+                      continue;
-+              }
-+
-               if (ev->flags & EVENT_FD_READ) {
-                       FD_SET(ev->fd, &r_fds);
-                       maxfd = MAX(ev->fd, maxfd);
-diff --git a/source/winbindd/winbindd_dual.c b/source/winbindd/winbindd_dual.c
-index ff004f2..b30ec20 100644
---- a/source/winbindd/winbindd_dual.c
-+++ b/source/winbindd/winbindd_dual.c
-@@ -1250,6 +1250,12 @@ static bool fork_domain_child(struct winbindd_child *child)
-               return False;
-       }
-+      if (fdpair[0] < 0 || fdpair[0] >= FD_SETSIZE) {
-+              DEBUG(0, ("fork_domain_child: bad fd range (%d)\n", fdpair[0]));
-+              errno = EBADF;
-+              return False;
-+      }
-+
-       ZERO_STRUCT(state);
-       state.pid = sys_getpid();
-@@ -1405,6 +1411,7 @@ static bool fork_domain_child(struct winbindd_child *child)
-               message_dispatch(winbind_messaging_context());
-               FD_ZERO(&read_fds);
-+              /* We check state.sock against FD_SETSIZE above. */
-               FD_SET(state.sock, &read_fds);
-               ret = sys_select(state.sock + 1, &read_fds, NULL, NULL, tp);
--- 
-1.6.4.2
-
index a3bd63cb77b888a76734fccc2ea950e839bded2d..dfc7636846cf43db8045de39a7adb155dbbdfd5b 100644 (file)
@@ -3,9 +3,10 @@
 # samba
 #
 #############################################################
-SAMBA_VERSION:=3.3.14
-SAMBA_SOURCE:=samba-$(SAMBA_VERSION).tar.gz
-SAMBA_SITE:=http://samba.org/samba/ftp/stable/
+
+SAMBA_VERSION = 3.3.15
+SAMBA_SOURCE = samba-$(SAMBA_VERSION).tar.gz
+SAMBA_SITE = http://samba.org/samba/ftp/stable/
 
 SAMBA_SUBDIR = source
 SAMBA_AUTORECONF = NO