[Buildroot] [PATCH 3/3] samba: bump to version 3.3.15

Gustavo Zacarias gustavo at zacarias.com.ar
Thu Jul 28 20:14:03 UTC 2011


Bump samba to version 3.3.15 and add security patches for CVE-2011-2522
and CVE-2011-2694.

Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
---
 package/samba/samba-00CVE-2011-2694.patch |   55 +++
 package/samba/samba-01CVE-2011-2522.patch |  749 +++++++++++++++++++++++++++++
 package/samba/samba-CVE-2011-0719.patch   |  613 -----------------------
 package/samba/samba.mk                    |    7 +-
 4 files changed, 808 insertions(+), 616 deletions(-)
 create mode 100644 package/samba/samba-00CVE-2011-2694.patch
 create mode 100644 package/samba/samba-01CVE-2011-2522.patch
 delete mode 100644 package/samba/samba-CVE-2011-0719.patch

diff --git a/package/samba/samba-00CVE-2011-2694.patch b/package/samba/samba-00CVE-2011-2694.patch
new file mode 100644
index 0000000..167accf
--- /dev/null
+++ b/package/samba/samba-00CVE-2011-2694.patch
@@ -0,0 +1,55 @@
+From d401ccaedaec09ad6900ec24ecaf205bed3e3ac1 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai at samba.org>
+Date: Thu, 7 Jul 2011 10:03:33 +0200
+Subject: [PATCH] s3 swat: Fix possible XSS attack (bug #8289)
+
+Nobuhiro Tsuji of NTT DATA SECURITY CORPORATION reported a possible XSS attack
+against SWAT, the Samba Web Administration Tool. The attack uses reflection to
+insert arbitrary content into the "change password" page.
+
+This patch fixes the reflection issue by not printing user-specified content on
+the website anymore.
+
+Signed-off-by: Kai Blin <kai at samba.org>
+
+CVE-2011-2694.
+---
+ source/web/swat.c |   14 ++------------
+ 1 files changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 9c7294a..434b1ac 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -1120,11 +1120,9 @@ static void chg_passwd(void)
+ 	if(cgi_variable(CHG_S_PASSWD_FLAG)) {
+ 		printf("<p>");
+ 		if (rslt == True) {
+-			printf(_(" The passwd for '%s' has been changed."), cgi_variable_nonull(SWAT_USER));
+-			printf("\n");
++			printf("%s\n", _(" The passwd has been changed."));
+ 		} else {
+-			printf(_(" The passwd for '%s' has NOT been changed."), cgi_variable_nonull(SWAT_USER));
+-			printf("\n");
++			printf("%s\n", _(" The passwd has NOT been changed."));
+ 		}
+ 	}
+ 	
+@@ -1138,14 +1136,6 @@ static void passwd_page(void)
+ {
+ 	const char *new_name = cgi_user_name();
+ 
+-	/* 
+-	 * After the first time through here be nice. If the user
+-	 * changed the User box text to another users name, remember it.
+-	 */
+-	if (cgi_variable(SWAT_USER)) {
+-		new_name = cgi_variable_nonull(SWAT_USER);
+-	} 
+-
+ 	if (!new_name) new_name = "";
+ 
+ 	printf("<H2>%s</H2>\n", _("Server Password Management"));
+-- 
+1.7.1
+
diff --git a/package/samba/samba-01CVE-2011-2522.patch b/package/samba/samba-01CVE-2011-2522.patch
new file mode 100644
index 0000000..7d48b55
--- /dev/null
+++ b/package/samba/samba-01CVE-2011-2522.patch
@@ -0,0 +1,749 @@
+From b610e0cee563465c6b970647b215f8ae4d0c6599 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai at samba.org>
+Date: Fri, 8 Jul 2011 12:56:21 +0200
+Subject: [PATCH 01/12] s3 swat: Allow getting the user's HTTP auth password
+
+Signed-off-by: Kai Blin <kai at samba.org>
+---
+ source/web/cgi.c        |    9 +++++++++
+ source/web/swat_proto.h |    1 +
+ 2 files changed, 10 insertions(+), 0 deletions(-)
+
+diff --git a/source/web/cgi.c b/source/web/cgi.c
+index 72aa11c..ccdc3a7 100644
+--- a/source/web/cgi.c
++++ b/source/web/cgi.c
+@@ -42,6 +42,7 @@ static char *query_string;
+ static const char *baseurl;
+ static char *pathinfo;
+ static char *C_user;
++static char *C_pass;
+ static bool inetd_server;
+ static bool got_request;
+ 
+@@ -388,6 +389,7 @@ static bool cgi_handle_authorization(char *line)
+ 			
+ 			/* Save the users name */
+ 			C_user = SMB_STRDUP(user);
++			C_pass = SMB_STRDUP(user_pass);
+ 			TALLOC_FREE(pass);
+ 			return True;
+ 		}
+@@ -422,6 +424,13 @@ char *cgi_user_name(void)
+         return(C_user);
+ }
+ 
++/***************************************************************************
++return a ptr to the users password
++  ***************************************************************************/
++char *cgi_user_pass(void)
++{
++        return(C_pass);
++}
+ 
+ /***************************************************************************
+ handle a file download
+diff --git a/source/web/swat_proto.h b/source/web/swat_proto.h
+index 0f84e4f..76f9c3c 100644
+--- a/source/web/swat_proto.h
++++ b/source/web/swat_proto.h
+@@ -31,6 +31,7 @@ const char *cgi_variable(const char *name);
+ const char *cgi_variable_nonull(const char *name);
+ bool am_root(void);
+ char *cgi_user_name(void);
++char *cgi_user_pass(void);
+ void cgi_setup(const char *rootdir, int auth_required);
+ const char *cgi_baseurl(void);
+ const char *cgi_pathinfo(void);
+-- 
+1.7.1
+
+
+From 3806fec53dcf3b6e5c3fd71917f9d67d47c65e32 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai at samba.org>
+Date: Fri, 8 Jul 2011 12:57:43 +0200
+Subject: [PATCH 02/12] s3 swat: Add support for anti-XSRF token
+
+Signed-off-by: Kai Blin <kai at samba.org>
+---
+ source/web/swat.c       |   54 +++++++++++++++++++++++++++++++++++++++++++++++
+ source/web/swat_proto.h |    5 ++++
+ 2 files changed, 59 insertions(+), 0 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 434b1ac..e7d84e5 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -29,6 +29,7 @@
+ 
+ #include "includes.h"
+ #include "web/swat_proto.h"
++#include "../lib/crypto/md5.h"
+ 
+ static int demo_mode = False;
+ static int passwd_only = False;
+@@ -50,6 +51,7 @@ static int iNumNonAutoPrintServices = 0;
+ #define DISABLE_USER_FLAG "disable_user_flag"
+ #define ENABLE_USER_FLAG "enable_user_flag"
+ #define RHOST "remote_host"
++#define XSRF_TOKEN "xsrf"
+ 
+ #define _(x) lang_msg_rotate(talloc_tos(),x)
+ 
+@@ -138,6 +140,58 @@ static char *make_parm_name(const char *label)
+ 	return parmname;
+ }
+ 
++void get_xsrf_token(const char *username, const char *pass,
++		    const char *formname, char token_str[33])
++{
++	struct MD5Context md5_ctx;
++	uint8_t token[16];
++	int i;
++
++	token_str[0] = '\0';
++	ZERO_STRUCT(md5_ctx);
++	MD5Init(&md5_ctx);
++
++	MD5Update(&md5_ctx, (uint8_t *)formname, strlen(formname));
++	if (username != NULL) {
++		MD5Update(&md5_ctx, (uint8_t *)username, strlen(username));
++	}
++	if (pass != NULL) {
++		MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
++	}
++
++	MD5Final(token, &md5_ctx);
++
++	for(i = 0; i < sizeof(token); i++) {
++		char tmp[3];
++
++		snprintf(tmp, sizeof(tmp), "%02x", token[i]);
++		strncat(token_str, tmp, sizeof(tmp));
++	}
++}
++
++void print_xsrf_token(const char *username, const char *pass,
++		      const char *formname)
++{
++	char token[33];
++
++	get_xsrf_token(username, pass, formname, token);
++	printf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
++	       XSRF_TOKEN, token);
++
++}
++
++bool verify_xsrf_token(const char *formname)
++{
++	char expected[33];
++	const char *username = cgi_user_name();
++	const char *pass = cgi_user_pass();
++	const char *token = cgi_variable_nonull(XSRF_TOKEN);
++
++	get_xsrf_token(username, pass, formname, expected);
++	return (strncmp(expected, token, sizeof(expected)) == 0);
++}
++
++
+ /****************************************************************************
+   include a lump of html in a page 
+ ****************************************************************************/
+diff --git a/source/web/swat_proto.h b/source/web/swat_proto.h
+index 76f9c3c..e66c942 100644
+--- a/source/web/swat_proto.h
++++ b/source/web/swat_proto.h
+@@ -67,5 +67,10 @@ void status_page(void);
+ /* The following definitions come from web/swat.c  */
+ 
+ const char *lang_msg_rotate(TALLOC_CTX *ctx, const char *msgid);
++void get_xsrf_token(const char *username, const char *pass,
++		    const char *formname, char token_str[33]);
++void print_xsrf_token(const char *username, const char *pass,
++		      const char *formname);
++bool verify_xsrf_token(const char *formname);
+ 
+ #endif /*  _SWAT_PROTO_H_  */
+-- 
+1.7.1
+
+
+From 3f38cf42facc38c19e0448cbae3078b9606b08e4 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai at samba.org>
+Date: Fri, 8 Jul 2011 12:58:53 +0200
+Subject: [PATCH 03/12] s3 swat: Add XSRF protection to status page
+
+Signed-off-by: Kai Blin <kai at samba.org>
+---
+ source/web/statuspage.c |    7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/source/web/statuspage.c b/source/web/statuspage.c
+index 8070ae7..fe545e4 100644
+--- a/source/web/statuspage.c
++++ b/source/web/statuspage.c
+@@ -247,9 +247,14 @@ void status_page(void)
+ 	int nr_running=0;
+ 	bool waitup = False;
+ 	TALLOC_CTX *ctx = talloc_stackframe();
++	const char form_name[] = "status";
+ 
+ 	smbd_pid = pid_to_procid(pidfile_pid("smbd"));
+ 
++	if (!verify_xsrf_token(form_name)) {
++		goto output_page;
++	}
++
+ 	if (cgi_variable("smbd_restart") || cgi_variable("all_restart")) {
+ 		stop_smbd();
+ 		start_smbd();
+@@ -326,9 +331,11 @@ void status_page(void)
+ 
+ 	initPid2Machine ();
+ 
++output_page:
+ 	printf("<H2>%s</H2>\n", _("Server Status"));
+ 
+ 	printf("<FORM method=post>\n");
++	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+ 
+ 	if (!autorefresh) {
+ 		printf("<input type=submit value=\"%s\" name=\"autorefresh\">\n", _("Auto Refresh"));
+-- 
+1.7.1
+
+
+From ba996f0ae87f6bf4f19a4918e44dbd6d44a96561 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai at samba.org>
+Date: Fri, 8 Jul 2011 15:02:53 +0200
+Subject: [PATCH 04/12] s3 swat: Add XSRF protection to viewconfig page
+
+Signed-off-by: Kai Blin <kai at samba.org>
+---
+ source/web/swat.c |    7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index e7d84e5..647126f 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -664,13 +664,20 @@ static void welcome_page(void)
+ static void viewconfig_page(void)
+ {
+ 	int full_view=0;
++	const char form_name[] = "viewconfig";
++
++	if (!verify_xsrf_token(form_name)) {
++		goto output_page;
++	}
+ 
+ 	if (cgi_variable("full_view")) {
+ 		full_view = 1;
+ 	}
+ 
++output_page:
+ 	printf("<H2>%s</H2>\n", _("Current Config"));
+ 	printf("<form method=post>\n");
++	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+ 
+ 	if (full_view) {
+ 		printf("<input type=submit name=\"normal_view\" value=\"%s\">\n", _("Normal View"));
+-- 
+1.7.1
+
+
+From 94f8482607a175c44436fae456fbda3624629982 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai at samba.org>
+Date: Fri, 8 Jul 2011 15:03:15 +0200
+Subject: [PATCH 05/12] s3 swat: Add XSRF protection to wizard_params page
+
+Signed-off-by: Kai Blin <kai at samba.org>
+---
+ source/web/swat.c |    7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 647126f..b7eec4a 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -697,18 +697,25 @@ output_page:
+ static void wizard_params_page(void)
+ {
+ 	unsigned int parm_filter = FLAG_WIZARD;
++	const char form_name[] = "wizard_params";
+ 
+ 	/* Here we first set and commit all the parameters that were selected
+  	   in the previous screen. */
+ 
+ 	printf("<H2>%s</H2>\n", _("Wizard Parameter Edit Page"));
+ 
++	if (!verify_xsrf_token(form_name)) {
++		goto output_page;
++	}
++
+ 	if (cgi_variable("Commit")) {
+ 		commit_parameters(GLOBAL_SECTION_SNUM);
+ 		save_reload(0);
+ 	}
+ 
++output_page:
+ 	printf("<form name=\"swatform\" method=post action=wizard_params>\n");
++	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+ 
+ 	if (have_write_access) {
+ 		printf("<input type=submit name=\"Commit\" value=\"Commit Changes\">\n");
+-- 
+1.7.1
+
+
+From eb22fd73060534700d514ec295985549131c7569 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai at samba.org>
+Date: Fri, 8 Jul 2011 15:03:44 +0200
+Subject: [PATCH 06/12] s3 swat: Add XSRF protection to wizard page
+
+Signed-off-by: Kai Blin <kai at samba.org>
+---
+ source/web/swat.c |    9 ++++++++-
+ 1 files changed, 8 insertions(+), 1 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index b7eec4a..b6e0c0f 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -751,6 +751,11 @@ static void wizard_page(void)
+ 	int have_home = -1;
+ 	int HomeExpo = 0;
+ 	int SerType = 0;
++	const char form_name[] = "wizard";
++
++	if (!verify_xsrf_token(form_name)) {
++		goto output_page;
++	}
+ 
+ 	if (cgi_variable("Rewrite")) {
+ 		(void) rewritecfg_file();
+@@ -841,10 +846,12 @@ static void wizard_page(void)
+ 		winstype = 3;
+ 
+ 	role = lp_server_role();
+-	
++
++output_page:
+ 	/* Here we go ... */
+ 	printf("<H2>%s</H2>\n", _("Samba Configuration Wizard"));
+ 	printf("<form method=post action=wizard>\n");
++	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+ 
+ 	if (have_write_access) {
+ 		printf("%s\n", _("The \"Rewrite smb.conf file\" button will clear the smb.conf file of all default values and of comments."));
+-- 
+1.7.1
+
+
+From 8fb3064eeaa3640af6c8b91aa5859d8bfb6d0888 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai at samba.org>
+Date: Fri, 8 Jul 2011 15:04:12 +0200
+Subject: [PATCH 07/12] s3 swat: Add XSRF protection to globals page
+
+Signed-off-by: Kai Blin <kai at samba.org>
+---
+ source/web/swat.c |    7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index b6e0c0f..5d11685 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -920,9 +920,14 @@ static void globals_page(void)
+ {
+ 	unsigned int parm_filter = FLAG_BASIC;
+ 	int mode = 0;
++	const char form_name[] = "globals";
+ 
+ 	printf("<H2>%s</H2>\n", _("Global Parameters"));
+ 
++	if (!verify_xsrf_token(form_name)) {
++		goto output_page;
++	}
++
+ 	if (cgi_variable("Commit")) {
+ 		commit_parameters(GLOBAL_SECTION_SNUM);
+ 		save_reload(0);
+@@ -935,7 +940,9 @@ static void globals_page(void)
+ 	if ( cgi_variable("AdvMode"))
+ 		mode = 1;
+ 
++output_page:
+ 	printf("<form name=\"swatform\" method=post action=globals>\n");
++	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+ 
+ 	ViewModeBoxes( mode );
+ 	switch ( mode ) {
+-- 
+1.7.1
+
+
+From ef457a20422cfa8231e25b539d2cd87f299686b9 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai at samba.org>
+Date: Fri, 8 Jul 2011 15:04:48 +0200
+Subject: [PATCH 08/12] s3 swat: Add XSRF protection to shares page
+
+Signed-off-by: Kai Blin <kai at samba.org>
+---
+ source/web/swat.c |   18 +++++++++++++-----
+ 1 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 5d11685..4544c31 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -982,11 +982,17 @@ static void shares_page(void)
+ 	int mode = 0;
+ 	unsigned int parm_filter = FLAG_BASIC;
+ 	size_t converted_size;
++	const char form_name[] = "shares";
++
++	printf("<H2>%s</H2>\n", _("Share Parameters"));
++
++	if (!verify_xsrf_token(form_name)) {
++		goto output_page;
++	}
+ 
+ 	if (share)
+ 		snum = lp_servicenumber(share);
+ 
+-	printf("<H2>%s</H2>\n", _("Share Parameters"));
+ 
+ 	if (cgi_variable("Commit") && snum >= 0) {
+ 		commit_parameters(snum);
+@@ -1012,10 +1018,6 @@ static void shares_page(void)
+ 		}
+ 	}
+ 
+-	printf("<FORM name=\"swatform\" method=post>\n");
+-
+-	printf("<table>\n");
+-
+ 	if ( cgi_variable("ViewMode") )
+ 		mode = atoi(cgi_variable_nonull("ViewMode"));
+ 	if ( cgi_variable("BasicMode"))
+@@ -1023,6 +1025,12 @@ static void shares_page(void)
+ 	if ( cgi_variable("AdvMode"))
+ 		mode = 1;
+ 
++output_page:
++	printf("<FORM name=\"swatform\" method=post>\n");
++	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
++
++	printf("<table>\n");
++
+ 	ViewModeBoxes( mode );
+ 	switch ( mode ) {
+ 		case 0:
+-- 
+1.7.1
+
+
+From 4850456845d2da5e3451716a5ad4ca0ef034e01f Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai at samba.org>
+Date: Fri, 8 Jul 2011 15:05:38 +0200
+Subject: [PATCH 09/12] s3 swat: Add XSRF protection to password page
+
+Signed-off-by: Kai Blin <kai at samba.org>
+---
+ source/web/swat.c |   11 ++++++++---
+ 1 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 4544c31..5242484 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -1225,12 +1225,15 @@ static void chg_passwd(void)
+ static void passwd_page(void)
+ {
+ 	const char *new_name = cgi_user_name();
++	const char passwd_form[] = "passwd";
++	const char rpasswd_form[] = "rpasswd";
+ 
+ 	if (!new_name) new_name = "";
+ 
+ 	printf("<H2>%s</H2>\n", _("Server Password Management"));
+ 
+ 	printf("<FORM name=\"swatform\" method=post>\n");
++	print_xsrf_token(cgi_user_name(), cgi_user_pass(), passwd_form);
+ 
+ 	printf("<table>\n");
+ 
+@@ -1270,14 +1273,16 @@ static void passwd_page(void)
+ 	 * Do some work if change, add, disable or enable was
+ 	 * requested. It could be this is the first time through this
+ 	 * code, so there isn't anything to do.  */
+-	if ((cgi_variable(CHG_S_PASSWD_FLAG)) || (cgi_variable(ADD_USER_FLAG)) || (cgi_variable(DELETE_USER_FLAG)) ||
+-	    (cgi_variable(DISABLE_USER_FLAG)) || (cgi_variable(ENABLE_USER_FLAG))) {
++	if (verify_xsrf_token(passwd_form) &&
++	   ((cgi_variable(CHG_S_PASSWD_FLAG)) || (cgi_variable(ADD_USER_FLAG)) || (cgi_variable(DELETE_USER_FLAG)) ||
++	    (cgi_variable(DISABLE_USER_FLAG)) || (cgi_variable(ENABLE_USER_FLAG)))) {
+ 		chg_passwd();		
+ 	}
+ 
+ 	printf("<H2>%s</H2>\n", _("Client/Server Password Management"));
+ 
+ 	printf("<FORM name=\"swatform\" method=post>\n");
++	print_xsrf_token(cgi_user_name(), cgi_user_pass(), rpasswd_form);
+ 
+ 	printf("<table>\n");
+ 
+@@ -1310,7 +1315,7 @@ static void passwd_page(void)
+ 	 * password somewhere other than the server. It could be this
+ 	 * is the first time through this code, so there isn't
+ 	 * anything to do.  */
+-	if (cgi_variable(CHG_R_PASSWD_FLAG)) {
++	if (verify_xsrf_token(passwd_form) && cgi_variable(CHG_R_PASSWD_FLAG)) {
+ 		chg_passwd();		
+ 	}
+ 
+-- 
+1.7.1
+
+
+From 407ae61fbfc8ee1643a4db8ea9b104f031b32e0f Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai at samba.org>
+Date: Fri, 8 Jul 2011 15:06:13 +0200
+Subject: [PATCH 10/12] s3 swat: Add XSRF protection to printer page
+
+Signed-off-by: Kai Blin <kai at samba.org>
+---
+ source/web/swat.c |   28 ++++++++++++++++++----------
+ 1 files changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 5242484..4582a63 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -1332,18 +1332,15 @@ static void printers_page(void)
+ 	int i;
+ 	int mode = 0;
+ 	unsigned int parm_filter = FLAG_BASIC;
++	const char form_name[] = "printers";
++
++	if (!verify_xsrf_token(form_name)) {
++		goto output_page;
++	}
+ 
+ 	if (share)
+ 		snum = lp_servicenumber(share);
+ 
+-        printf("<H2>%s</H2>\n", _("Printer Parameters"));
+- 
+-        printf("<H3>%s</H3>\n", _("Important Note:"));
+-        printf("%s",_("Printer names marked with [*] in the Choose Printer drop-down box "));
+-        printf("%s",_("are autoloaded printers from "));
+-        printf("<A HREF=\"/swat/help/smb.conf.5.html#printcapname\" target=\"docs\">%s</A>\n", _("Printcap Name"));
+-        printf("%s\n", _("Attempting to delete these printers from SWAT will have no effect."));
+-
+ 	if (cgi_variable("Commit") && snum >= 0) {
+ 		commit_parameters(snum);
+ 		if (snum >= iNumNonAutoPrintServices)
+@@ -1372,8 +1369,6 @@ static void printers_page(void)
+ 		}
+ 	}
+ 
+-	printf("<FORM name=\"swatform\" method=post>\n");
+-
+ 	if ( cgi_variable("ViewMode") )
+ 		mode = atoi(cgi_variable_nonull("ViewMode"));
+         if ( cgi_variable("BasicMode"))
+@@ -1381,6 +1376,19 @@ static void printers_page(void)
+         if ( cgi_variable("AdvMode"))
+                 mode = 1;
+ 
++output_page:
++        printf("<H2>%s</H2>\n", _("Printer Parameters"));
++
++        printf("<H3>%s</H3>\n", _("Important Note:"));
++        printf("%s",_("Printer names marked with [*] in the Choose Printer drop-down box "));
++        printf("%s",_("are autoloaded printers from "));
++        printf("<A HREF=\"/swat/help/smb.conf.5.html#printcapname\" target=\"docs\">%s</A>\n", _("Printcap Name"));
++        printf("%s\n", _("Attempting to delete these printers from SWAT will have no effect."));
++
++
++	printf("<FORM name=\"swatform\" method=post>\n");
++	print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
++
+ 	ViewModeBoxes( mode );
+ 	switch ( mode ) {
+ 		case 0:
+-- 
+1.7.1
+
+
+From 11e281228f334bf3d384df5655136f0b4b4068aa Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai at samba.org>
+Date: Sat, 9 Jul 2011 09:52:07 +0200
+Subject: [PATCH 11/12] s3 swat: Add time component to XSRF token
+
+Signed-off-by: Kai Blin <kai at samba.org>
+---
+ source/web/swat.c       |   28 ++++++++++++++++++++++++----
+ source/web/swat_proto.h |    2 +-
+ 2 files changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 4582a63..50df66e 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -52,6 +52,8 @@ static int iNumNonAutoPrintServices = 0;
+ #define ENABLE_USER_FLAG "enable_user_flag"
+ #define RHOST "remote_host"
+ #define XSRF_TOKEN "xsrf"
++#define XSRF_TIME "xsrf_time"
++#define XSRF_TIMEOUT 300
+ 
+ #define _(x) lang_msg_rotate(talloc_tos(),x)
+ 
+@@ -141,7 +143,7 @@ static char *make_parm_name(const char *label)
+ }
+ 
+ void get_xsrf_token(const char *username, const char *pass,
+-		    const char *formname, char token_str[33])
++		    const char *formname, time_t xsrf_time, char token_str[33])
+ {
+ 	struct MD5Context md5_ctx;
+ 	uint8_t token[16];
+@@ -152,6 +154,7 @@ void get_xsrf_token(const char *username, const char *pass,
+ 	MD5Init(&md5_ctx);
+ 
+ 	MD5Update(&md5_ctx, (uint8_t *)formname, strlen(formname));
++	MD5Update(&md5_ctx, (uint8_t *)&xsrf_time, sizeof(time_t));
+ 	if (username != NULL) {
+ 		MD5Update(&md5_ctx, (uint8_t *)username, strlen(username));
+ 	}
+@@ -173,11 +176,13 @@ void print_xsrf_token(const char *username, const char *pass,
+ 		      const char *formname)
+ {
+ 	char token[33];
++	time_t xsrf_time = time(NULL);
+ 
+-	get_xsrf_token(username, pass, formname, token);
++	get_xsrf_token(username, pass, formname, xsrf_time, token);
+ 	printf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
+ 	       XSRF_TOKEN, token);
+-
++	printf("<input type=\"hidden\" name=\"%s\" value=\"%lld\">\n",
++	       XSRF_TIME, (long long int)xsrf_time);
+ }
+ 
+ bool verify_xsrf_token(const char *formname)
+@@ -186,8 +191,23 @@ bool verify_xsrf_token(const char *formname)
+ 	const char *username = cgi_user_name();
+ 	const char *pass = cgi_user_pass();
+ 	const char *token = cgi_variable_nonull(XSRF_TOKEN);
++	const char *time_str = cgi_variable_nonull(XSRF_TIME);
++	time_t xsrf_time = 0;
++	time_t now = time(NULL);
++
++	if (sizeof(time_t) == sizeof(int)) {
++		xsrf_time = atoi(time_str);
++	} else if (sizeof(time_t) == sizeof(long)) {
++		xsrf_time = atol(time_str);
++	} else if (sizeof(time_t) == sizeof(long long)) {
++		xsrf_time = atoll(time_str);
++	}
++
++	if (abs(now - xsrf_time) > XSRF_TIMEOUT) {
++		return false;
++	}
+ 
+-	get_xsrf_token(username, pass, formname, expected);
++	get_xsrf_token(username, pass, formname, xsrf_time, expected);
+ 	return (strncmp(expected, token, sizeof(expected)) == 0);
+ }
+ 
+diff --git a/source/web/swat_proto.h b/source/web/swat_proto.h
+index e66c942..424a3af 100644
+--- a/source/web/swat_proto.h
++++ b/source/web/swat_proto.h
+@@ -68,7 +68,7 @@ void status_page(void);
+ 
+ const char *lang_msg_rotate(TALLOC_CTX *ctx, const char *msgid);
+ void get_xsrf_token(const char *username, const char *pass,
+-		    const char *formname, char token_str[33]);
++		    const char *formname, time_t xsrf_time, char token_str[33]);
+ void print_xsrf_token(const char *username, const char *pass,
+ 		      const char *formname);
+ bool verify_xsrf_token(const char *formname);
+-- 
+1.7.1
+
+
+From 3973cfa50024983618a44ffdb9f756b642b85be7 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai at samba.org>
+Date: Tue, 12 Jul 2011 08:08:24 +0200
+Subject: [PATCH 12/12] s3 swat: Create random nonce in CGI mode
+
+In CGI mode, we don't get access to the user's password, which would
+reduce the hash used so far to parameters an attacker can easily guess.
+To work around this, read the nonce from secrets.tdb or generate one if
+it's not there.
+Also populate the C_user field so we can use that for token creation.
+
+Signed-off-by: Kai Blin <kai at samba.org>
+
+The last 12 patches address bug #8290 (CSRF vulnerability in SWAT).
+This addresses CVE-2011-2522 (Cross-Site Request Forgery in SWAT).
+---
+ source/web/cgi.c  |   18 +++++++++++++++++-
+ source/web/swat.c |    1 -
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/source/web/cgi.c b/source/web/cgi.c
+index ccdc3a7..890ac8e 100644
+--- a/source/web/cgi.c
++++ b/source/web/cgi.c
+@@ -19,6 +19,7 @@
+ 
+ #include "includes.h"
+ #include "web/swat_proto.h"
++#include "secrets.h"
+ 
+ #define MAX_VARIABLES 10000
+ 
+@@ -321,7 +322,22 @@ static void cgi_web_auth(void)
+ 		exit(0);
+ 	}
+ 
+-	setuid(0);
++	C_user = SMB_STRDUP(user);
++
++	if (!setuid(0)) {
++		C_pass = secrets_fetch_generic("root", "SWAT");
++		if (C_pass == NULL) {
++			char *tmp_pass = NULL;
++			tmp_pass = generate_random_str(16);
++			if (tmp_pass == NULL) {
++				printf("%sFailed to create random nonce for "
++				       "SWAT session\n<br>%s\n", head, tail);
++				exit(0);
++			}
++			secrets_store_generic("root", "SWAT", tmp_pass);
++			C_pass = SMB_STRDUP(tmp_pass);
++		}
++	}
+ 	setuid(pwd->pw_uid);
+ 	if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
+ 		printf("%sFailed to become user %s - uid=%d/%d<br>%s\n", 
+diff --git a/source/web/swat.c b/source/web/swat.c
+index 50df66e..146f1cf 100644
+--- a/source/web/swat.c
++++ b/source/web/swat.c
+@@ -29,7 +29,6 @@
+ 
+ #include "includes.h"
+ #include "web/swat_proto.h"
+-#include "../lib/crypto/md5.h"
+ 
+ static int demo_mode = False;
+ static int passwd_only = False;
+-- 
+1.7.1
+
diff --git a/package/samba/samba-CVE-2011-0719.patch b/package/samba/samba-CVE-2011-0719.patch
deleted file mode 100644
index 1cb8580..0000000
--- a/package/samba/samba-CVE-2011-0719.patch
+++ /dev/null
@@ -1,613 +0,0 @@
-From 724e44eed299c618066dec411530aa9f156119ec Mon Sep 17 00:00:00 2001
-From: Karolin Seeger <kseeger at samba.org>
-Date: Sun, 27 Feb 2011 18:28:29 +0100
-Subject: [PATCH] Fix denial of service - memory corruption.
-
-CVE-2011-0719
-
-Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).
-
-All current released versions of Samba are vulnerable to
-a denial of service caused by memory corruption. Range
-checks on file descriptors being used in the FD_SET macro
-were not present allowing stack corruption. This can cause
-the Samba code to crash or to loop attempting to select
-on a bad file descriptor set.
-
-A connection to a file share, or a local account is needed
-to exploit this problem, either authenticated or unauthenticated
-(guest connection).
-
-Currently we do not believe this flaw is exploitable
-beyond a crash or causing the code to loop, but on the
-advice of our security reviewers we are releasing fixes
-in case an exploit is discovered at a later date.
----
- source/client/client.c          |    4 +++-
- source/client/dnsbrowse.c       |   12 ++++++++++++
- source/lib/events.c             |   13 +++++++++++++
- source/lib/packet.c             |    5 +++++
- source/lib/readline.c           |    5 +++++
- source/lib/select.c             |    6 ++++++
- source/lib/util_sock.c          |   11 +++++++++--
- source/libaddns/dnssock.c       |    6 +++++-
- source/libsmb/nmblib.c          |    5 +++++
- source/nmbd/nmbd_packets.c      |   24 ++++++++++++++++++++++--
- source/nsswitch/wb_common.c     |   22 ++++++++++++++++++++--
- source/printing/printing.c      |    5 +++++
- source/smbd/dnsregister.c       |    6 ++++++
- source/smbd/oplock.c            |    5 ++++-
- source/smbd/oplock_irix.c       |    5 +++++
- source/smbd/process.c           |    2 +-
- source/smbd/server.c            |   29 +++++++++++++++++++++--------
- source/utils/smbfilter.c        |    8 ++++++--
- source/winbindd/winbindd.c      |   12 +++++++++++-
- source/winbindd/winbindd_dual.c |    7 +++++++
- 20 files changed, 171 insertions(+), 21 deletions(-)
-
-diff --git a/source/client/client.c b/source/client/client.c
-index 53bd9e6..a989441 100644
---- a/source/client/client.c
-+++ b/source/client/client.c
-@@ -4379,8 +4379,10 @@ static void readline_callback(void)
- 
-  again:
- 
--	if (cli->fd == -1)
-+	if (cli->fd < 0 || cli->fd >= FD_SETSIZE) {
-+		errno = EBADF;
- 		return;
-+	}
- 
- 	FD_ZERO(&fds);
- 	FD_SET(cli->fd,&fds);
-diff --git a/source/client/dnsbrowse.c b/source/client/dnsbrowse.c
-index 5e3a4de..aa2fb22 100644
---- a/source/client/dnsbrowse.c
-+++ b/source/client/dnsbrowse.c
-@@ -81,6 +81,11 @@ static void do_smb_resolve(struct mdns_smbsrv_result *browsesrv)
- 			TALLOC_FREE(fdset);
- 		}
- 
-+		if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) {
-+			errno = EBADF;
-+			break;
-+		}
-+
- 		fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask);
- 		fdset = TALLOC_ZERO(ctx, fdsetsz);
- 		FD_SET(mdnsfd, fdset);
-@@ -183,6 +188,13 @@ int do_smb_browse(void)
- 
- 		fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask);
- 		fdset = TALLOC_ZERO(ctx, fdsetsz);
-+
-+		if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) {
-+			errno = EBADF;
-+			TALLOC_FREE(ctx);
-+			return 1;
-+		}
-+
- 		FD_SET(mdnsfd, fdset);
- 
- 		tv.tv_sec = 1;
-diff --git a/source/lib/events.c b/source/lib/events.c
-index cd20ceb..2ddbab7 100644
---- a/source/lib/events.c
-+++ b/source/lib/events.c
-@@ -140,6 +140,11 @@ struct fd_event *event_add_fd(struct event_context *event_ctx,
- {
- 	struct fd_event *fde;
- 
-+	if (fd < 0 || fd >= FD_SETSIZE) {
-+		errno = EBADF;
-+		return NULL;
-+	}
-+
- 	if (!(fde = TALLOC_P(mem_ctx, struct fd_event))) {
- 		return NULL;
- 	}
-@@ -190,6 +195,14 @@ bool event_add_to_select_args(struct event_context *event_ctx,
- 	bool ret = False;
- 
- 	for (fde = event_ctx->fd_events; fde; fde = fde->next) {
-+		if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
-+			/* We ignore here, as it shouldn't be
-+			   possible to add an invalid fde->fd
-+			   but we don't want FD_SET to see an
-+			   invalid fd. */
-+			continue;
-+		}
-+
- 		if (fde->flags & EVENT_FD_READ) {
- 			FD_SET(fde->fd, read_fds);
- 			ret = True;
-diff --git a/source/lib/packet.c b/source/lib/packet.c
-index e048616..512c7f2 100644
---- a/source/lib/packet.c
-+++ b/source/lib/packet.c
-@@ -106,6 +106,11 @@ NTSTATUS packet_fd_read_sync(struct packet_context *ctx)
- 	int res;
- 	fd_set r_fds;
- 
-+	if (ctx->fd < 0 || ctx->fd >= FD_SETSIZE) {
-+		errno = EBADF;
-+		return map_nt_error_from_unix(errno);
-+	}
-+
- 	FD_ZERO(&r_fds);
- 	FD_SET(ctx->fd, &r_fds);
- 
-diff --git a/source/lib/readline.c b/source/lib/readline.c
-index 34867aa..70a82f2 100644
---- a/source/lib/readline.c
-+++ b/source/lib/readline.c
-@@ -91,6 +91,11 @@ static char *smb_readline_replacement(const char *prompt, void (*callback)(void)
- 		timeout.tv_sec = 5;
- 		timeout.tv_usec = 0;
- 
-+		if (fd < 0 || fd >= FD_SETSIZE) {
-+			errno = EBADF;
-+			break;
-+		}
-+
- 		FD_ZERO(&fds);
- 		FD_SET(fd,&fds);
- 
-diff --git a/source/lib/select.c b/source/lib/select.c
-index c3da6a9..2d5f02c 100644
---- a/source/lib/select.c
-+++ b/source/lib/select.c
-@@ -61,6 +61,11 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s
- 		if (pipe(select_pipe) == -1)
- 			smb_panic("Could not create select pipe");
- 
-+		if (select_pipe[0] < 0 || select_pipe[0] >= FD_SETSIZE) {
-+			errno = EBADF;
-+			return -1;
-+		}
-+
- 		/*
- 		 * These next two lines seem to fix a bug with the Linux
- 		 * 2.0.x kernel (and probably other UNIXes as well) where
-@@ -87,6 +92,7 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s
- 		readfds2 = &readfds_buf;
- 		FD_ZERO(readfds2);
- 	}
-+
- 	FD_SET(select_pipe[0], readfds2);
- 
- 	errno = 0;
-diff --git a/source/lib/util_sock.c b/source/lib/util_sock.c
-index 650bd13..8aa2c97 100644
---- a/source/lib/util_sock.c
-+++ b/source/lib/util_sock.c
-@@ -960,6 +960,11 @@ NTSTATUS read_socket_with_timeout(int fd, char *buf,
- 	timeout.tv_usec = (long)(1000 * (time_out % 1000));
- 
- 	for (nread=0; nread < mincnt; ) {
-+		if (fd < 0 || fd >= FD_SETSIZE) {
-+			errno = EBADF;
-+			return map_nt_error_from_unix(EBADF);
-+		}
-+
- 		FD_ZERO(&fds);
- 		FD_SET(fd,&fds);
- 
-@@ -1492,7 +1497,7 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs,
- 
- 	for (i=0; i<num_addrs; i++) {
- 		sockets[i] = socket(addrs[i].ss_family, SOCK_STREAM, 0);
--		if (sockets[i] < 0)
-+		if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE)
- 			goto done;
- 		set_blocking(sockets[i], false);
- 	}
-@@ -1541,8 +1546,10 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs,
- 	FD_ZERO(&r_fds);
- 
- 	for (i=0; i<num_addrs; i++) {
--		if (sockets[i] == -1)
-+		if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) {
-+			/* This cannot happen - ignore if so. */
- 			continue;
-+		}
- 		FD_SET(sockets[i], &wr_fds);
- 		FD_SET(sockets[i], &r_fds);
- 		if (sockets[i]>maxfd)
-diff --git a/source/libaddns/dnssock.c b/source/libaddns/dnssock.c
-index 7c8bd41..f427bd5 100644
---- a/source/libaddns/dnssock.c
-+++ b/source/libaddns/dnssock.c
-@@ -218,7 +218,11 @@ static DNS_ERROR read_all(int fd, uint8 *data, size_t len)
- 	while (total < len) {
- 		ssize_t ret;
- 		int fd_ready;
--		
-+
-+		if (fd < 0 || fd >= FD_SETSIZE) {
-+			return ERROR_DNS_SOCKET_ERROR;
-+		}
-+
- 		FD_ZERO( &rfds );
- 		FD_SET( fd, &rfds );
- 
-diff --git a/source/libsmb/nmblib.c b/source/libsmb/nmblib.c
-index bfe5e7b..768e54d 100644
---- a/source/libsmb/nmblib.c
-+++ b/source/libsmb/nmblib.c
-@@ -1097,6 +1097,11 @@ struct packet_struct *receive_packet(int fd,enum packet_type type,int t)
- 	struct timeval timeout;
- 	int ret;
- 
-+	if (fd < 0 || fd >= FD_SETSIZE) {
-+		errno = EBADF;
-+		return NULL;
-+	}
-+
- 	FD_ZERO(&fds);
- 	FD_SET(fd,&fds);
- 	timeout.tv_sec = t/1000;
-diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
-index 4b97819..03e5362 100644
---- a/source/nmbd/nmbd_packets.c
-+++ b/source/nmbd/nmbd_packets.c
-@@ -1683,7 +1683,7 @@ static bool create_listen_fdset(fd_set **ppset, int **psock_array, int *listen_n
- 	for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec))
- 		count++;
- 
--	if((count*2) + 2 > FD_SETSIZE) {
-+	if((count*2) + 2 >= FD_SETSIZE) {
- 		DEBUG(0,("create_listen_fdset: Too many file descriptors needed (%d). We can \
- only use %d.\n", (count*2) + 2, FD_SETSIZE));
- 		SAFE_FREE(pset);
-@@ -1699,24 +1699,44 @@ only use %d.\n", (count*2) + 2, FD_SETSIZE));
- 	FD_ZERO(pset);
- 
- 	/* Add in the broadcast socket on 137. */
-+	if (ClientNMB < 0 || ClientNMB >= FD_SETSIZE) {
-+		errno = EBADF;
-+		SAFE_FREE(pset);
-+		return True;
-+	}
-+
- 	FD_SET(ClientNMB,pset);
- 	sock_array[num++] = ClientNMB;
- 	*maxfd = MAX( *maxfd, ClientNMB);
- 
- 	/* Add in the 137 sockets on all the interfaces. */
- 	for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
-+		if (subrec->nmb_sock < 0 || subrec->nmb_sock >= FD_SETSIZE) {
-+			/* We have to ignore sockets outside FD_SETSIZE. */
-+			continue;
-+		}
- 		FD_SET(subrec->nmb_sock,pset);
- 		sock_array[num++] = subrec->nmb_sock;
- 		*maxfd = MAX( *maxfd, subrec->nmb_sock);
- 	}
- 
- 	/* Add in the broadcast socket on 138. */
-+	if (ClientDGRAM < 0 || ClientDGRAM >= FD_SETSIZE) {
-+		errno = EBADF;
-+		SAFE_FREE(pset);
-+		return True;
-+	}
-+
- 	FD_SET(ClientDGRAM,pset);
- 	sock_array[num++] = ClientDGRAM;
- 	*maxfd = MAX( *maxfd, ClientDGRAM);
- 
- 	/* Add in the 138 sockets on all the interfaces. */
- 	for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
-+		if (subrec->dgram_sock < 0 || subrec->dgram_sock >= FD_SETSIZE) {
-+			/* We have to ignore sockets outside FD_SETSIZE. */
-+			continue;
-+		}
- 		FD_SET(subrec->dgram_sock,pset);
- 		sock_array[num++] = subrec->dgram_sock;
- 		*maxfd = MAX( *maxfd, subrec->dgram_sock);
-@@ -1767,7 +1787,7 @@ bool listen_for_packets(bool run_election)
- 
- #ifndef SYNC_DNS
- 	dns_fd = asyncdns_fd();
--	if (dns_fd != -1) {
-+	if (dns_fd >= 0 && dns_fd < FD_SETSIZE) {
- 		FD_SET(dns_fd, &r_fds);
- 		maxfd = MAX( maxfd, dns_fd);
- 	}
-diff --git a/source/nsswitch/wb_common.c b/source/nsswitch/wb_common.c
-index a164621..4f76bd0 100644
---- a/source/nsswitch/wb_common.c
-+++ b/source/nsswitch/wb_common.c
-@@ -240,6 +240,12 @@ static int winbind_named_pipe_sock(const char *dir)
- 
- 		switch (errno) {
- 			case EINPROGRESS:
-+
-+				if (fd < 0 || fd >= FD_SETSIZE) {
-+					errno = EBADF;
-+					goto error_out;
-+				}
-+
- 				FD_ZERO(&w_fds);
- 				FD_SET(fd, &w_fds);
- 				tv.tv_sec = CONNECT_TIMEOUT - wait_time;
-@@ -383,7 +389,13 @@ int winbind_write_sock(void *buffer, int count, int recursing, int need_priv)
- 	while(nwritten < count) {
- 		struct timeval tv;
- 		fd_set r_fds;
--		
-+
-+		if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) {
-+			errno = EBADF;
-+			winbind_close_sock();
-+			return -1;
-+		}
-+
- 		/* Catch pipe close on other end by checking if a read()
- 		   call would not block by calling select(). */
- 
-@@ -443,7 +455,13 @@ int winbind_read_sock(void *buffer, int count)
- 	while(nread < count) {
- 		struct timeval tv;
- 		fd_set r_fds;
--		
-+
-+		if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) {
-+			errno = EBADF;
-+			winbind_close_sock();
-+			return -1;
-+		}
-+
- 		/* Catch pipe close on other end by checking if a read()
- 		   call would not block by calling select(). */
- 
-diff --git a/source/printing/printing.c b/source/printing/printing.c
-index a9272eb..c3b8c61 100644
---- a/source/printing/printing.c
-+++ b/source/printing/printing.c
-@@ -1407,6 +1407,11 @@ void start_background_queue(void)
- 		exit(1);
- 	}
- 
-+	if (pause_pipe[1] < 0 || pause_pipe[1] >= FD_SETSIZE) {
-+		DEBUG(5,("start_background_queue: pipe fd out of range.\n"));
-+		exit(1);
-+	}
-+
- 	background_lpq_updater_pid = sys_fork();
- 
- 	if (background_lpq_updater_pid == -1) {
-diff --git a/source/smbd/dnsregister.c b/source/smbd/dnsregister.c
-index f02739e..3c689b9 100644
---- a/source/smbd/dnsregister.c
-+++ b/source/smbd/dnsregister.c
-@@ -125,6 +125,9 @@ void dns_register_smbd(struct dns_reg_state ** dns_state_ptr,
- 	 */
- 	if (dns_state->srv_ref != NULL) {
- 		mdnsd_conn_fd = DNSServiceRefSockFD(dns_state->srv_ref);
-+		if (mdnsd_conn_fd < 0 || mdnsd_conn_fd >= FD_SETSIZE) {
-+			return;
-+		}
- 		FD_SET(mdnsd_conn_fd, listen_set);
- 		return;
- 	}
-@@ -156,6 +159,9 @@ void dns_register_smbd(struct dns_reg_state ** dns_state_ptr,
- 	}
- 
- 	mdnsd_conn_fd = DNSServiceRefSockFD(dns_state->srv_ref);
-+	if (mdnsd_conn_fd < 0 || mdnsd_conn_fd >= FD_SETSIZE) {
-+		return;
-+	}
- 	FD_SET(mdnsd_conn_fd, listen_set);
- 	*maxfd = MAX(*maxfd, mdnsd_conn_fd);
- 	*timeout = timeval_zero();
-diff --git a/source/smbd/oplock.c b/source/smbd/oplock.c
-index a07d05d..5ae3fdf 100644
---- a/source/smbd/oplock.c
-+++ b/source/smbd/oplock.c
-@@ -241,7 +241,10 @@ bool downgrade_oplock(files_struct *fsp)
- int oplock_notify_fd(void)
- {
- 	if (koplocks) {
--		return koplocks->notification_fd;
-+		int fd = koplocks->notification_fd;
-+		if (fd < 0 || fd >= FD_SETSIZE) {
-+			return -1;
-+		}
- 	}
- 
- 	return -1;
-diff --git a/source/smbd/oplock_irix.c b/source/smbd/oplock_irix.c
-index 8c287c9..6e86fac 100644
---- a/source/smbd/oplock_irix.c
-+++ b/source/smbd/oplock_irix.c
-@@ -284,6 +284,11 @@ struct kernel_oplocks *irix_init_kernel_oplocks(void)
- 		return False;
- 	}
- 
-+	if (pfd[0] < 0 || pfd[0] >= FD_SETSIZE) {
-+		DEBUG(0,("setup_kernel_oplock_pipe: fd out of range.\n"));
-+		return False;
-+	}
-+
- 	oplock_pipe_read = pfd[0];
- 	oplock_pipe_write = pfd[1];
- 
-diff --git a/source/smbd/process.c b/source/smbd/process.c
-index 403c7c6..9b8f29b 100644
---- a/source/smbd/process.c
-+++ b/source/smbd/process.c
-@@ -698,7 +698,7 @@ static void async_processing(fd_set *pfds)
- 
- static int select_on_fd(int fd, int maxfd, fd_set *fds)
- {
--	if (fd != -1) {
-+	if (fd != -1 && fd < FD_SETSIZE) {
- 		FD_SET(fd, fds);
- 		maxfd = MAX(maxfd, fd);
- 	}
-diff --git a/source/smbd/server.c b/source/smbd/server.c
-index 5129484..a670334 100644
---- a/source/smbd/server.c
-+++ b/source/smbd/server.c
-@@ -209,7 +209,13 @@ static bool open_sockets_inetd(void)
- 	/* Started from inetd. fd 0 is the socket. */
- 	/* We will abort gracefully when the client or remote system 
- 	   goes away */
--	smbd_set_server_fd(dup(0));
-+	int fd = dup(0);
-+
-+	if (fd < 0 || fd >= FD_SETSIZE) {
-+		return false;
-+	}
-+
-+	smbd_set_server_fd(fd);
- 	
- 	/* close our standard file descriptors */
- 	close_low_fds(False); /* Don't close stderr */
-@@ -436,7 +442,8 @@ static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_
- 							num_sockets == 0 ? 0 : 2,
- 							ifss,
- 							true);
--				if(s == -1) {
-+				if(s < 0 || s >= FD_SETSIZE) {
-+					close(s);
- 					continue;
- 				}
- 
-@@ -516,7 +523,7 @@ static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_
- 						num_sockets == 0 ? 0 : 2,
- 						&ss,
- 						true);
--				if (s == -1) {
-+				if (s < 0 || s >= FD_SETSIZE) {
- 					continue;
- 				}
- 
-@@ -709,6 +716,7 @@ static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_
- 			struct sockaddr addr;
- 			socklen_t in_addrlen = sizeof(addr);
- 			pid_t child = 0;
-+			int fd;
- 
- 			s = -1;
- 			for(i = 0; i < num_sockets; i++) {
-@@ -721,16 +729,21 @@ static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_
- 				}
- 			}
- 
--			smbd_set_server_fd(accept(s,&addr,&in_addrlen));
--
--			if (smbd_server_fd() == -1 && errno == EINTR)
-+			fd = accept(s,&addr,&in_addrlen);
-+			if (fd == -1 && errno == EINTR)
- 				continue;
--
--			if (smbd_server_fd() == -1) {
-+			if (fd == -1) {
- 				DEBUG(2,("open_sockets_smbd: accept: %s\n",
- 					 strerror(errno)));
- 				continue;
- 			}
-+			if (fd < 0 || fd >= FD_SETSIZE) {
-+				DEBUG(2,("open_sockets_smbd: bad fd %d\n",
-+					fd ));
-+				continue;
-+			}
-+
-+			smbd_set_server_fd(fd);
- 
- 			/* Ensure child is set to blocking mode */
- 			set_blocking(smbd_server_fd(),True);
-diff --git a/source/utils/smbfilter.c b/source/utils/smbfilter.c
-index 1e22a40..45f9207 100644
---- a/source/utils/smbfilter.c
-+++ b/source/utils/smbfilter.c
-@@ -162,8 +162,8 @@ static void filter_child(int c, struct sockaddr_storage *dest_ss)
- 		int num;
- 		
- 		FD_ZERO(&fds);
--		if (s != -1) FD_SET(s, &fds);
--		if (c != -1) FD_SET(c, &fds);
-+		if (s >= 0 && s < FD_SETSIZE) FD_SET(s, &fds);
-+		if (c >= 0 && c < FD_SETSIZE) FD_SET(c, &fds);
- 
- 		num = sys_select_intr(MAX(s+1, c+1),&fds,NULL,NULL,NULL);
- 		if (num <= 0) continue;
-@@ -235,6 +235,10 @@ static void start_filter(char *desthost)
- 		struct sockaddr_storage ss;
- 		socklen_t in_addrlen = sizeof(ss);
- 		
-+		if (s < 0 || s >= FD_SETSIZE) {
-+			break;
-+		}
-+
- 		FD_ZERO(&fds);
- 		FD_SET(s, &fds);
- 
-diff --git a/source/winbindd/winbindd.c b/source/winbindd/winbindd.c
-index 1d618e2..6b5c251 100644
---- a/source/winbindd/winbindd.c
-+++ b/source/winbindd/winbindd.c
-@@ -836,7 +836,8 @@ static void process_loop(void)
- 	listen_sock = open_winbindd_socket();
- 	listen_priv_sock = open_winbindd_priv_socket();
- 
--	if (listen_sock == -1 || listen_priv_sock == -1) {
-+	if (listen_sock < 0 || listen_sock >= FD_SETSIZE ||
-+			listen_priv_sock < 0 || listen_priv_sock >= FD_SETSIZE) {
- 		perror("open_winbind_socket");
- 		exit(1);
- 	}
-@@ -861,6 +862,9 @@ static void process_loop(void)
- 
- 	FD_ZERO(&r_fds);
- 	FD_ZERO(&w_fds);
-+
-+	/* We check the range for listen_sock and
-+	   listen_priv_sock above. */
- 	FD_SET(listen_sock, &r_fds);
- 	FD_SET(listen_priv_sock, &r_fds);
- 
-@@ -890,6 +894,12 @@ static void process_loop(void)
- 	}
- 
- 	for (ev = fd_events; ev; ev = ev->next) {
-+		if (ev->fd < 0 || ev->fd >= FD_SETSIZE) {
-+			/* Ignore here - event_add_to_select_args
-+			   should make this impossible. */
-+			continue;
-+		}
-+
- 		if (ev->flags & EVENT_FD_READ) {
- 			FD_SET(ev->fd, &r_fds);
- 			maxfd = MAX(ev->fd, maxfd);
-diff --git a/source/winbindd/winbindd_dual.c b/source/winbindd/winbindd_dual.c
-index ff004f2..b30ec20 100644
---- a/source/winbindd/winbindd_dual.c
-+++ b/source/winbindd/winbindd_dual.c
-@@ -1250,6 +1250,12 @@ static bool fork_domain_child(struct winbindd_child *child)
- 		return False;
- 	}
- 
-+	if (fdpair[0] < 0 || fdpair[0] >= FD_SETSIZE) {
-+		DEBUG(0, ("fork_domain_child: bad fd range (%d)\n", fdpair[0]));
-+		errno = EBADF;
-+		return False;
-+	}
-+
- 	ZERO_STRUCT(state);
- 	state.pid = sys_getpid();
- 
-@@ -1405,6 +1411,7 @@ static bool fork_domain_child(struct winbindd_child *child)
- 		message_dispatch(winbind_messaging_context());
- 
- 		FD_ZERO(&read_fds);
-+		/* We check state.sock against FD_SETSIZE above. */
- 		FD_SET(state.sock, &read_fds);
- 
- 		ret = sys_select(state.sock + 1, &read_fds, NULL, NULL, tp);
--- 
-1.6.4.2
-
diff --git a/package/samba/samba.mk b/package/samba/samba.mk
index a3bd63c..dfc7636 100644
--- a/package/samba/samba.mk
+++ b/package/samba/samba.mk
@@ -3,9 +3,10 @@
 # samba
 #
 #############################################################
-SAMBA_VERSION:=3.3.14
-SAMBA_SOURCE:=samba-$(SAMBA_VERSION).tar.gz
-SAMBA_SITE:=http://samba.org/samba/ftp/stable/
+
+SAMBA_VERSION = 3.3.15
+SAMBA_SOURCE = samba-$(SAMBA_VERSION).tar.gz
+SAMBA_SITE = http://samba.org/samba/ftp/stable/
 
 SAMBA_SUBDIR = source
 SAMBA_AUTORECONF = NO
-- 
1.7.3.4




More information about the buildroot mailing list