Diffstat (limited to 'openwrt/package/samba/patches')
-rw-r--r--openwrt/package/samba/patches/100-samba.patch489
-rw-r--r--openwrt/package/samba/patches/200-security.patch606
-rw-r--r--openwrt/package/samba/patches/250-writex.patch152
-rw-r--r--openwrt/package/samba/patches/300-shared_lib_ldflags_fix.patch25
-rw-r--r--openwrt/package/samba/patches/301-config_files_path.patch25
5 files changed, 0 insertions, 1297 deletions
diff --git a/openwrt/package/samba/patches/100-samba.patch b/openwrt/package/samba/patches/100-samba.patch
deleted file mode 100644
index 3bfeed359..000000000
--- a/openwrt/package/samba/patches/100-samba.patch
+++ /dev/null
@@ -1,489 +0,0 @@
-diff -ruN samba-2.0.10.orig/source/include/smb.h samba-2.0.10/source/include/smb.h
---- samba-2.0.10.orig/source/include/smb.h 2001-06-23 10:52:20.000000000 +0200
-+++ samba-2.0.10/source/include/smb.h 2006-03-06 22:21:12.000000000 +0100
-@@ -115,6 +115,22 @@
- * Usage:
- * DEBUGADD( 2, ("Some additional text.\n") );
- */
-+
-+#ifdef NDEBUG
-+
-+#define DEBUGLVL( level ) \
-+ ( (0 == (level)) \
-+ && dbghdr( level, FILE_MACRO, FUNCTION_MACRO, (__LINE__) ) )
-+
-+#define DEBUG( level, body ) \
-+ (void)( (0 == (level)) \
-+ && (dbghdr( level, FILE_MACRO, FUNCTION_MACRO, (__LINE__) )) \
-+ && (dbgtext body) )
-+
-+#define DEBUGADD( level, body ) \
-+ (void)( (0 == (level)) && (dbgtext body) )
-+
-+#else
- #define DEBUGLVL( level ) \
- ( (DEBUGLEVEL >= (level)) \
- && dbghdr( level, FILE_MACRO, FUNCTION_MACRO, (__LINE__) ) )
-@@ -140,7 +156,7 @@
- (void)( (DEBUGLEVEL >= (level)) && (dbgtext body) )
-
- #endif
--
-+#endif
- /* End Debugging code section.
- * -------------------------------------------------------------------------- **
- */
-@@ -1612,7 +1628,9 @@
- #define CAP_LOCK_AND_READ 0x0100
- #define CAP_NT_FIND 0x0200
- #define CAP_DFS 0x1000
-+#define CAP_W2K_SMBS 0x2000
- #define CAP_LARGE_READX 0x4000
-+#define CAP_LARGE_WRITEX 0x8000
- #define CAP_EXTENDED_SECURITY 0x80000000
-
- /* protocol types. It assumes that higher protocols include lower protocols
-diff -ruN samba-2.0.10.orig/source/Makefile.in samba-2.0.10/source/Makefile.in
---- samba-2.0.10.orig/source/Makefile.in 2000-03-16 23:57:08.000000000 +0100
-+++ samba-2.0.10/source/Makefile.in 2006-03-06 22:21:12.000000000 +0100
-@@ -37,8 +37,8 @@
- # set these to where to find various files
- # These can be overridden by command line switches (see smbd(8))
- # or in smb.conf (see smb.conf(5))
--SMBLOGFILE = $(VARDIR)/log.smb
--NMBLOGFILE = $(VARDIR)/log.nmb
-+SMBLOGFILE = $(VARDIR)/smb
-+NMBLOGFILE = $(VARDIR)/nmb
- CONFIGFILE = $(LIBDIR)/smb.conf
- LMHOSTSFILE = $(LIBDIR)/lmhosts
- DRIVERFILE = $(LIBDIR)/printers.def
-@@ -55,7 +55,7 @@
- LOCKDIR = @lockdir@
-
- # The directory where code page definition files go
--CODEPAGEDIR = $(LIBDIR)/codepages
-+CODEPAGEDIR = $(BASEDIR)/codepages
-
- # The current codepage definition list.
- CODEPAGELIST= 437 737 775 850 852 861 932 866 949 950 936 1251 ISO8859-1 ISO8859-2 ISO8859-5 ISO8859-7 KOI8-R
-@@ -82,6 +82,7 @@
- PROGS2 = bin/rpcclient bin/smbpasswd bin/make_smbcodepage bin/make_unicodemap @WRAP@ @WRAP32@
- MPROGS = @MPROGS@
- PROGS = $(PROGS1) $(PROGS2) $(MPROGS) bin/nmblookup bin/make_printerdef
-+SHAREDPROGS = bin/smbd.shared bin/nmbd.shared bin/smbpasswd.shared
-
- SCRIPTS = $(srcdir)/script/smbtar $(srcdir)/script/addtosmbpass $(srcdir)/script/convert_smbpasswd
-
-@@ -159,6 +160,8 @@
- $(RPC_SERVER_OBJ) $(RPC_CLIENT_OBJ) $(RPC_PARSE_OBJ) \
- $(LOCKING_OBJ) $(PASSDB_OBJ) $(PRINTING_OBJ) $(PROFILE_OBJ) $(LIB_OBJ)
-
-+SMBDSHARED_OBJ = $(SMBD_OBJ1) $(RPC_SERVER_OBJ) \
-+ $(LOCKING_OBJ) $(PROFILE_OBJ) #$(PRINTING_OBJ)
-
- NMBD_OBJ1 = nmbd/asyncdns.o nmbd/nmbd.o nmbd/nmbd_become_dmb.o \
- nmbd/nmbd_become_lmb.o nmbd/nmbd_browserdb.o \
-@@ -176,6 +179,8 @@
- NMBD_OBJ = $(NMBD_OBJ1) $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) \
- $(LIB_OBJ)
-
-+NMBDSHARED_OBJ = $(NMBD_OBJ1)
-+
- SWAT_OBJ = web/cgi.o web/diagnose.o web/startstop.o web/statuspage.o \
- web/swat.o $(LIBSMB_OBJ) $(LOCKING_OBJ) \
- $(PARAM_OBJ) $(PASSDB_OBJ) $(RPC_CLIENT_OBJ) $(RPC_PARSE_OBJ) \
-@@ -207,6 +212,8 @@
- SMBPASSWD_OBJ = utils/smbpasswd.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(PASSDB_OBJ) \
- $(UBIQX_OBJ) $(RPC_CLIENT_OBJ) $(RPC_PARSE_OBJ) $(LIB_OBJ)
-
-+SMBPASSWDSHARED_OBJ = utils/smbpasswd.o
-+
- RPCCLIENT_OBJ = rpcclient/rpcclient.o \
- rpcclient/display.o \
- rpcclient/cmd_lsarpc.o \
-@@ -265,6 +272,11 @@
- PROTO_OBJ = $(SMBD_OBJ) $(NMBD_OBJ) $(SWAT_OBJ) $(CLIENT_OBJ) \
- $(RPCCLIENT_OBJ) $(SMBWRAPPER_OBJ) $(SMBTORTURE_OBJ)
-
-+LIBSMBSHARED_OBJ = $(LIB_OBJ) $(LIBSMB_OBJ) $(PARAM_OBJ) $(UBIQX_OBJ) \
-+ $(PASSDB_OBJ) $(RPC_PARSE_OBJ) #$(RPC_CLIENT_OBJ)
-+
-+LIBSMB_PICOBJS = $(LIBSMBSHARED_OBJ:.o=.po)
-+
- PICOBJS = $(SMBWRAPPER_OBJ:.o=.po)
- PICOBJS32 = $(SMBWRAPPER_OBJ:.o=.po32)
-
-@@ -274,6 +286,8 @@
-
- all : CHECK $(SPROGS) $(PROGS)
-
-+shared : CHECK $(SHAREDPROGS)
-+
- smbwrapper : CHECK bin/smbsh bin/smbwrapper.@SHLIBEXT@ @WRAP32@
-
- smbtorture : CHECK bin/smbtorture
-@@ -359,10 +373,18 @@
- @echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(SMBD_OBJ) $(LDFLAGS) $(LIBS)
-
-+bin/smbd.shared: $(SMBDSHARED_OBJ) bin/libsmb.@SHLIBEXT@ bin/.dummy
-+ @echo Linking $@
-+ @$(CC) $(FLAGS) -o $@ $(SMBDSHARED_OBJ) $(LDFLAGS) $(LIBS) -Lbin -lsmb
-+
- bin/nmbd: $(NMBD_OBJ) bin/.dummy
- @echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(NMBD_OBJ) $(LDFLAGS) $(LIBS)
-
-+bin/nmbd.shared: $(NMBDSHARED_OBJ) bin/libsmb.@SHLIBEXT@ bin/.dummy
-+ @echo Linking $@
-+ @$(CC) $(FLAGS) -o $@ $(NMBDSHARED_OBJ) $(LDFLAGS) $(LIBS) -Lbin -lsmb
-+
- bin/swat: $(SWAT_OBJ) bin/.dummy
- @echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(SWAT_OBJ) $(LDFLAGS) $(LIBS)
-@@ -411,6 +433,10 @@
- @echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(SMBPASSWD_OBJ) $(LDFLAGS) $(LIBS)
-
-+bin/smbpasswd.shared: $(SMBPASSWDSHARED_OBJ) bin/libsmb.@SHLIBEXT@ bin/.dummy
-+ @echo Linking $@
-+ @$(CC) $(FLAGS) -o $@ $(SMBPASSWDSHARED_OBJ) $(LDFLAGS) $(LIBS) -Lbin -lsmb
-+
- bin/make_smbcodepage: $(MAKE_SMBCODEPAGE_OBJ) bin/.dummy
- @echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(MAKE_SMBCODEPAGE_OBJ) $(LDFLAGS) $(LIBS)
-@@ -459,6 +485,10 @@
- @echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(SMBSH_OBJ) $(LDFLAGS) $(LIBS)
-
-+bin/libsmb.@SHLIBEXT@: $(LIBSMB_PICOBJS) bin/.dummy
-+ @echo Linking shared library $@
-+ @$(LD) @LDSHFLAGS@ -o $@ $(LIBSMB_PICOBJS) $(LIBS)
-+
- install: installbin installman installscripts installcp installswat
-
- installdirs:
-@@ -518,7 +548,7 @@
- ctags `find . -name "*.[ch]" | grep -v /CVS/`
-
- realclean: clean
-- -rm -f config.log $(PROGS) $(SPROGS) bin/.dummy
-+ -rm -f config.log $(PROGS) $(SPROGS) $(SHAREDPROGS) bin/.dummy
- -rmdir bin
-
- distclean: realclean
-diff -ruN samba-2.0.10.orig/source/nmbd/nmbd_mynames.c samba-2.0.10/source/nmbd/nmbd_mynames.c
---- samba-2.0.10.orig/source/nmbd/nmbd_mynames.c 2000-03-16 23:59:24.000000000 +0100
-+++ samba-2.0.10/source/nmbd/nmbd_mynames.c 2006-03-06 22:21:12.000000000 +0100
-@@ -215,8 +215,8 @@
- */
- if( !is_refresh_already_queued( subrec, namerec) )
- refresh_name( subrec, namerec, NULL, NULL, NULL );
-- namerec->data.death_time += lp_max_ttl();
-- namerec->data.refresh_time += MIN(lp_max_ttl(), MAX_REFRESH_TIME);
-+ namerec->data.death_time = t + lp_max_ttl();
-+ namerec->data.refresh_time = t + MIN(lp_max_ttl(), MAX_REFRESH_TIME);
- }
- }
- }
-diff -ruN samba-2.0.10.orig/source/smbd/close.c samba-2.0.10/source/smbd/close.c
---- samba-2.0.10.orig/source/smbd/close.c 2000-04-21 19:43:13.000000000 +0200
-+++ samba-2.0.10/source/smbd/close.c 2006-03-06 22:21:12.000000000 +0100
-@@ -122,11 +122,11 @@
- last_reference = True;
-
- fsp->fd_ptr = NULL;
--
-+#ifdef PRINTING
- /* NT uses smbclose to start a print - weird */
- if (normal_close && fsp->print_file)
- print_file(conn, fsp);
--
-+#endif
- /* check for magic scripts */
- if (normal_close) {
- check_magic(fsp,conn);
-diff -ruN samba-2.0.10.orig/source/smbd/ipc.c samba-2.0.10/source/smbd/ipc.c
---- samba-2.0.10.orig/source/smbd/ipc.c 2000-03-30 00:20:06.000000000 +0200
-+++ samba-2.0.10/source/smbd/ipc.c 2006-03-06 22:21:12.000000000 +0100
-@@ -472,7 +472,7 @@
- PACK(desc,t,v);
- }
-
--
-+#ifdef PRINTING
- /****************************************************************************
- get a print queue
- ****************************************************************************/
-@@ -1004,7 +1004,7 @@
-
- return True;
- }
--
-+#endif
- /****************************************************************************
- get info level for a server list query
- ****************************************************************************/
-@@ -1834,7 +1834,7 @@
-
- return(True);
- }
--
-+#ifdef PRINTING
- /****************************************************************************
- delete a print job
- Form: <W> <>
-@@ -2091,7 +2091,7 @@
-
- return(True);
- }
--
-+#endif
-
- /****************************************************************************
- get info about the server
-@@ -2756,7 +2756,7 @@
-
- return(True);
- }
--
-+#ifdef PRINTING
- /****************************************************************************
- api_WPrintJobEnumerate
- ****************************************************************************/
-@@ -3189,7 +3189,7 @@
- DEBUG(4,("WPrintPortEnum: errorcode %d\n",desc.errcode));
- return(True);
- }
--
-+#endif
- /****************************************************************************
- Start the first part of an RPC reply which began with an SMBtrans request.
- ****************************************************************************/
-@@ -3407,6 +3407,7 @@
- {"RNetUserGetInfo", 56, api_RNetUserGetInfo,0},
- {"NetUserGetGroups", 59, api_NetUserGetGroups,0},
- {"NetWkstaGetInfo", 63, api_NetWkstaGetInfo,0},
-+#ifdef PRINTING
- {"DosPrintQEnum", 69, api_DosPrintQEnum,0},
- {"DosPrintQGetInfo", 70, api_DosPrintQGetInfo,0},
- {"WPrintQueuePause", 74, api_WPrintQueuePurge,0},
-@@ -3418,16 +3419,21 @@
- {"RDosPrintJobResume",83, api_RDosPrintJobDel,0},
- {"WPrintDestEnum", 84, api_WPrintDestEnum,0},
- {"WPrintDestGetInfo", 85, api_WPrintDestGetInfo,0},
-+#endif
- {"NetRemoteTOD", 91, api_NetRemoteTOD,0},
-+#ifdef PRINTING
- {"WPrintQueuePurge", 103, api_WPrintQueuePurge,0},
-+#endif
- {"NetServerEnum", 104, api_RNetServerEnum,0},
- {"WAccessGetUserPerms",105, api_WAccessGetUserPerms,0},
- {"SetUserPassword", 115, api_SetUserPassword,0},
- {"WWkstaUserLogon", 132, api_WWkstaUserLogon,0},
-+#ifdef PRINTING
- {"PrintJobInfo", 147, api_PrintJobInfo,0},
- {"WPrintDriverEnum", 205, api_WPrintDriverEnum,0},
- {"WPrintQProcEnum", 206, api_WPrintQProcEnum,0},
- {"WPrintPortEnum", 207, api_WPrintPortEnum,0},
-+#endif
- {"SamOEMChangePassword", 214, api_SamOEMChangePassword,0},
- {NULL, -1, api_Unsupported,0}};
-
-diff -ruN samba-2.0.10.orig/source/smbd/negprot.c samba-2.0.10/source/smbd/negprot.c
---- samba-2.0.10.orig/source/smbd/negprot.c 2000-03-16 23:59:47.000000000 +0100
-+++ samba-2.0.10/source/smbd/negprot.c 2006-03-06 22:21:12.000000000 +0100
-@@ -160,7 +160,7 @@
- /* dual names + lock_and_read + nt SMBs + remote API calls */
- int capabilities = CAP_NT_FIND|CAP_LOCK_AND_READ|
- (lp_nt_smb_support() ? CAP_NT_SMBS | CAP_RPC_REMOTE_APIS : 0) |
-- (SMB_OFF_T_BITS == 64 ? CAP_LARGE_FILES : 0);
-+ (SMB_OFF_T_BITS == 64 ? CAP_LARGE_FILES | CAP_LARGE_READX | CAP_LARGE_WRITEX /*| CAP_W2K_SMBS*/ : 0);
-
-
- /*
-diff -ruN samba-2.0.10.orig/source/smbd/password.c samba-2.0.10/source/smbd/password.c
---- samba-2.0.10.orig/source/smbd/password.c 2000-03-16 23:59:48.000000000 +0100
-+++ samba-2.0.10/source/smbd/password.c 2006-03-06 22:21:12.000000000 +0100
-@@ -1149,7 +1149,7 @@
-
- return(True);
- }
--
-+#ifdef RPCCLIENT
- /***********************************************************************
- Connect to a remote machine for domain security authentication
- given a name or IP address.
-@@ -1504,3 +1504,4 @@
- cli_shutdown(&cli);
- return True;
- }
-+#endif
-diff -ruN samba-2.0.10.orig/source/smbd/process.c samba-2.0.10/source/smbd/process.c
---- samba-2.0.10.orig/source/smbd/process.c 2000-04-15 02:21:27.000000000 +0200
-+++ samba-2.0.10/source/smbd/process.c 2006-03-06 22:21:12.000000000 +0100
-@@ -343,10 +343,12 @@
- {SMBlseek,"SMBlseek",reply_lseek,AS_USER},
- {SMBflush,"SMBflush",reply_flush,AS_USER},
- {SMBctemp,"SMBctemp",reply_ctemp,AS_USER | QUEUE_IN_OPLOCK },
-+#ifdef PRINTING
- {SMBsplopen,"SMBsplopen",reply_printopen,AS_USER | QUEUE_IN_OPLOCK },
- {SMBsplclose,"SMBsplclose",reply_printclose,AS_USER},
- {SMBsplretq,"SMBsplretq",reply_printqueue,AS_USER},
- {SMBsplwr,"SMBsplwr",reply_printwrite,AS_USER},
-+#endif
- {SMBlock,"SMBlock",reply_lock,AS_USER},
- {SMBunlock,"SMBunlock",reply_unlock,AS_USER},
-
-@@ -908,7 +910,7 @@
- DEBUG(2,("Closing idle connection 2.\n"));
- return False;
- }
--
-+#ifdef RPCLIENT
- if(global_machine_password_needs_changing)
- {
- unsigned char trust_passwd_hash[16];
-@@ -954,7 +956,7 @@
- trust_password_unlock();
- global_machine_password_needs_changing = False;
- }
--
-+#endif
- /*
- * Check to see if we have any blocking locks
- * outstanding on the queue.
-diff -ruN samba-2.0.10.orig/source/smbd/reply.c samba-2.0.10/source/smbd/reply.c
---- samba-2.0.10.orig/source/smbd/reply.c 2001-06-23 10:51:24.000000000 +0200
-+++ samba-2.0.10/source/smbd/reply.c 2006-03-06 22:21:12.000000000 +0100
-@@ -597,12 +597,12 @@
-
- if (!check_domain_match(orig_user, domain))
- return False;
--
-+#ifdef RPCCLIENT
- ret = domain_client_validate(orig_user, domain,
- smb_apasswd, smb_apasslen,
- smb_ntpasswd, smb_ntpasslen,
- &user_exists);
--
-+#endif
- if(ret) {
- /*
- * User validated ok against Domain controller.
-@@ -2991,7 +2991,7 @@
- return -1;
- }
-
--
-+#ifdef PRINTING
- /****************************************************************************
- reply to a printopen
- ****************************************************************************/
-@@ -3176,7 +3176,7 @@
-
- return(outsize);
- }
--
-+#endif
-
- /****************************************************************************
- reply to a mkdir
-diff -ruN samba-2.0.10.orig/source/smbd/server.c samba-2.0.10/source/smbd/server.c
---- samba-2.0.10.orig/source/smbd/server.c 2000-03-16 23:59:52.000000000 +0100
-+++ samba-2.0.10/source/smbd/server.c 2006-03-06 22:21:12.000000000 +0100
-@@ -300,9 +300,9 @@
- lp_killunused(conn_snum_used);
-
- ret = lp_load(servicesf,False,False,True);
--
-+#ifdef PRINTING
- load_printers();
--
-+#endif
- /* perhaps the config filename is now set */
- if (!test)
- reload_services(True);
-diff -ruN samba-2.0.10.orig/source/smbd/service.c samba-2.0.10/source/smbd/service.c
---- samba-2.0.10.orig/source/smbd/service.c 2000-03-16 23:59:52.000000000 +0100
-+++ samba-2.0.10/source/smbd/service.c 2006-03-06 22:21:12.000000000 +0100
-@@ -121,7 +121,7 @@
- }
- }
- }
--
-+#ifdef PRINTING
- /* If we still don't have a service, attempt to add it as a printer. */
- if (iService < 0)
- {
-@@ -146,7 +146,7 @@
- DEBUG(3,("%s is not a valid printer name\n", service));
- }
- }
--
-+#endif
- /* just possibly it's a default service? */
- if (iService < 0)
- {
-diff -ruN samba-2.0.10.orig/source/utils/smbpasswd.c samba-2.0.10/source/utils/smbpasswd.c
---- samba-2.0.10.orig/source/utils/smbpasswd.c 2000-03-16 23:59:57.000000000 +0100
-+++ samba-2.0.10/source/utils/smbpasswd.c 2006-03-06 22:21:12.000000000 +0100
-@@ -71,7 +71,7 @@
- }
- exit(1);
- }
--
-+#ifdef RPCCLIENT
- /*********************************************************
- Join a domain.
- **********************************************************/
-@@ -143,7 +143,7 @@
-
- return (int)ret;
- }
--
-+#endif
-
- static void set_line_buffering(FILE *f)
- {
-@@ -335,13 +335,13 @@
- if((local_flags & (LOCAL_ADD_USER|LOCAL_DELETE_USER)) && ((remote_machine != NULL) || joining_domain)) {
- usage();
- }
--
-+#ifdef RPCCLIENT
- if(joining_domain) {
- if (argc != 0)
- usage();
- return join_domain(new_domain, remote_machine);
- }
--
-+#endif
- /*
- * Deal with root - can add a user, but only locally.
- */
-diff -ruN samba-2.0.10.orig/source/web/swat.c samba-2.0.10/source/web/swat.c
---- samba-2.0.10.orig/source/web/swat.c 2000-04-11 19:36:36.000000000 +0200
-+++ samba-2.0.10/source/web/swat.c 2006-03-06 22:21:12.000000000 +0100
-@@ -357,8 +357,9 @@
- return 0;
- }
- iNumNonAutoPrintServices = lp_numservices();
-+#ifdef PRINTING
- load_printers();
--
-+#endif
- return 1;
- }
-
-@@ -997,8 +998,9 @@
- charset_initialise();
- load_config(True);
- iNumNonAutoPrintServices = lp_numservices();
-+#ifdef PRINTING
- load_printers();
--
-+#endif
- cgi_setup(SWATDIR, !demo_mode);
-
- print_header();
diff --git a/openwrt/package/samba/patches/200-security.patch b/openwrt/package/samba/patches/200-security.patch
deleted file mode 100644
index 8e51549e1..000000000
--- a/openwrt/package/samba/patches/200-security.patch
+++ /dev/null
@@ -1,606 +0,0 @@
-diff -ruN samba-2.0.10.orig/source/include/smb.h samba-2.0.10/source/include/smb.h
---- samba-2.0.10.orig/source/include/smb.h 2006-03-06 22:25:08.000000000 +0100
-+++ samba-2.0.10/source/include/smb.h 2006-03-06 22:25:53.000000000 +0100
-@@ -272,6 +272,7 @@
- #define ERRlock 33 /* Lock request conflicts with existing lock */
- #define ERRunsup 50 /* Request unsupported, returned by Win 95, RJS 20Jun98 */
- #define ERRfilexists 80 /* File in operation already exists */
-+#define ERRinvalidparam 87
- #define ERRcannotopen 110 /* Cannot open the file specified */
- #define ERRunknownlevel 124
- #define ERRrename 183
-@@ -1911,4 +1912,7 @@
-
- #define SAFE_NETBIOS_CHARS ". -_"
-
-+#ifndef SAFE_FREE
-+#define SAFE_FREE(x) do { if ((x) != NULL) {free((x)); (x)=NULL;} } while(0)
-+#endif
- #endif /* _SMB_H */
-diff -ruN samba-2.0.10.orig/source/include/version.h samba-2.0.10/source/include/version.h
---- samba-2.0.10.orig/source/include/version.h 2001-06-23 15:23:59.000000000 +0200
-+++ samba-2.0.10/source/include/version.h 2006-03-06 22:25:53.000000000 +0100
-@@ -1 +1 @@
--#define VERSION "2.0.10"
-+#define VERSION "2.0.10-security-rollup"
-diff -ruN samba-2.0.10.orig/source/smbd/filename.c samba-2.0.10/source/smbd/filename.c
---- samba-2.0.10.orig/source/smbd/filename.c 2000-03-16 23:59:44.000000000 +0100
-+++ samba-2.0.10/source/smbd/filename.c 2006-03-06 22:25:53.000000000 +0100
-@@ -172,7 +172,7 @@
- * StrnCpy always null terminates.
- */
-
-- StrnCpy(orig_name, full_orig_name, namelen);
-+ StrnCpy(orig_name, full_orig_name, MIN(namelen, sizeof(orig_name)-1));
- if(!case_sensitive)
- strupper( orig_name );
-
-diff -ruN samba-2.0.10.orig/source/smbd/ipc.c samba-2.0.10/source/smbd/ipc.c
---- samba-2.0.10.orig/source/smbd/ipc.c 2006-03-06 22:25:08.000000000 +0100
-+++ samba-2.0.10/source/smbd/ipc.c 2006-03-06 22:25:53.000000000 +0100
-@@ -3556,18 +3556,18 @@
- uint16 *setup=NULL;
- int outsize = 0;
- uint16 vuid = SVAL(inbuf,smb_uid);
-- int tpscnt = SVAL(inbuf,smb_vwv0);
-- int tdscnt = SVAL(inbuf,smb_vwv1);
-- int mprcnt = SVAL(inbuf,smb_vwv2);
-- int mdrcnt = SVAL(inbuf,smb_vwv3);
-- int msrcnt = CVAL(inbuf,smb_vwv4);
-+ unsigned int tpscnt = SVAL(inbuf,smb_vwv0);
-+ unsigned int tdscnt = SVAL(inbuf,smb_vwv1);
-+ unsigned int mprcnt = SVAL(inbuf,smb_vwv2);
-+ unsigned int mdrcnt = SVAL(inbuf,smb_vwv3);
-+ unsigned int msrcnt = CVAL(inbuf,smb_vwv4);
- BOOL close_on_completion = BITSETW(inbuf+smb_vwv5,0);
- BOOL one_way = BITSETW(inbuf+smb_vwv5,1);
-- int pscnt = SVAL(inbuf,smb_vwv9);
-- int psoff = SVAL(inbuf,smb_vwv10);
-- int dscnt = SVAL(inbuf,smb_vwv11);
-- int dsoff = SVAL(inbuf,smb_vwv12);
-- int suwcnt = CVAL(inbuf,smb_vwv13);
-+ unsigned int pscnt = SVAL(inbuf,smb_vwv9);
-+ unsigned int psoff = SVAL(inbuf,smb_vwv10);
-+ unsigned int dscnt = SVAL(inbuf,smb_vwv11);
-+ unsigned int dsoff = SVAL(inbuf,smb_vwv12);
-+ unsigned int suwcnt = CVAL(inbuf,smb_vwv13);
-
- memset(name, '\0',sizeof(name));
- fstrcpy(name,smb_buf(inbuf));
-@@ -3578,26 +3578,44 @@
-
- if (tdscnt) {
- if((data = (char *)malloc(tdscnt)) == NULL) {
-- DEBUG(0,("reply_trans: data malloc fail for %d bytes !\n", tdscnt));
-+ DEBUG(0,("reply_trans: data malloc fail for %u bytes !\n", tdscnt));
- return(ERROR(ERRDOS,ERRnomem));
- }
-+ if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
-+ goto bad_param;
-+ if (smb_base(inbuf)+dsoff+dscnt > inbuf + size)
-+ goto bad_param;
-+
- memcpy(data,smb_base(inbuf)+dsoff,dscnt);
- }
-
- if (tpscnt) {
- if((params = (char *)malloc(tpscnt)) == NULL) {
-- DEBUG(0,("reply_trans: param malloc fail for %d bytes !\n", tpscnt));
-+ DEBUG(0,("reply_trans: param malloc fail for %u bytes !\n", tpscnt));
-+ SAFE_FREE(data);
- return(ERROR(ERRDOS,ERRnomem));
- }
-+ if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
-+ goto bad_param;
-+ if (smb_base(inbuf)+psoff+pscnt > inbuf + size)
-+ goto bad_param;
-+
- memcpy(params,smb_base(inbuf)+psoff,pscnt);
- }
-
- if (suwcnt) {
- int i;
- if((setup = (uint16 *)malloc(suwcnt*sizeof(uint16))) == NULL) {
-- DEBUG(0,("reply_trans: setup malloc fail for %d bytes !\n", (int)(suwcnt * sizeof(uint16))));
-- return(ERROR(ERRDOS,ERRnomem));
-- }
-+ DEBUG(0,("reply_trans: setup malloc fail for %u bytes !\n", (unsigned int)(suwcnt * sizeof(uint16))));
-+ SAFE_FREE(data);
-+ SAFE_FREE(params);
-+ return(ERROR(ERRDOS,ERRnomem));
-+ }
-+ if (inbuf+smb_vwv14+(suwcnt*SIZEOFWORD) > inbuf + size)
-+ goto bad_param;
-+ if ((smb_vwv14+(suwcnt*SIZEOFWORD) < smb_vwv14) || (smb_vwv14+(suwcnt*SIZEOFWORD) < (suwcnt*SIZEOFWORD)))
-+ goto bad_param;
-+
- for (i=0;i<suwcnt;i++)
- setup[i] = SVAL(inbuf,smb_vwv14+i*SIZEOFWORD);
- }
-@@ -3614,7 +3632,7 @@
- /* receive the rest of the trans packet */
- while (pscnt < tpscnt || dscnt < tdscnt) {
- BOOL ret;
-- int pcnt,poff,dcnt,doff,pdisp,ddisp;
-+ unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;
-
- ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
-
-@@ -3625,19 +3643,19 @@
- DEBUG(0,("reply_trans: %s in getting secondary trans response.\n",
- (smb_read_error == READ_ERROR) ? "error" : "timeout" ));
- }
-- if (params)
-- free(params);
-- if (data)
-- free(data);
-- if (setup)
-- free(setup);
-+ SAFE_FREE(params);
-+ SAFE_FREE(data);
-+ SAFE_FREE(setup);
- return(ERROR(ERRSRV,ERRerror));
- }
-
- show_msg(inbuf);
-
-- tpscnt = SVAL(inbuf,smb_vwv0);
-- tdscnt = SVAL(inbuf,smb_vwv1);
-+ /* Revise total_params and total_data in case they have changed downwards */
-+ if (SVAL(inbuf,smb_vwv0) < tpscnt)
-+ tpscnt = SVAL(inbuf,smb_vwv0);
-+ if (SVAL(inbuf,smb_vwv1) < tdscnt)
-+ tdscnt = SVAL(inbuf,smb_vwv1);
-
- pcnt = SVAL(inbuf,smb_vwv2);
- poff = SVAL(inbuf,smb_vwv3);
-@@ -3650,17 +3668,36 @@
- pscnt += pcnt;
- dscnt += dcnt;
-
-- if (dscnt > tdscnt || pscnt > tpscnt) {
-- exit_server("invalid trans parameters\n");
-- }
-+ if (dscnt > tdscnt || pscnt > tpscnt)
-+ goto bad_param;
-
-- if (pcnt)
-+ if (pcnt) {
-+ if (pdisp+pcnt >= tpscnt)
-+ goto bad_param;
-+ if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
-+ goto bad_param;
-+ if (smb_base(inbuf) + poff + pcnt >= inbuf + bufsize)
-+ goto bad_param;
-+ if (params + pdisp < params)
-+ goto bad_param;
-+
- memcpy(params+pdisp,smb_base(inbuf)+poff,pcnt);
-- if (dcnt)
-+ }
-+
-+ if (dcnt) {
-+ if (ddisp+dcnt >= tdscnt)
-+ goto bad_param;
-+ if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
-+ goto bad_param;
-+ if (smb_base(inbuf) + doff + dcnt >= inbuf + bufsize)
-+ goto bad_param;
-+ if (data + ddisp < data)
-+ goto bad_param;
-+
- memcpy(data+ddisp,smb_base(inbuf)+doff,dcnt);
-+ }
- }
--
--
-+
- DEBUG(3,("trans <%s> data=%d params=%d setup=%d\n",
- name,tdscnt,tpscnt,suwcnt));
-
-@@ -3700,4 +3737,12 @@
- return(ERROR(ERRSRV,ERRnosupport));
-
- return(outsize);
-+
-+ bad_param:
-+
-+ DEBUG(0,("reply_trans: invalid trans parameters\n"));
-+ SAFE_FREE(data);
-+ SAFE_FREE(params);
-+ SAFE_FREE(setup);
-+ return(ERROR(ERRSRV,ERRerror));
- }
-diff -ruN samba-2.0.10.orig/source/smbd/nttrans.c samba-2.0.10/source/smbd/nttrans.c
---- samba-2.0.10.orig/source/smbd/nttrans.c 2000-04-24 19:27:30.000000000 +0200
-+++ samba-2.0.10/source/smbd/nttrans.c 2006-03-06 22:25:53.000000000 +0100
-@@ -2575,11 +2575,14 @@
- params = (char *)malloc(total_parameter_count);
- if (total_data_count > 0)
- data = (char *)malloc(total_data_count);
--
-+
- if ((total_parameter_count && !params) || (total_data_count && !data) ||
- (setup_count && !setup)) {
-+ SAFE_FREE(setup);
-+ SAFE_FREE(params);
-+ SAFE_FREE(data);
- DEBUG(0,("reply_nttrans : Out of memory\n"));
-- return(ERROR(ERRDOS,ERRnomem));
-+ return ERROR(ERRDOS,ERRnomem);
- }
-
- /* Copy the param and data bytes sent with this request into
-@@ -2588,64 +2591,112 @@
- num_data_sofar = data_count;
-
- if (parameter_count > total_parameter_count || data_count > total_data_count)
-- exit_server("reply_nttrans: invalid sizes in packet.\n");
-+ goto bad_param;
-
- if(setup) {
-- memcpy( setup, &inbuf[smb_nt_SetupStart], setup_count);
- DEBUG(10,("reply_nttrans: setup_count = %d\n", setup_count));
-- dump_data(10, setup, setup_count);
-+ if ((smb_nt_SetupStart + setup_count < smb_nt_SetupStart) ||
-+ (smb_nt_SetupStart + setup_count < setup_count))
-+ goto bad_param;
-+ if (smb_nt_SetupStart + setup_count > length)
-+ goto bad_param;
-+
-+ memcpy( setup, &inbuf[smb_nt_SetupStart], setup_count);
- }
- if(params) {
-- memcpy( params, smb_base(inbuf) + parameter_offset, parameter_count);
- DEBUG(10,("reply_nttrans: parameter_count = %d\n", parameter_count));
-- dump_data(10, params, parameter_count);
-+ if ((parameter_offset + parameter_count < parameter_offset) ||
-+ (parameter_offset + parameter_count < parameter_count))
-+ goto bad_param;
-+ if (smb_base(inbuf) + parameter_offset + parameter_count > inbuf + length)
-+ goto bad_param;
-+
-+ memcpy( params, smb_base(inbuf) + parameter_offset, parameter_count);
- }
- if(data) {
-- memcpy( data, smb_base(inbuf) + data_offset, data_count);
- DEBUG(10,("reply_nttrans: data_count = %d\n",data_count));
-- dump_data(10, data, data_count);
-+ if ((data_offset + data_count < data_offset) || (data_offset + data_count < data_count))
-+ goto bad_param;
-+ if (smb_base(inbuf) + data_offset + data_count > inbuf + length)
-+ goto bad_param;
-+
-+ memcpy( data, smb_base(inbuf) + data_offset, data_count);
-+
- }
-
- if(num_data_sofar < total_data_count || num_params_sofar < total_parameter_count) {
- /* We need to send an interim response then receive the rest
- of the parameter/data bytes */
- outsize = set_message(outbuf,0,0,True);
-- send_smb(Client,outbuf);
-+ if (!send_smb(Client,outbuf))
-+ exit_server("reply_nttrans: send_smb failed.");
-
- while( num_data_sofar < total_data_count || num_params_sofar < total_parameter_count) {
- BOOL ret;
--
-+ uint32 parameter_displacement;
-+ uint32 data_displacement;
-+
- ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
--
-+
- if((ret && (CVAL(inbuf, smb_com) != SMBnttranss)) || !ret) {
-- outsize = set_message(outbuf,0,0,True);
-- if(ret) {
-- DEBUG(0,("reply_nttrans: Invalid secondary nttrans packet\n"));
-- } else {
-- DEBUG(0,("reply_nttrans: %s in getting secondary nttrans response.\n",
-- (smb_read_error == READ_ERROR) ? "error" : "timeout" ));
-+ outsize = set_message(outbuf,0,0,True);
-+ if(ret) {
-+ DEBUG(0,("reply_nttrans: Invalid secondary nttrans packet\n"));
-+ } else {
-+ DEBUG(0,("reply_nttrans: %s in getting secondary nttrans response.\n",
-+ (smb_read_error == READ_ERROR) ? "error" : "timeout" ));
- }
-- if(params)
-- free(params);
-- if(data)
-- free(data);
-- if(setup)
-- free(setup);
-- return(ERROR(ERRSRV,ERRerror));
-+ goto bad_param;
- }
-
- /* Revise total_params and total_data in case they have changed downwards */
-- total_parameter_count = IVAL(inbuf, smb_nts_TotalParameterCount);
-- total_data_count = IVAL(inbuf, smb_nts_TotalDataCount);
-- num_params_sofar += (parameter_count = IVAL(inbuf,smb_nts_ParameterCount));
-- num_data_sofar += ( data_count = IVAL(inbuf, smb_nts_DataCount));
-- if (num_params_sofar > total_parameter_count || num_data_sofar > total_data_count)
-- exit_server("reply_nttrans2: data overflow in secondary nttrans packet\n");
--
-- memcpy( &params[ IVAL(inbuf, smb_nts_ParameterDisplacement)],
-- smb_base(inbuf) + IVAL(inbuf, smb_nts_ParameterOffset), parameter_count);
-- memcpy( &data[IVAL(inbuf, smb_nts_DataDisplacement)],
-- smb_base(inbuf)+ IVAL(inbuf, smb_nts_DataOffset), data_count);
-+ if (IVAL(inbuf, smb_nts_TotalParameterCount) < total_parameter_count)
-+ total_parameter_count = IVAL(inbuf, smb_nts_TotalParameterCount);
-+ if (IVAL(inbuf, smb_nts_TotalDataCount) < total_data_count)
-+ total_data_count = IVAL(inbuf, smb_nts_TotalDataCount);
-+
-+ parameter_count = IVAL(inbuf,smb_nts_ParameterCount);
-+ parameter_offset = IVAL(inbuf, smb_nts_ParameterOffset);
-+ parameter_displacement = IVAL(inbuf, smb_nts_ParameterDisplacement);
-+ num_params_sofar += parameter_count;
-+
-+ data_count = IVAL(inbuf, smb_nts_DataCount);
-+ data_displacement = IVAL(inbuf, smb_nts_DataDisplacement);
-+ data_offset = IVAL(inbuf, smb_nts_DataOffset);
-+ num_data_sofar += data_count;
-+
-+ if (num_params_sofar > total_parameter_count || num_data_sofar > total_data_count) {
-+ DEBUG(0,("reply_nttrans2: data overflow in secondary nttrans packet"));
-+ goto bad_param;
-+ }
-+
-+ if (parameter_count) {
-+ if (parameter_displacement + parameter_count >= total_parameter_count)
-+ goto bad_param;
-+ if ((parameter_displacement + parameter_count < parameter_displacement) ||
-+ (parameter_displacement + parameter_count < parameter_count))
-+ goto bad_param;
-+ if (smb_base(inbuf) + parameter_offset + parameter_count >= inbuf + bufsize)
-+ goto bad_param;
-+ if (params + parameter_displacement < params)
-+ goto bad_param;
-+
-+ memcpy( &params[parameter_displacement], smb_base(inbuf) + parameter_offset, parameter_count);
-+ }
-+
-+ if (data_count) {
-+ if (data_displacement + data_count >= total_data_count)
-+ goto bad_param;
-+ if ((data_displacement + data_count < data_displacement) ||
-+ (data_displacement + data_count < data_count))
-+ goto bad_param;
-+ if (smb_base(inbuf) + data_offset + data_count >= inbuf + bufsize)
-+ goto bad_param;
-+ if (data + data_displacement < data)
-+ goto bad_param;
-+
-+ memcpy( &data[data_displacement], smb_base(inbuf)+ data_offset, data_count);
-+ }
- }
- }
-
-@@ -2714,4 +2765,10 @@
- return outsize; /* If a correct response was needed the call_nt_transact_xxxx
- calls have already sent it. If outsize != -1 then it is
- returning an error packet. */
-+ bad_param:
-+
-+ SAFE_FREE(params);
-+ SAFE_FREE(data);
-+ SAFE_FREE(setup);
-+ return ERROR(ERRDOS,ERRinvalidparam);
- }
-diff -ruN samba-2.0.10.orig/source/smbd/password.c samba-2.0.10/source/smbd/password.c
---- samba-2.0.10.orig/source/smbd/password.c 2006-03-06 22:25:08.000000000 +0100
-+++ samba-2.0.10/source/smbd/password.c 2006-03-06 22:25:53.000000000 +0100
-@@ -770,7 +770,7 @@
- if (!ok && lp_username(snum)) {
- char *auser;
- pstring user_list;
-- StrnCpy(user_list,lp_username(snum),sizeof(pstring));
-+ StrnCpy(user_list,lp_username(snum),sizeof(pstring)-1);
-
- pstring_sub(user_list,"%S",lp_servicename(snum));
-
-diff -ruN samba-2.0.10.orig/source/smbd/reply.c samba-2.0.10/source/smbd/reply.c
---- samba-2.0.10.orig/source/smbd/reply.c 2006-03-06 22:25:08.000000000 +0100
-+++ samba-2.0.10/source/smbd/reply.c 2006-03-06 22:25:53.000000000 +0100
-@@ -1413,6 +1413,9 @@
-
- for (i=numentries;(i<maxentries) && !finished;i++)
- {
-+ /* check to make sure we have room in the buffer */
-+ if ( ((PTR_DIFF(p, outbuf))+DIR_STRUCT_SIZE) > BUFFER_SIZE )
-+ break;
- finished =
- !get_dir_entry(conn,mask,dirtype,fname,&size,&mode,&date,check_descend);
- if (!finished)
-@@ -3122,6 +3125,9 @@
-
-
- for (i=first;i<first+num_to_get;i++) {
-+ /* check to make sure we have room in the buffer */
-+ if ( (PTR_DIFF(p, outbuf)+28) > BUFFER_SIZE )
-+ break;
- put_dos_date2(p,0,queue[i].time);
- CVAL(p,4) = (queue[i].status==LPQ_PRINTING?2:3);
- SSVAL(p,5,printjob_encode(SNUM(conn),
-diff -ruN samba-2.0.10.orig/source/smbd/trans2.c samba-2.0.10/source/smbd/trans2.c
---- samba-2.0.10.orig/source/smbd/trans2.c 2000-04-24 19:27:31.000000000 +0200
-+++ samba-2.0.10/source/smbd/trans2.c 2006-03-06 22:25:53.000000000 +0100
-@@ -201,7 +201,6 @@
- int16 open_ofun = SVAL(params,12);
- int32 open_size = IVAL(params,14);
- char *pname = &params[28];
-- int16 namelen = strlen(pname)+1;
-
- pstring fname;
- mode_t unixmode;
-@@ -213,7 +212,7 @@
- BOOL bad_path = False;
- files_struct *fsp;
-
-- StrnCpy(fname,pname,namelen);
-+ pstrcpy(fname,pname);
-
- DEBUG(3,("trans2open %s mode=%d attr=%d ofun=%d size=%d\n",
- fname,open_mode, open_attr, open_ofun, open_size));
-@@ -2185,7 +2184,7 @@
- unsigned int suwcnt = SVAL(inbuf, smb_suwcnt);
- unsigned int tran_call = SVAL(inbuf, smb_setup0);
- char *params = NULL, *data = NULL;
-- int num_params, num_params_sofar, num_data, num_data_sofar;
-+ unsigned int num_params, num_params_sofar, num_data, num_data_sofar;
-
- if(global_oplock_break && (tran_call == TRANSACT2_OPEN)) {
- /* Queue this open message as we are the process of an
-@@ -2203,8 +2202,9 @@
- /* All trans2 messages we handle have smb_sucnt == 1 - ensure this
- is so as a sanity check */
- if (suwcnt != 1) {
-- DEBUG(2,("Invalid smb_sucnt in trans2 call\n"));
-- return(ERROR(ERRSRV,ERRerror));
-+ DEBUG(2,("Invalid smb_sucnt in trans2 call(%u)\n",suwcnt));
-+ DEBUG(2,("Transaction is %d\n",tran_call));
-+ ERROR(ERRDOS,ERRinvalidparam);
- }
-
- /* Allocate the space for the maximum needed parameters and data */
-@@ -2215,11 +2215,9 @@
-
- if ((total_params && !params) || (total_data && !data)) {
- DEBUG(2,("Out of memory in reply_trans2\n"));
-- if(params)
-- free(params);
-- if(data)
-- free(data);
-- return(ERROR(ERRDOS,ERRnomem));
-+ SAFE_FREE(params);
-+ SAFE_FREE(data);
-+ return ERROR(ERRDOS,ERRnomem);
- }
-
- /* Copy the param and data bytes sent with this request into
-@@ -2230,20 +2228,37 @@
- if (num_params > total_params || num_data > total_data)
- exit_server("invalid params in reply_trans2");
-
-- if(params)
-- memcpy( params, smb_base(inbuf) + SVAL(inbuf, smb_psoff), num_params);
-- if(data)
-- memcpy( data, smb_base(inbuf) + SVAL(inbuf, smb_dsoff), num_data);
-+ if(params) {
-+ unsigned int psoff = SVAL(inbuf, smb_psoff);
-+ if ((psoff + num_params < psoff) || (psoff + num_params < num_params))
-+ goto bad_param;
-+ if (smb_base(inbuf) + psoff + num_params > inbuf + length)
-+ goto bad_param;
-+ memcpy( params, smb_base(inbuf) + psoff, num_params);
-+ }
-+ if(data) {
-+ unsigned int dsoff = SVAL(inbuf, smb_dsoff);
-+ if ((dsoff + num_data < dsoff) || (dsoff + num_data < num_data))
-+ goto bad_param;
-+ if (smb_base(inbuf) + dsoff + num_data > inbuf + length)
-+ goto bad_param;
-+ memcpy( data, smb_base(inbuf) + dsoff, num_data);
-+ }
-
- if(num_data_sofar < total_data || num_params_sofar < total_params) {
- /* We need to send an interim response then receive the rest
- of the parameter/data bytes */
- outsize = set_message(outbuf,0,0,True);
-- send_smb(Client,outbuf);
-+ if (!send_smb(Client,outbuf))
-+ exit_server("reply_trans2: send_smb failed.");
-
- while (num_data_sofar < total_data ||
- num_params_sofar < total_params) {
- BOOL ret;
-+ unsigned int param_disp;
-+ unsigned int param_off;
-+ unsigned int data_disp;
-+ unsigned int data_off;
-
- ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
-
-@@ -2255,26 +2270,55 @@
- else
- DEBUG(0,("reply_trans2: %s in getting secondary trans2 response.\n",
- (smb_read_error == READ_ERROR) ? "error" : "timeout" ));
-- if(params)
-- free(params);
-- if(data)
-- free(data);
-- return(ERROR(ERRSRV,ERRerror));
-+ goto bad_param;
- }
-
- /* Revise total_params and total_data in case
- they have changed downwards */
-- total_params = SVAL(inbuf, smb_tpscnt);
-- total_data = SVAL(inbuf, smb_tdscnt);
-- num_params_sofar += (num_params = SVAL(inbuf,smb_spscnt));
-- num_data_sofar += ( num_data = SVAL(inbuf, smb_sdscnt));
-+ if (SVAL(inbuf, smb_tpscnt) < total_params)
-+ total_params = SVAL(inbuf, smb_tpscnt);
-+ if (SVAL(inbuf, smb_tdscnt) < total_data)
-+ total_data = SVAL(inbuf, smb_tdscnt);
-+
-+ num_params = SVAL(inbuf,smb_spscnt);
-+ param_off = SVAL(inbuf, smb_spsoff);
-+ param_disp = SVAL(inbuf, smb_spsdisp);
-+ num_params_sofar += num_params;
-+
-+ num_data = SVAL(inbuf, smb_sdscnt);
-+ data_off = SVAL(inbuf, smb_sdsoff);
-+ data_disp = SVAL(inbuf, smb_sdsdisp);
-+ num_data_sofar += num_data;
-+
- if (num_params_sofar > total_params || num_data_sofar > total_data)
-- exit_server("data overflow in trans2");
-+ goto bad_param;
-
-- memcpy( &params[ SVAL(inbuf, smb_spsdisp)],
-- smb_base(inbuf) + SVAL(inbuf, smb_spsoff), num_params);
-- memcpy( &data[SVAL(inbuf, smb_sdsdisp)],
-- smb_base(inbuf)+ SVAL(inbuf, smb_sdsoff), num_data);
-+ if (num_params) {
-+ if (param_disp + num_params >= total_params)
-+ goto bad_param;
-+ if ((param_disp + num_params < param_disp) ||
-+ (param_disp + num_params < num_params))
-+ goto bad_param;
-+ if (smb_base(inbuf) + param_off + num_params >= inbuf + bufsize)
-+ goto bad_param;
-+ if (params + param_disp < params)
-+ goto bad_param;
-+
-+ memcpy( &params[param_disp], smb_base(inbuf) + param_off, num_params);
-+ }
-+ if (num_data) {
-+ if (data_disp + num_data >= total_data)
-+ goto bad_param;
-+ if ((data_disp + num_data < data_disp) ||
-+ (data_disp + num_data < num_data))
-+ goto bad_param;
-+ if (smb_base(inbuf) + data_off + num_data >= inbuf + bufsize)
-+ goto bad_param;
-+ if (data + data_disp < data)
-+ goto bad_param;
-+
-+ memcpy( &data[data_disp], smb_base(inbuf) + data_off, num_data);
-+ }
- }
- }
-
-@@ -2367,4 +2411,10 @@
- return outsize; /* If a correct response was needed the
- call_trans2xxx calls have already sent
- it. If outsize != -1 then it is returning */
-+
-+ bad_param:
-+
-+ SAFE_FREE(params);
-+ SAFE_FREE(data);
-+ return (ERROR(ERRDOS,ERRinvalidparam));
- }
diff --git a/openwrt/package/samba/patches/250-writex.patch b/openwrt/package/samba/patches/250-writex.patch
deleted file mode 100644
index ed0495e92..000000000
--- a/openwrt/package/samba/patches/250-writex.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-diff -ruN samba-2.0.10.orig/source/include/smb.h samba-2.0.10/source/include/smb.h
---- samba-2.0.10.orig/source/include/smb.h 2006-03-06 22:25:53.000000000 +0100
-+++ samba-2.0.10/source/include/smb.h 2006-03-06 22:27:31.000000000 +0100
-@@ -24,8 +24,14 @@
- #ifndef _SMB_H
- #define _SMB_H
-
-+#if defined(LARGE_SMB_OFF_T)
-+#define BUFFER_SIZE (128*1024)
-+#else /* no large readwrite possible */
- #define BUFFER_SIZE (0xFFFF)
-+#endif
-+
- #define SAFETY_MARGIN 1024
-+#define LARGE_WRITEX_HDR_SIZE 65
-
- #define NMB_PORT 137
- #define DGRAM_PORT 138
-diff -ruN samba-2.0.10.orig/source/lib/util_sock.c samba-2.0.10/source/lib/util_sock.c
---- samba-2.0.10.orig/source/lib/util_sock.c 2000-03-16 23:59:18.000000000 +0100
-+++ samba-2.0.10/source/lib/util_sock.c 2006-03-06 22:27:31.000000000 +0100
-@@ -649,19 +649,21 @@
- memset(buffer,'\0',smb_size + 100);
-
- len = read_smb_length_return_keepalive(fd,buffer,timeout);
-- if (len < 0)
-- {
-+ if (len < 0) {
- DEBUG(10,("receive_smb: length < 0!\n"));
- return(False);
- }
-
-- if (len > BUFFER_SIZE) {
-+ /*
-+ * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
-+ * of header. Don't print the error if this fits.... JRA.
-+ */
-+
-+ if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
- DEBUG(0,("Invalid packet length! (%d bytes).\n",len));
- if (len > BUFFER_SIZE + (SAFETY_MARGIN/2))
-- {
- exit(1);
- }
-- }
-
- if(len > 0) {
- ret = read_socket_data(fd,buffer+4,len);
-diff -ruN samba-2.0.10.orig/source/smbd/oplock.c samba-2.0.10/source/smbd/oplock.c
---- samba-2.0.10.orig/source/smbd/oplock.c 2000-04-25 04:32:14.000000000 +0200
-+++ samba-2.0.10/source/smbd/oplock.c 2006-03-06 22:27:31.000000000 +0100
-@@ -887,13 +887,13 @@
- messages crossing on the wire.
- */
-
-- if((inbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN))==NULL)
-+ if((inbuf = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN))==NULL)
- {
- DEBUG(0,("oplock_break: malloc fail for input buffer.\n"));
- return False;
- }
-
-- if((outbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN))==NULL)
-+ if((outbuf = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN))==NULL)
- {
- DEBUG(0,("oplock_break: malloc fail for output buffer.\n"));
- free(inbuf);
-diff -ruN samba-2.0.10.orig/source/smbd/process.c samba-2.0.10/source/smbd/process.c
---- samba-2.0.10.orig/source/smbd/process.c 2006-03-06 22:25:28.000000000 +0100
-+++ samba-2.0.10/source/smbd/process.c 2006-03-06 22:27:31.000000000 +0100
-@@ -995,8 +995,8 @@
- time_t last_timeout_processing_time = time(NULL);
- unsigned int num_smbs = 0;
-
-- InBuffer = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
-- OutBuffer = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
-+ InBuffer = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN);
-+ OutBuffer = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN);
- if ((InBuffer == NULL) || (OutBuffer == NULL))
- return;
-
-@@ -1027,7 +1027,7 @@
- /* free up temporary memory */
- lp_talloc_free();
-
-- while(!receive_message_or_smb(InBuffer,BUFFER_SIZE,select_timeout,&got_smb))
-+ while(!receive_message_or_smb(InBuffer,BUFFER_SIZE+LARGE_WRITEX_HDR_SIZE,select_timeout,&got_smb))
- {
- if(!timeout_processing( deadtime, &select_timeout, &last_timeout_processing_time))
- return;
-diff -ruN samba-2.0.10.orig/source/smbd/reply.c samba-2.0.10/source/smbd/reply.c
---- samba-2.0.10.orig/source/smbd/reply.c 2006-03-06 22:25:53.000000000 +0100
-+++ samba-2.0.10/source/smbd/reply.c 2006-03-06 22:27:31.000000000 +0100
-@@ -2551,17 +2551,28 @@
- size_t numtowrite = SVAL(inbuf,smb_vwv10);
- BOOL write_through = BITSETW(inbuf+smb_vwv7,0);
- ssize_t nwritten = -1;
-- int smb_doff = SVAL(inbuf,smb_vwv11);
-+ unsigned int smb_doff = SVAL(inbuf,smb_vwv11);
-+ unsigned int smblen = smb_len(inbuf);
- char *data;
-+ BOOL large_writeX = ((CVAL(inbuf,smb_wct) == 14) && (smblen > 0xFFFF));
-
- /* If it's an IPC, pass off the pipe handler. */
-- if (IS_IPC(conn))
-+ if (IS_IPC(conn)) {
- return reply_pipe_write_and_X(inbuf,outbuf,length,bufsize);
-+ }
-
- CHECK_FSP(fsp,conn);
- CHECK_WRITE(fsp);
- CHECK_ERROR(fsp);
-
-+ /* Deal with possible LARGE_WRITEX */
-+ if (large_writeX)
-+ numtowrite |= ((((size_t)SVAL(inbuf,smb_vwv9)) & 1 )<<16);
-+
-+ if(smb_doff > smblen || (smb_doff + numtowrite > smblen)) {
-+ return(ERROR(ERRDOS,ERRbadmem));
-+ }
-+
- data = smb_base(inbuf) + smb_doff;
-
- if(CVAL(inbuf,smb_wct) == 14) {
-@@ -2586,8 +2597,9 @@
- #endif /* LARGE_SMB_OFF_T */
- }
-
-- if (is_locked(fsp,conn,numtowrite,startpos, F_WRLCK))
-+ if (is_locked(fsp,conn,(SMB_BIG_UINT)numtowrite,(SMB_BIG_UINT)startpos, WRITE_LOCK)) {
- return(ERROR(ERRDOS,ERRlock));
-+ }
-
- /* X/Open SMB protocol says that, unlike SMBwrite
- if the length is zero then NO truncation is
-@@ -2598,12 +2610,15 @@
- else
- nwritten = write_file(fsp,data,startpos,numtowrite);
-
-- if(((nwritten == 0) && (numtowrite != 0))||(nwritten < 0))
-+ if(((nwritten == 0) && (numtowrite != 0))||(nwritten < 0)) {
- return(UNIXERROR(ERRDOS,ERRnoaccess));
-+ }
-
- set_message(outbuf,6,0,True);
-
- SSVAL(outbuf,smb_vwv2,nwritten);
-+ if (large_writeX)
-+ SSVAL(outbuf,smb_vwv4,(nwritten>>16)&1);
-
- if (nwritten < (ssize_t)numtowrite) {
- CVAL(outbuf,smb_rcls) = ERRHRD;
diff --git a/openwrt/package/samba/patches/300-shared_lib_ldflags_fix.patch b/openwrt/package/samba/patches/300-shared_lib_ldflags_fix.patch
deleted file mode 100644
index 7428facc4..000000000
--- a/openwrt/package/samba/patches/300-shared_lib_ldflags_fix.patch
+++ /dev/null
@@ -1,25 +0,0 @@
---- samba-2.0.10/source/Makefile.in.orig 2005-08-20 20:34:44.000000000 +0200
-+++ samba-2.0.10/source/Makefile.in 2005-08-20 20:36:27.000000000 +0200
-@@ -475,11 +475,11 @@
-
- bin/smbwrapper.@SHLIBEXT@: $(PICOBJS)
- @echo Linking shared library $@
-- @$(LD) @LDSHFLAGS@ -o $@ $(PICOBJS) $(LIBS)
-+ @$(LD) @LDSHFLAGS@ -o $@ $(PICOBJS) $(LDFLAGS) $(LIBS)
-
- bin/smbwrapper.32.@SHLIBEXT@: $(PICOBJS32)
- @echo Linking shared library $@
-- @$(LD) -32 @LDSHFLAGS@ -o $@ $(PICOBJS32) $(LIBS)
-+ @$(LD) -32 @LDSHFLAGS@ -o $@ $(PICOBJS32) $(LDFLAGS) $(LIBS)
-
- bin/smbsh: $(SMBSH_OBJ) bin/.dummy
- @echo Linking $@
-@@ -487,7 +487,7 @@
-
- bin/libsmb.@SHLIBEXT@: $(LIBSMB_PICOBJS) bin/.dummy
- @echo Linking shared library $@
-- @$(LD) @LDSHFLAGS@ -o $@ $(LIBSMB_PICOBJS) $(LIBS)
-+ @$(LD) @LDSHFLAGS@ -o $@ $(LIBSMB_PICOBJS) $(LDFLAGS) $(LIBS)
-
- install: installbin installman installscripts installcp installswat
-
diff --git a/openwrt/package/samba/patches/301-config_files_path.patch b/openwrt/package/samba/patches/301-config_files_path.patch
deleted file mode 100644
index 089d9f6ef..000000000
--- a/openwrt/package/samba/patches/301-config_files_path.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-diff -ruN samba-2.0.10-old/source/Makefile.in samba-2.0.10-new/source/Makefile.in
---- samba-2.0.10-old/source/Makefile.in 2005-08-22 03:03:17.000000000 +0200
-+++ samba-2.0.10-new/source/Makefile.in 2005-08-22 03:08:23.000000000 +0200
-@@ -31,6 +31,8 @@
- MANDIR = @mandir@
- SAMBABOOK = @sambabook@
-
-+CONFIGDIR = @sysconfdir@
-+
- # The permissions to give the executables
- INSTALLPERMS = 0755
-
-@@ -39,9 +41,9 @@
- # or in smb.conf (see smb.conf(5))
- SMBLOGFILE = $(VARDIR)/smb
- NMBLOGFILE = $(VARDIR)/nmb
--CONFIGFILE = $(LIBDIR)/smb.conf
--LMHOSTSFILE = $(LIBDIR)/lmhosts
--DRIVERFILE = $(LIBDIR)/printers.def
-+CONFIGFILE = $(CONFIGDIR)/smb.conf
-+LMHOSTSFILE = $(CONFIGDIR)/lmhosts
-+DRIVERFILE = $(CONFIGDIR)/printers.def
- PASSWD_PROGRAM = /bin/passwd
- # This is where smbpasswd et al go
- PRIVATEDIR = @privatedir@