From 9d3aefb5e05df0f61bb79ebc1c06669eb58b0cbc Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Nov 21 2007 23:43:13 +0000
Subject: * Wed Nov 21 2007 Simo Sorce 3.0.27a-0.fc7
- Upstream official fix for regression in CVE-2007-4572
- More fixes including 2 former patches we had in the package
---
diff --git a/.cvsignore b/.cvsignore
index 70a873a..a4fc550 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-samba-3.0.27.tar.gz
+samba-3.0.27a.tar.gz
diff --git a/samba-3.0.26a-winbindd-padding.patch b/samba-3.0.26a-winbindd-padding.patch
deleted file mode 100644
index 762bfaa..0000000
--- a/samba-3.0.26a-winbindd-padding.patch
+++ /dev/null
@@ -1,24 +0,0 @@
---- samba-3.0.26a/source/nsswitch/winbindd_nss.h.orig 2007-10-18 12:43:25.000000000 -0400
-+++ samba-3.0.26a/source/nsswitch/winbindd_nss.h 2007-10-18 12:43:41.000000000 -0400
-@@ -319,7 +319,7 @@
- The size is the sizeof the union without the padding aligned on
- an 8 byte boundary. --jerry */
- 
-- char padding[1560];
-+ char padding[1800];
- } data;
- union {
- SMB_TIME_T padding;
---- samba-3.0.26a/source/nsswitch/winbindd.c.orig 2007-10-18 12:44:24.000000000 -0400
-+++ samba-3.0.26a/source/nsswitch/winbindd.c 2007-10-18 12:44:55.000000000 -0400
-@@ -540,8 +540,8 @@
- }
- 
- if (*(uint32 *)(&state->request) != sizeof(state->request)) {
-- DEBUG(0,("request_len_recv: Invalid request size received: %d\n",
-- *(uint32 *)(&state->request)));
-+ DEBUG(0,("request_len_recv: Invalid request size received: %d (expected %d)\n",
-+ *(uint32 *)(&state->request), sizeof(state->request)));
- state->finished = True;
- return;
- }
diff --git a/samba-3.0.27-CVE-2007-4572-regression.patch b/samba-3.0.27-CVE-2007-4572-regression.patch
deleted file mode 100644
index 9ccc687..0000000
--- a/samba-3.0.27-CVE-2007-4572-regression.patch
+++ /dev/null
@@ -1,261 +0,0 @@
-diff -ur samba-3.0.27.orig/source/smbd/negprot.c samba-3.0.27/source/smbd/negprot.c
---- samba-3.0.27.orig/source/smbd/negprot.c 2007-11-14 22:15:04.000000000 -0500
-+++ samba-3.0.27/source/smbd/negprot.c 2007-11-19 15:43:27.000000000 -0500
-@@ -346,7 +346,7 @@
- SCVAL(outbuf,smb_vwv16+1,8);
- p += 8;
- }
-- p += srvstr_push(outbuf, p, lp_workgroup(), -1,
-+ p += srvstr_push(outbuf, p, lp_workgroup(), BUFFER_SIZE - (p-outbuf),
- STR_UNICODE|STR_TERMINATE|STR_NOALIGN);
- DEBUG(3,("not using SPNEGO\n"));
- } else {
-diff -ur samba-3.0.27.orig/source/smbd/reply.c samba-3.0.27/source/smbd/reply.c
---- samba-3.0.27.orig/source/smbd/reply.c 2007-11-14 22:15:04.000000000 -0500
-+++ samba-3.0.27/source/smbd/reply.c 2007-11-19 15:43:27.000000000 -0500
-@@ -524,7 +524,7 @@
- if (Protocol < PROTOCOL_NT1) {
- set_message(outbuf,2,0,True);
- p = smb_buf(outbuf);
-- p += srvstr_push(outbuf, p, server_devicetype, -1,
-+ p += srvstr_push(outbuf, p, server_devicetype, BUFFER_SIZE - (p - outbuf),
- STR_TERMINATE|STR_ASCII);
- set_message_end(outbuf,p);
- } else {
-@@ -554,9 +554,9 @@
- }
- 
- p = smb_buf(outbuf);
-- p += srvstr_push(outbuf, p, server_devicetype, -1,
-+ p += srvstr_push(outbuf, p, server_devicetype, BUFFER_SIZE - (p - outbuf),
- STR_TERMINATE|STR_ASCII);
-- p += srvstr_push(outbuf, p, fstype, -1,
-+ p += srvstr_push(outbuf, p, fstype, BUFFER_SIZE - (p - outbuf),
- STR_TERMINATE);
- 
- set_message_end(outbuf,p);
-@@ -1766,7 +1766,7 @@
- thing in the byte section. JRA */
- SSVALS(p, 0, -1); /* what is this? not in spec */
- #endif
-- namelen = srvstr_push(outbuf, p, s, -1, STR_ASCII|STR_TERMINATE);
-+ namelen = srvstr_push(outbuf, p, s, BUFFER_SIZE - (p - outbuf), STR_ASCII|STR_TERMINATE);
- p += namelen;
- outsize = set_message_end(outbuf, p);
- 
-diff -ur samba-3.0.27.orig/source/smbd/sesssetup.c samba-3.0.27/source/smbd/sesssetup.c
---- samba-3.0.27.orig/source/smbd/sesssetup.c 2007-11-14 22:15:04.000000000 -0500
-+++ samba-3.0.27/source/smbd/sesssetup.c 2007-11-19 15:45:34.000000000 -0500
-@@ -68,9 +68,9 @@
- 
- fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING);
- 
-- p += srvstr_push(outbuf, p, "Unix", -1, STR_TERMINATE);
-- p += srvstr_push(outbuf, p, lanman, -1, STR_TERMINATE);
-- p += srvstr_push(outbuf, p, lp_workgroup(), -1, STR_TERMINATE);
-+ p += srvstr_push(outbuf, p, "Unix", BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
-+ p += srvstr_push(outbuf, p, lanman, BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
-+ p += srvstr_push(outbuf, p, lp_workgroup(), BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
- 
- return PTR_DIFF(p, start);
- }
-diff -ur samba-3.0.27.orig/source/smbd/srvstr.c samba-3.0.27/source/smbd/srvstr.c
---- samba-3.0.27.orig/source/smbd/srvstr.c 2007-11-14 22:15:04.000000000 -0500
-+++ samba-3.0.27/source/smbd/srvstr.c 2007-11-19 15:43:27.000000000 -0500
-@@ -28,17 +28,10 @@
- const char *base_ptr, void *dest,
- const char *src, int dest_len, int flags)
- {
-- size_t buf_used = PTR_DIFF(dest, base_ptr);
-- if (dest_len == -1) {
-- if (((ptrdiff_t)dest < (ptrdiff_t)base_ptr) || (buf_used > (size_t)max_send)) {
--#if 0
-- DEBUG(0, ("Pushing string of 'unlimited' length into non-SMB buffer!\n"));
--#endif
-- return push_string_fn(function, line, base_ptr, dest, src, -1, flags);
-- }
-- return push_string_fn(function, line, base_ptr, dest, src, max_send - buf_used, flags);
-+ if (dest_len < 0) {
-+ return 0;
- }
--
-+
- /* 'normal' push into size-specified buffer */
- return push_string_fn(function, line, base_ptr, dest, src, dest_len, flags);
- }
-diff -ur samba-3.0.27.orig/source/smbd/trans2.c samba-3.0.27/source/smbd/trans2.c
---- samba-3.0.27.orig/source/smbd/trans2.c 2007-11-14 22:15:04.000000000 -0500
-+++ samba-3.0.27/source/smbd/trans2.c 2007-11-19 15:43:27.000000000 -0500
-@@ -1283,7 +1283,7 @@
- p += 23;
- nameptr = p;
- p += align_string(outbuf, p, 0);
-- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE);
- if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
- if (len > 2) {
- SCVAL(nameptr, -1, len - 2);
-@@ -1318,7 +1318,7 @@
- }
- p += 27;
- nameptr = p - 1;
-- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE | STR_NOALIGN);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE | STR_NOALIGN);
- if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
- if (len > 2) {
- len -= 2;
-@@ -1372,9 +1372,9 @@
- }
- 
- /* Push the ea_data followed by the name. */
-- p += fill_ea_buffer(ea_ctx, p, space_remaining, conn, name_list);
-+ p += fill_ea_buffer(ea_ctx, p, space_remaining - (p - pdata), conn, name_list);
- nameptr = p;
-- len = srvstr_push(outbuf, p + 1, fname, -1, STR_TERMINATE | STR_NOALIGN);
-+ len = srvstr_push(outbuf, p + 1, fname, space_remaining - (p - pdata), STR_TERMINATE | STR_NOALIGN);
- if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
- if (len > 2) {
- len -= 2;
-@@ -1431,7 +1431,7 @@
- memset(p,'\0',26);
- }
- p += 2 + 24;
-- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
- SIVAL(q,0,len);
- p += len;
- SIVAL(p,0,0); /* Ensure any padding is null. */
-@@ -1452,7 +1452,7 @@
- SOFF_T(p,0,file_size); p += 8;
- SOFF_T(p,0,allocation_size); p += 8;
- SIVAL(p,0,nt_extmode); p += 4;
-- len = srvstr_push(outbuf, p + 4, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p + 4, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
- SIVAL(p,0,len);
- p += 4 + len;
- SIVAL(p,0,0); /* Ensure any padding is null. */
-@@ -1479,7 +1479,7 @@
- SIVAL(p,0,ea_size); /* Extended attributes */
- p +=4;
- }
-- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
- SIVAL(q, 0, len);
- p += len;
- 
-@@ -1497,7 +1497,7 @@
- p += 4;
- /* this must *not* be null terminated or w2k gets in a loop trying to set an
- acl on a dir (tridge) */
-- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
- SIVAL(p, -4, len);
- p += len;
- SIVAL(p,0,0); /* Ensure any padding is null. */
-@@ -1527,7 +1527,7 @@
- SIVAL(p,0,0); p += 4; /* Unknown - reserved ? */
- SIVAL(p,0,sbuf.st_ino); p += 4; /* FileIndexLow */
- SIVAL(p,0,sbuf.st_dev); p += 4; /* FileIndexHigh */
-- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
- SIVAL(q, 0, len);
- p += len;
- SIVAL(p,0,0); /* Ensure any padding is null. */
-@@ -1578,7 +1578,7 @@
- SSVAL(p,0,0); p += 2; /* Reserved ? */
- SIVAL(p,0,sbuf.st_ino); p += 4; /* FileIndexLow */
- SIVAL(p,0,sbuf.st_dev); p += 4; /* FileIndexHigh */
-- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
- SIVAL(q,0,len);
- p += len;
- SIVAL(p,0,0); /* Ensure any padding is null. */
-@@ -1601,14 +1601,14 @@
- DEBUG(10,("get_lanman2_dir_entry: SMB_FIND_FILE_UNIX\n"));
- p = store_file_unix_basic(conn, p,
- NULL, &sbuf);
-- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE);
- } else {
- DEBUG(10,("get_lanman2_dir_entry: SMB_FIND_FILE_UNIX_INFO2\n"));
- p = store_file_unix_basic_info2(conn, p,
- NULL, &sbuf);
- nameptr = p;
- p += 4;
-- len = srvstr_push(outbuf, p, fname, -1, 0);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), 0);
- SIVAL(nameptr, 0, len);
- }
- 
-@@ -2309,7 +2309,7 @@
- * this call so try fixing this by adding a terminating null to
- * the pushed string. The change here was adding the STR_TERMINATE. JRA.
- */
-- len = srvstr_push(outbuf, pdata+l2_vol_szVolLabel, vname, -1, STR_NOALIGN|STR_TERMINATE);
-+ len = srvstr_push(outbuf, pdata+l2_vol_szVolLabel, vname, max_data_bytes - l2_vol_szVolLabel, STR_NOALIGN|STR_TERMINATE);
- SCVAL(pdata,l2_vol_cch,len);
- data_len = l2_vol_szVolLabel + len;
- DEBUG(5,("call_trans2qfsinfo : time = %x, namelen = %d, name = %s\n",
-@@ -2331,14 +2331,14 @@
- SIVAL(pdata,4,255); /* Max filename component length */
- /* NOTE! the fstype must *not* be null terminated or win98 won't recognise it
- and will think we can't do long filenames */
-- len = srvstr_push(outbuf, pdata+12, fstype, -1, STR_UNICODE);
-+ len = srvstr_push(outbuf, pdata+12, fstype, max_data_bytes - 12, STR_UNICODE);
- SIVAL(pdata,8,len);
- data_len = 12 + len;
- break;
- 
- case SMB_QUERY_FS_LABEL_INFO:
- case SMB_FS_LABEL_INFORMATION:
-- len = srvstr_push(outbuf, pdata+4, vname, -1, 0);
-+ len = srvstr_push(outbuf, pdata+4, vname, max_data_bytes - 4, 0);
- data_len = 4 + len;
- SIVAL(pdata,0,len);
- break;
-@@ -2354,7 +2354,7 @@
- (str_checksum(get_local_machine_name())<<16));
- 
- /* Max label len is 32 characters. */
-- len = srvstr_push(outbuf, pdata+18, vname, -1, STR_UNICODE);
-+ len = srvstr_push(outbuf, pdata+18, vname, max_data_bytes - 18, STR_UNICODE);
- SIVAL(pdata,12,len);
- data_len = 18+len;
- 
-@@ -3589,7 +3589,7 @@
- if(!mangle_is_8_3(short_name, True, conn->params)) {
- mangle_map(short_name,True,True,conn->params);
- }
-- len = srvstr_push(outbuf, pdata+4, short_name, -1, STR_UNICODE);
-+ len = srvstr_push(outbuf, pdata+4, short_name, max_data_bytes - 4, STR_UNICODE);
- data_size = 4 + len;
- SIVAL(pdata,0,len);
- break;
-@@ -3599,7 +3599,7 @@
- /*
- this must be *exactly* right for ACLs on mapped drives to work
- */
-- len = srvstr_push(outbuf, pdata+4, dos_fname, -1, STR_UNICODE);
-+ len = srvstr_push(outbuf, pdata+4, dos_fname, max_data_bytes - 4, STR_UNICODE);
- DEBUG(10,("call_trans2qfilepathinfo: SMB_QUERY_FILE_NAME_INFO\n"));
- data_size = 4 + len;
- SIVAL(pdata,0,len);
-@@ -3640,7 +3640,7 @@
- pdata += 24;
- SIVAL(pdata,0,ea_size);
- pdata += 4; /* EA info */
-- len = srvstr_push(outbuf, pdata+4, dos_fname, -1, STR_UNICODE);
-+ len = srvstr_push(outbuf, pdata+4, dos_fname, max_data_bytes - (pdata+4 - *ppdata), STR_UNICODE);
- SIVAL(pdata,0,len);
- pdata += 4 + len;
- data_size = PTR_DIFF(pdata,(*ppdata));
-@@ -3802,7 +3802,7 @@
- if (len == -1)
- return(UNIXERROR(ERRDOS,ERRnoaccess));
- buffer[len] = 0;
-- len = srvstr_push(outbuf, pdata, buffer, -1, STR_TERMINATE);
-+ len = srvstr_push(outbuf, pdata, buffer, max_data_bytes, STR_TERMINATE);
- pdata += len;
- data_size = PTR_DIFF(pdata,(*ppdata));
- 
-Only in samba-3.0.27/source/smbd: trans2.c.rej
diff --git a/samba.spec b/samba.spec
index 97fe483..8263e0e 100644
--- a/samba.spec
+++ b/samba.spec
@@ -1,8 +1,8 @@
 Summary: The Samba Suite of programs
 Name: samba
 Epoch: 0
-Version: 3.0.27
-Release: 1%{?dist}
+Version: 3.0.27a
+Release: 0%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.samba.org/
@@ -41,9 +41,6 @@ Patch107: samba-3.0.23rc3-passwd.patch
 Patch110: samba-3.0.21pre1-smbspool.patch
 Patch111: samba-3.0.13-smbclient.patch
 Patch200: samba-3.0.25rc1-inotifiy.patch
-Patch201: samba3_idmap_default_domain.patch
-Patch202: samba-3.0.26a-winbindd-padding.patch
-Patch203: samba-3.0.27-CVE-2007-4572-regression.patch
 Requires(pre): samba-common = %{epoch}:%{version}-%{release}
 Requires: pam >= 0:0.64
@@ -160,9 +157,6 @@ cp %{SOURCE11} packaging/Fedora/
 %patch110 -p1 -b .smbspool
 %patch111 -p1 -b .smbclient
 %patch200 -p0 -b .inotify
-%patch201 -p0 -b .idmap_def_dom
-%patch202 -p1 -b .winbindd_padding
-%patch203 -p1 -b .CVE-2007-4572-regression
 mv source/VERSION source/VERSION.orig
 sed -e 's/SAMBA_VERSION_VENDOR_SUFFIX=$/&\"%{release}\"/' < source/VERSION.orig > source/VERSION
@@ -648,6 +642,10 @@ exit 0
 #%{_includedir}/libmsrpc.h
 %changelog
+* Wed Nov 21 2007 Simo Sorce 3.0.27a-0.fc7
+- Upstream official fix for regression in CVE-2007-4572
+- More fixes including 2 former patches we had in the package
+
 * Mon Nov 19 2007 Simo Sorce 3.0.27-1.fc7
 - Fix regression in CVE-2007-4572
diff --git a/samba3_idmap_default_domain.patch b/samba3_idmap_default_domain.patch
deleted file mode 100644
index 84f8f14..0000000
--- a/samba3_idmap_default_domain.patch
+++ /dev/null
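Review bot: The `Patch201`/`Patch202` removals (and the matching `%patch201`/`%patch202` lines in the second hunk) drop two local fixes on the assumption that 3.0.27a carries them, but neither the changelog entry nor the commit message names the patches or the upstream change that supersedes them. The changelog line `- More fixes including 2 former patches we had in the package` leaves a later reader unable to tell which of the three dropped patches is meant without diffing the tarballs; naming them, e.g. `- Drop winbindd-padding and idmap_default_domain patches, now carried by upstream 3.0.27a`, would make the rebase verifiable. The `Patch203` removal is covered by the first changelog bullet, so it needs no extra wording.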
@@ -1,75 +0,0 @@
-Index: source/nsswitch/idmap.c
-===================================================================
---- source/nsswitch/idmap.c (revision 25609)
-+++ source/nsswitch/idmap.c (working copy)
-@@ -252,12 +252,6 @@
- return NT_STATUS_OK;
- }
- 
--/**********************************************************************
-- Initialise idmap cache and a remote backend (if configured).
--**********************************************************************/
--
--static const char *idmap_default_domain[] = { "default domain", NULL };
--
- /****************************************************************************
- ****************************************************************************/
- 
-@@ -292,6 +286,7 @@
- char *compat_backend = NULL;
- char *compat_params = NULL;
- const char **dom_list = NULL;
-+ const char *default_domain = NULL;
- char *alloc_backend = NULL;
- BOOL default_already_defined = False;
- BOOL pri_dom_is_in_list = False;
-@@ -356,7 +351,25 @@
- }
- 
- if ( ! dom_list) {
-- dom_list = idmap_default_domain;
-+ /* generate a list with our main domain */
-+ char ** dl;
-+
-+ dl = talloc_array(idmap_ctx, char *, 2);
-+ if (dl == NULL) {
-+ ret = NT_STATUS_NO_MEMORY;
-+ goto done;
-+ }
-+ dl[0] = talloc_strdup(dl, lp_workgroup());
-+ if (dl[0] == NULL) {
-+ ret = NT_STATUS_NO_MEMORY;
-+ goto done;
-+ }
-+
-+ /* terminate */
-+ dl[1] = NULL;
-+
-+ dom_list = dl;
-+ default_domain = dl[0];
- }
- 
- /***************************
-@@ -389,7 +389,8 @@
- continue;
- }
- 
-- if (strequal(dom_list[i], lp_workgroup())) {
-+ if ((dom_list[i] != default_domain) &&
-+ strequal(dom_list[i], lp_workgroup())) {
- pri_dom_is_in_list = True;
- }
- /* init domain */
-@@ -398,10 +411,10 @@
- "default", False);
- 
- if (dom->default_domain ||
-- strequal(dom_list[i], idmap_default_domain[0])) {
-+ (default_domain && strequal(dom_list[i], default_domain))) {
- 
- /* make sure this is set even when we match
-- * idmap_default_domain[0] */
-+ * default_domain */
- dom->default_domain = True;
- 
- if (default_already_defined) {
diff --git a/sources b/sources
index 4eb41c0..4beced1 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-cff7854ea5947882954f30d2657e1a9d samba-3.0.27.tar.gz
+57aedd342cafddbb28e2936c15dde96b samba-3.0.27a.tar.gz