summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'net-fs/samba/files')
-rw-r--r--net-fs/samba/files/3.0.24-heap_overflow_v2.patch785
-rw-r--r--net-fs/samba/files/3.0.24-sid2name_elevation_v2.patch168
-rw-r--r--net-fs/samba/files/digest-samba-3.0.24-r39
3 files changed, 962 insertions, 0 deletions
diff --git a/net-fs/samba/files/3.0.24-heap_overflow_v2.patch b/net-fs/samba/files/3.0.24-heap_overflow_v2.patch
new file mode 100644
index 000000000000..54b5cbbc2dae
--- /dev/null
+++ b/net-fs/samba/files/3.0.24-heap_overflow_v2.patch
@@ -0,0 +1,785 @@
+Index: samba-3.0.24/source/include/smb_macros.h
+===================================================================
+--- samba-3.0.24.orig/source/include/smb_macros.h 2006-04-19 21:29:39.000000000 -0500
++++ samba-3.0.24/source/include/smb_macros.h 2007-05-25 12:40:05.000000000 -0500
+@@ -310,7 +310,6 @@
+ #if defined(PARANOID_MALLOC_CHECKER)
+
+ #define PRS_ALLOC_MEM(ps, type, count) (type *)prs_alloc_mem_((ps),sizeof(type),(count))
+-#define PRS_ALLOC_MEM_VOID(ps, size) prs_alloc_mem_((ps),(size),1)
+
+ /* Get medieval on our ass about malloc.... */
+
+@@ -354,7 +353,6 @@
+ #define __location__ __FILE__ ":" __LINESTR__
+
+ #define PRS_ALLOC_MEM(ps, type, count) (type *)prs_alloc_mem((ps),sizeof(type),(count))
+-#define PRS_ALLOC_MEM_VOID(ps, size) prs_alloc_mem((ps),(size),1)
+
+ /* Regular malloc code. */
+
+Index: samba-3.0.24/source/rpc_parse/parse_dfs.c
+===================================================================
+--- samba-3.0.24.orig/source/rpc_parse/parse_dfs.c 2007-02-04 12:59:22.000000000 -0600
++++ samba-3.0.24/source/rpc_parse/parse_dfs.c 2007-05-25 12:40:05.000000000 -0500
+@@ -325,7 +325,9 @@
+ return False;
+
+ if (UNMARSHALLING(ps)) {
+- v->stores = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->stores)*v->num_stores);
++ v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores);
++ if (!v->stores)
++ return False;
+ }
+ for (i_stores_1=0; i_stores_1<v->num_stores;i_stores_1++) {
+ if (!netdfs_io_dfs_StorageInfo_p("stores", &v->stores[i_stores_1], ps, depth))
+@@ -447,7 +449,9 @@
+ return False;
+
+ if (UNMARSHALLING(ps)) {
+- v->stores = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->stores)*v->num_stores);
++ v->stores = PRS_ALLOC_MEM(ps,NETDFS_DFS_STORAGEINFO,v->num_stores);
++ if (!v->stores)
++ return False;
+ }
+ for (i_stores_1=0; i_stores_1<v->num_stores;i_stores_1++) {
+ if (!netdfs_io_dfs_StorageInfo_p("stores", &v->stores[i_stores_1], ps, depth))
+@@ -920,7 +924,9 @@
+ return False;
+
+ if (UNMARSHALLING(ps)) {
+- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
++ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO1,v->count);
++ if (!v->s)
++ return False;
+ }
+ for (i_s_1=0; i_s_1<v->count;i_s_1++) {
+ if (!netdfs_io_dfs_Info1_p("s", &v->s[i_s_1], ps, depth))
+@@ -986,7 +992,9 @@
+ return False;
+
+ if (UNMARSHALLING(ps)) {
+- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
++ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO2,v->count);
++ if (!v->s)
++ return False;
+ }
+ for (i_s_1=0; i_s_1<v->count;i_s_1++) {
+ if (!netdfs_io_dfs_Info2_p("s", &v->s[i_s_1], ps, depth))
+@@ -1052,7 +1060,9 @@
+ return False;
+
+ if (UNMARSHALLING(ps)) {
+- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
++ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO3,v->count);
++ if (!v->s)
++ return False;
+ }
+ for (i_s_1=0; i_s_1<v->count;i_s_1++) {
+ if (!netdfs_io_dfs_Info3_p("s", &v->s[i_s_1], ps, depth))
+@@ -1118,7 +1128,9 @@
+ return False;
+
+ if (UNMARSHALLING(ps)) {
+- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
++ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO4,v->count);
++ if (!v->s)
++ return False;
+ }
+ for (i_s_1=0; i_s_1<v->count;i_s_1++) {
+ if (!netdfs_io_dfs_Info4_p("s", &v->s[i_s_1], ps, depth))
+@@ -1184,7 +1196,9 @@
+ return False;
+
+ if (UNMARSHALLING(ps)) {
+- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
++ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO200,v->count);
++ if (!v->s)
++ return False;
+ }
+ for (i_s_1=0; i_s_1<v->count;i_s_1++) {
+ if (!netdfs_io_dfs_Info200_p("s", &v->s[i_s_1], ps, depth))
+@@ -1250,7 +1264,9 @@
+ return False;
+
+ if (UNMARSHALLING(ps)) {
+- v->s = (void *)PRS_ALLOC_MEM_VOID(ps,sizeof(*v->s)*v->count);
++ v->s = PRS_ALLOC_MEM(ps,NETDFS_DFS_INFO300,v->count);
++ if (!v->s)
++ return False;
+ }
+ for (i_s_1=0; i_s_1<v->count;i_s_1++) {
+ if (!netdfs_io_dfs_Info300_p("s", &v->s[i_s_1], ps, depth))
+Index: samba-3.0.24/source/rpc_parse/parse_lsa.c
+===================================================================
+--- samba-3.0.24.orig/source/rpc_parse/parse_lsa.c 2007-02-04 12:59:22.000000000 -0600
++++ samba-3.0.24/source/rpc_parse/parse_lsa.c 2007-05-25 12:41:06.000000000 -0500
+@@ -1171,7 +1171,7 @@
+
+ /* Mallocate memory if we're unpacking from the wire */
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && sen->num_entries) {
+ if ((sen->ptr_sid = PRS_ALLOC_MEM( ps, uint32, sen->num_entries)) == NULL) {
+ DEBUG(3, ("init_lsa_sid_enum(): out of memory for "
+ "ptr_sid\n"));
+@@ -1349,12 +1349,17 @@
+ &trn->num_entries2))
+ return False;
+
+- if (UNMARSHALLING(ps)) {
+- if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries)) == NULL) {
++ if (trn->num_entries2 != trn->num_entries) {
++ /* RPC fault */
++ return False;
++ }
++
++ if (UNMARSHALLING(ps) && trn->num_entries2) {
++ if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries2)) == NULL) {
+ return False;
+ }
+
+- if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {
++ if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
+ return False;
+ }
+ }
+@@ -1406,12 +1411,17 @@
+ &trn->num_entries2))
+ return False;
+
+- if (UNMARSHALLING(ps)) {
+- if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries)) == NULL) {
++ if (trn->num_entries2 != trn->num_entries) {
++ /* RPC fault */
++ return False;
++ }
++
++ if (UNMARSHALLING(ps) && trn->num_entries2) {
++ if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME2, trn->num_entries2)) == NULL) {
+ return False;
+ }
+
+- if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {
++ if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
+ return False;
+ }
+ }
+@@ -1678,7 +1688,7 @@
+ return False;
+ }
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && out->num_entries2) {
+ if ((out->dom_rid = PRS_ALLOC_MEM(ps, DOM_RID, out->num_entries2))
+ == NULL) {
+ DEBUG(3, ("lsa_io_r_lookup_names(): out of memory\n"));
+@@ -1803,7 +1813,7 @@
+ return False;
+ }
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && out->num_entries2) {
+ if ((out->dom_rid = PRS_ALLOC_MEM(ps, DOM_RID2, out->num_entries2))
+ == NULL) {
+ DEBUG(3, ("lsa_io_r_lookup_names2(): out of memory\n"));
+@@ -1956,7 +1966,7 @@
+ return False;
+ }
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && out->num_entries2) {
+ if ((out->trans_sids = PRS_ALLOC_MEM(ps, LSA_TRANSLATED_SID3, out->num_entries2))
+ == NULL) {
+ DEBUG(3, ("lsa_io_r_lookup_names3(): out of memory\n"));
+@@ -2085,7 +2095,7 @@
+ return False;
+ }
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && out->num_entries2) {
+ if ((out->trans_sids = PRS_ALLOC_MEM(ps, LSA_TRANSLATED_SID3, out->num_entries2))
+ == NULL) {
+ DEBUG(3, ("lsa_io_r_lookup_names4(): out of memory\n"));
+@@ -2324,7 +2334,7 @@
+ if(!prs_uint32("count1", ps, depth, &out->count1))
+ return False;
+
+- if (UNMARSHALLING(ps))
++ if (UNMARSHALLING(ps) && out->count1)
+ if (!(out->privs = PRS_ALLOC_MEM(ps, LSA_PRIV_ENTRY, out->count1)))
+ return False;
+
+@@ -2759,7 +2769,7 @@
+
+ static BOOL lsa_io_privilege_set(const char *desc, PRIVILEGE_SET *out, prs_struct *ps, int depth)
+ {
+- uint32 i;
++ uint32 i, dummy;
+
+ prs_debug(ps, depth, desc, "lsa_io_privilege_set");
+ depth++;
+@@ -2767,7 +2777,7 @@
+ if(!prs_align(ps))
+ return False;
+
+- if(!prs_uint32("count", ps, depth, &out->count))
++ if(!prs_uint32("count", ps, depth, &dummy))
+ return False;
+ if(!prs_uint32("control", ps, depth, &out->control))
+ return False;
+@@ -3886,7 +3896,7 @@
+ prs_debug(ps, depth, desc, "smb_io_lsa_data_buf");
+ depth++;
+
+- if ( UNMARSHALLING(ps) ) {
++ if ( UNMARSHALLING(ps) && length ) {
+ if ( !(buf->data = PRS_ALLOC_MEM( ps, uint8, length )) )
+ return False;
+ }
+@@ -3900,7 +3910,7 @@
+ if (!prs_uint32("length", ps, depth, &buf->length))
+ return False;
+
+- if(!prs_uint8s(False, "data", ps, depth, buf->data, size))
++ if(!prs_uint8s(False, "data", ps, depth, buf->data, length))
+ return False;
+
+ return True;
+Index: samba-3.0.24/source/rpc_parse/parse_prs.c
+===================================================================
+--- samba-3.0.24.orig/source/rpc_parse/parse_prs.c 2007-02-04 12:59:22.000000000 -0600
++++ samba-3.0.24/source/rpc_parse/parse_prs.c 2007-05-25 12:41:06.000000000 -0500
+@@ -156,7 +156,7 @@
+ {
+ char *ret = NULL;
+
+- if (size) {
++ if (size && count) {
+ /* We can't call the type-safe version here. */
+ ret = _talloc_zero_array(ps->mem_ctx, size, count, "parse_prs");
+ }
+@@ -642,9 +642,13 @@
+ return True;
+
+ if (UNMARSHALLING(ps)) {
+- if ( !(*data = PRS_ALLOC_MEM_VOID(ps, data_size)) )
+- return False;
+- }
++ if (data_size) {
++ if ( !(*data = (void *)PRS_ALLOC_MEM(ps, char, data_size)) )
++ return False;
++ } else {
++ *data = NULL;
++ }
++ }
+
+ return prs_fn(name, ps, depth, *data);
+ }
+@@ -1014,16 +1018,16 @@
+ if (q == NULL)
+ return False;
+
++ /* If the string is empty, we don't have anything to stream */
++ if (str->buf_len==0)
++ return True;
++
+ if (UNMARSHALLING(ps)) {
+ str->buffer = PRS_ALLOC_MEM(ps,uint16,str->buf_len);
+ if (str->buffer == NULL)
+ return False;
+ }
+
+- /* If the string is empty, we don't have anything to stream */
+- if (str->buf_len==0)
+- return True;
+-
+ p = (char *)str->buffer;
+
+ dbg_rw_punival(charmode, name, depth, ps, q, p, str->buf_len);
+@@ -1053,6 +1057,8 @@
+ buf->buffer = PRS_ALLOC_MEM(ps, uint16, buf->buf_max_len);
+ if ( buf->buffer == NULL )
+ return False;
++ } else {
++ buf->buffer = NULL;
+ }
+ }
+
+@@ -1080,9 +1086,13 @@
+ if (str->str_str_len > str->str_max_len) {
+ return False;
+ }
+- str->buffer = PRS_ALLOC_MEM(ps,unsigned char, str->str_max_len);
+- if (str->buffer == NULL)
+- return False;
++ if (str->str_max_len) {
++ str->buffer = PRS_ALLOC_MEM(ps,unsigned char, str->str_max_len);
++ if (str->buffer == NULL)
++ return False;
++ } else {
++ str->buffer = NULL;
++ }
+ }
+
+ if (UNMARSHALLING(ps)) {
+@@ -1127,9 +1137,13 @@
+ if (str->uni_str_len > str->uni_max_len) {
+ return False;
+ }
+- str->buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_max_len);
+- if (str->buffer == NULL)
+- return False;
++ if (str->uni_max_len) {
++ str->buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_max_len);
++ if (str->buffer == NULL)
++ return False;
++ } else {
++ str->buffer = NULL;
++ }
+ }
+
+ p = (char *)str->buffer;
+@@ -1154,9 +1168,13 @@
+ return False;
+
+ if (UNMARSHALLING(ps)) {
+- str->str.buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_str_len);
+- if (str->str.buffer == NULL)
+- return False;
++ if (str->uni_str_len) {
++ str->str.buffer = PRS_ALLOC_MEM(ps,uint16,str->uni_str_len);
++ if (str->str.buffer == NULL)
++ return False;
++ } else {
++ str->str.buffer = NULL;
++ }
+ }
+
+ p = (char *)str->str.buffer;
+Index: samba-3.0.24/source/rpc_parse/parse_sec.c
+===================================================================
+--- samba-3.0.24.orig/source/rpc_parse/parse_sec.c 2005-04-18 11:38:20.000000000 -0500
++++ samba-3.0.24/source/rpc_parse/parse_sec.c 2007-05-25 12:40:05.000000000 -0500
+@@ -122,7 +122,7 @@
+ for you as it reads them.
+ ********************************************************************/
+
+-BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth)
++static BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth)
+ {
+ unsigned int i;
+ uint32 old_offset;
+@@ -165,13 +165,10 @@
+ return False;
+
+ if (UNMARSHALLING(ps)) {
+- /*
+- * Even if the num_aces is zero, allocate memory as there's a difference
+- * between a non-present DACL (allow all access) and a DACL with no ACE's
+- * (allow no access).
+- */
+- if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces+1)) == NULL)
+- return False;
++ if (psa->num_aces) {
++ if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces)) == NULL)
++ return False;
++ }
+ }
+
+ for (i = 0; i < psa->num_aces; i++) {
+Index: samba-3.0.24/source/rpc_parse/parse_spoolss.c
+===================================================================
+--- samba-3.0.24.orig/source/rpc_parse/parse_spoolss.c 2007-02-04 12:59:22.000000000 -0600
++++ samba-3.0.24/source/rpc_parse/parse_spoolss.c 2007-05-25 12:41:06.000000000 -0500
+@@ -227,8 +227,13 @@
+ if(!prs_uint32("count2", ps, depth, &type->count2))
+ return False;
+
+- if (type->count2 != type->count)
++ if (type->count2 != type->count) {
+ DEBUG(4,("What a mess, count was %x now is %x !\n", type->count, type->count2));
++ return False;
++ }
++ if (type->count2 > MAX_NOTIFY_TYPE_FOR_NOW) {
++ return False;
++ }
+
+ /* parse the option type data */
+ for(i=0;i<type->count2;i++)
+@@ -252,7 +257,7 @@
+ return False;
+
+ /* reading */
+- if (UNMARSHALLING(ps))
++ if (UNMARSHALLING(ps) && ctr->count)
+ if((ctr->type=PRS_ALLOC_MEM(ps,SPOOL_NOTIFY_OPTION_TYPE,ctr->count)) == NULL)
+ return False;
+
+@@ -411,7 +416,7 @@
+ if(!prs_uint32("string length", ps, depth, &data->notify_data.data.length))
+ return False;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && data->notify_data.data.length) {
+ data->notify_data.data.string = PRS_ALLOC_MEM(ps, uint16,
+ data->notify_data.data.length);
+
+@@ -430,7 +435,7 @@
+
+ case NOTIFY_POINTER:
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && data->notify_data.data.length) {
+ data->notify_data.data.string = PRS_ALLOC_MEM(ps, uint16,
+ data->notify_data.data.length);
+
+@@ -490,9 +495,13 @@
+
+ /* Tallocate memory for string */
+
+- data->notify_data.data.string = PRS_ALLOC_MEM(ps, uint16, x * 2);
+- if (!data->notify_data.data.string)
+- return False;
++ if (x) {
++ data->notify_data.data.string = PRS_ALLOC_MEM(ps, uint16, x * 2);
++ if (!data->notify_data.data.string)
++ return False;
++ } else {
++ data->notify_data.data.string = NULL;
++ }
+
+ if(!prs_uint16uni(True,"string",ps,depth,data->notify_data.data.string,x))
+ return False;
+@@ -5931,14 +5940,14 @@
+ case REG_BINARY:
+ case REG_DWORD:
+ case REG_MULTI_SZ:
+- if (q_u->max_len) {
+- if (UNMARSHALLING(ps))
+- q_u->data=PRS_ALLOC_MEM(ps, uint8, q_u->max_len);
+- if(q_u->data == NULL)
+- return False;
+- if(!prs_uint8s(False,"data", ps, depth, q_u->data, q_u->max_len))
+- return False;
+- }
++ if (q_u->max_len) {
++ if (UNMARSHALLING(ps))
++ q_u->data=PRS_ALLOC_MEM(ps, uint8, q_u->max_len);
++ if(q_u->data == NULL)
++ return False;
++ if(!prs_uint8s(False,"data", ps, depth, q_u->data, q_u->max_len))
++ return False;
++ }
+ if(!prs_align(ps))
+ return False;
+ break;
+@@ -6956,7 +6965,7 @@
+
+ /* first loop to write basic enum_value information */
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && ctr->size_of_array) {
+ ctr->values = PRS_ALLOC_MEM(ps, PRINTER_ENUM_VALUES, ctr->size_of_array);
+ if (!ctr->values)
+ return False;
+Index: samba-3.0.24/source/libads/authdata.c
+===================================================================
+--- samba-3.0.24.orig/source/libads/authdata.c 2006-02-23 10:29:34.000000000 -0600
++++ samba-3.0.24/source/libads/authdata.c 2007-05-25 12:41:06.000000000 -0500
+@@ -120,10 +120,14 @@
+ return False;
+
+ if (UNMARSHALLING(ps)) {
+- array->krb_sid_and_attrs = PRS_ALLOC_MEM(ps, KRB_SID_AND_ATTRS, num);
+- if (!array->krb_sid_and_attrs) {
+- DEBUG(3, ("No memory available\n"));
+- return False;
++ if (num) {
++ array->krb_sid_and_attrs = PRS_ALLOC_MEM(ps, KRB_SID_AND_ATTRS, num);
++ if (!array->krb_sid_and_attrs) {
++ DEBUG(3, ("No memory available\n"));
++ return False;
++ }
++ } else {
++ array->krb_sid_and_attrs = NULL;
+ }
+ }
+
+@@ -184,10 +188,14 @@
+ return False;
+
+ if (UNMARSHALLING(ps)) {
+- array->group_membership = PRS_ALLOC_MEM(ps, GROUP_MEMBERSHIP, num);
+- if (!array->group_membership) {
+- DEBUG(3, ("No memory available\n"));
+- return False;
++ if (num) {
++ array->group_membership = PRS_ALLOC_MEM(ps, GROUP_MEMBERSHIP, num);
++ if (!array->group_membership) {
++ DEBUG(3, ("No memory available\n"));
++ return False;
++ }
++ } else {
++ array->group_membership = NULL;
+ }
+ }
+
+@@ -456,10 +464,14 @@
+ return False;
+
+ if (UNMARSHALLING(ps) && length) {
+- data->signature.buffer = PRS_ALLOC_MEM(ps, uint8, siglen);
+- if (!data->signature.buffer) {
+- DEBUG(3, ("No memory available\n"));
+- return False;
++ if (siglen) {
++ data->signature.buffer = PRS_ALLOC_MEM(ps, uint8, siglen);
++ if (!data->signature.buffer) {
++ DEBUG(3, ("No memory available\n"));
++ return False;
++ }
++ } else {
++ data->signature.buffer = NULL;
+ }
+ }
+
+Index: samba-3.0.24/source/registry/regfio.c
+===================================================================
+--- samba-3.0.24.orig/source/registry/regfio.c 2007-02-04 12:59:26.000000000 -0600
++++ samba-3.0.24/source/registry/regfio.c 2007-05-25 12:41:06.000000000 -0500
+@@ -642,8 +642,12 @@
+ return False;
+
+ if ( UNMARSHALLING(&hbin->ps) ) {
+- if ( !(lf->hashes = PRS_ALLOC_MEM( &hbin->ps, REGF_HASH_REC, lf->num_keys )) )
+- return False;
++ if (lf->num_keys) {
++ if ( !(lf->hashes = PRS_ALLOC_MEM( &hbin->ps, REGF_HASH_REC, lf->num_keys )) )
++ return False;
++ } else {
++ lf->hashes = NULL;
++ }
+ }
+
+ for ( i=0; i<lf->num_keys; i++ ) {
+Index: samba-3.0.24/source/rpc_parse/parse_net.c
+===================================================================
+--- samba-3.0.24.orig/source/rpc_parse/parse_net.c 2007-02-04 12:59:22.000000000 -0600
++++ samba-3.0.24/source/rpc_parse/parse_net.c 2007-05-25 12:41:06.000000000 -0500
+@@ -1721,9 +1721,13 @@
+ }
+
+ if (UNMARSHALLING(ps)) {
+- usr->gids = PRS_ALLOC_MEM(ps, DOM_GID, usr->num_groups);
+- if (usr->gids == NULL)
+- return False;
++ if (usr->num_groups) {
++ usr->gids = PRS_ALLOC_MEM(ps, DOM_GID, usr->num_groups);
++ if (usr->gids == NULL)
++ return False;
++ } else {
++ usr->gids = NULL;
++ }
+ }
+
+ for (i = 0; i < usr->num_groups; i++) {
+@@ -1756,10 +1760,15 @@
+ return False;
+
+ if (UNMARSHALLING(ps)) {
+- usr->other_sids = PRS_ALLOC_MEM(ps, DOM_SID2, usr->num_other_sids);
+- usr->other_sids_attrib =
+- PRS_ALLOC_MEM(ps, uint32, usr->num_other_sids);
+-
++ if (usr->num_other_sids) {
++ usr->other_sids = PRS_ALLOC_MEM(ps, DOM_SID2, usr->num_other_sids);
++ usr->other_sids_attrib =
++ PRS_ALLOC_MEM(ps, uint32, usr->num_other_sids);
++ } else {
++ usr->other_sids = NULL;
++ usr->other_sids_attrib = NULL;
++ }
++
+ if ((num_other_sids != 0) &&
+ ((usr->other_sids == NULL) ||
+ (usr->other_sids_attrib == NULL)))
+Index: samba-3.0.24/source/rpc_parse/parse_samr.c
+===================================================================
+--- samba-3.0.24.orig/source/rpc_parse/parse_samr.c 2007-02-04 12:59:22.000000000 -0600
++++ samba-3.0.24/source/rpc_parse/parse_samr.c 2007-05-25 12:41:06.000000000 -0500
+@@ -3337,7 +3337,7 @@
+ if(!prs_uint32("num_entries3", ps, depth, &r_u->num_entries3))
+ return False;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && r_u->num_entries2) {
+ r_u->sam = PRS_ALLOC_MEM(ps,SAM_ENTRY,r_u->num_entries2);
+ r_u->uni_dom_name = PRS_ALLOC_MEM(ps,UNISTR2,r_u->num_entries2);
+ }
+@@ -3476,7 +3476,7 @@
+ if(!prs_uint32("num_entries3", ps, depth, &r_u->num_entries3))
+ return False;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && r_u->num_entries2) {
+ r_u->sam = PRS_ALLOC_MEM(ps,SAM_ENTRY,r_u->num_entries2);
+ r_u->uni_grp_name = PRS_ALLOC_MEM(ps,UNISTR2,r_u->num_entries2);
+ }
+@@ -4980,12 +4980,13 @@
+ return False;
+ }
+
+- if (UNMARSHALLING(ps))
++ if (UNMARSHALLING(ps) && r_u->num_rids2) {
+ r_u->rids = PRS_ALLOC_MEM(ps, uint32, r_u->num_rids2);
+
+- if (!r_u->rids) {
+- DEBUG(0, ("NULL rids in samr_io_r_lookup_names\n"));
+- return False;
++ if (!r_u->rids) {
++ DEBUG(0, ("NULL rids in samr_io_r_lookup_names\n"));
++ return False;
++ }
+ }
+
+ for (i = 0; i < r_u->num_rids2; i++) {
+@@ -5009,12 +5010,13 @@
+ return False;
+ }
+
+- if (UNMARSHALLING(ps))
++ if (UNMARSHALLING(ps) && r_u->num_types2) {
+ r_u->types = PRS_ALLOC_MEM(ps, uint32, r_u->num_types2);
+
+- if (!r_u->types) {
+- DEBUG(0, ("NULL types in samr_io_r_lookup_names\n"));
+- return False;
++ if (!r_u->types) {
++ DEBUG(0, ("NULL types in samr_io_r_lookup_names\n"));
++ return False;
++ }
+ }
+
+ for (i = 0; i < r_u->num_types2; i++) {
+Index: samba-3.0.24/source/rpc_parse/parse_srv.c
+===================================================================
+--- samba-3.0.24.orig/source/rpc_parse/parse_srv.c 2005-04-18 11:38:20.000000000 -0500
++++ samba-3.0.24/source/rpc_parse/parse_srv.c 2007-05-25 12:41:06.000000000 -0500
+@@ -782,7 +782,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info0 = PRS_ALLOC_MEM(ps, SRV_SHARE_INFO_0, num_entries)))
+ return False;
+ ctr->share.info0 = info0;
+@@ -808,7 +808,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info1 = PRS_ALLOC_MEM(ps, SRV_SHARE_INFO_1, num_entries)))
+ return False;
+ ctr->share.info1 = info1;
+@@ -834,7 +834,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info2 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_2,num_entries)))
+ return False;
+ ctr->share.info2 = info2;
+@@ -859,7 +859,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info501 = PRS_ALLOC_MEM(ps, SRV_SHARE_INFO_501, num_entries)))
+ return False;
+ ctr->share.info501 = info501;
+@@ -884,7 +884,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info502 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_502,num_entries)))
+ return False;
+ ctr->share.info502 = info502;
+@@ -910,7 +910,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info1004 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1004,num_entries)))
+ return False;
+ ctr->share.info1004 = info1004;
+@@ -936,7 +936,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info1005 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1005,num_entries)))
+ return False;
+ ctr->share.info1005 = info1005;
+@@ -956,7 +956,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info1006 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1006,num_entries)))
+ return False;
+ ctr->share.info1006 = info1006;
+@@ -976,7 +976,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info1007 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1007,num_entries)))
+ return False;
+ ctr->share.info1007 = info1007;
+@@ -1002,7 +1002,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info1501 = PRS_ALLOC_MEM(ps,SRV_SHARE_INFO_1501,num_entries)))
+ return False;
+ ctr->share.info1501 = info1501;
+@@ -2558,7 +2558,7 @@
+ int num_entries = ctr->num_entries;
+ int i;
+
+- if (UNMARSHALLING(ps)) {
++ if (UNMARSHALLING(ps) && num_entries) {
+ if (!(info3 = PRS_ALLOC_MEM(ps, SRV_FILE_INFO_3, num_entries)))
+ return False;
+ ctr->file.info3 = info3;
+@@ -3377,7 +3377,7 @@
+
+ r_n->disk_enum_ctr.entries_read = entries_read3;
+
+- if(UNMARSHALLING(ps)) {
++ if(UNMARSHALLING(ps) && entries_read3) {
+
+ DISK_INFO *dinfo;
+
+@@ -3386,7 +3386,7 @@
+ r_n->disk_enum_ctr.disk_info = dinfo;
+ }
+
+- for(i=0; i < r_n->disk_enum_ctr.entries_read; i++) {
++ for(i=0; i < entries_read3; i++) {
+
+ if(!prs_uint32("unknown", ps, depth, &r_n->disk_enum_ctr.disk_info[i].unknown))
+ return False;
diff --git a/net-fs/samba/files/3.0.24-sid2name_elevation_v2.patch b/net-fs/samba/files/3.0.24-sid2name_elevation_v2.patch
new file mode 100644
index 000000000000..7bf5a1a4ca04
--- /dev/null
+++ b/net-fs/samba/files/3.0.24-sid2name_elevation_v2.patch
@@ -0,0 +1,168 @@
+Index: samba-3.0.24/source/lib/util_sec.c
+===================================================================
+--- samba-3.0.24.orig/source/lib/util_sec.c 2007-05-25 12:36:10.000000000 -0500
++++ samba-3.0.24/source/lib/util_sec.c 2007-05-25 12:36:38.000000000 -0500
+@@ -286,28 +286,6 @@
+ }
+
+ /****************************************************************************
+- Lightweight become root - no group change.
+-****************************************************************************/
+-
+-void become_root_uid_only(void)
+-{
+- save_re_uid();
+- set_effective_uid(0);
+-}
+-
+-/****************************************************************************
+- Lightweight unbecome root - no group change. Expects we are root already,
+- saves errno across call boundary.
+-****************************************************************************/
+-
+-void unbecome_root_uid_only(void)
+-{
+- int saved_errno = errno;
+- restore_re_uid_fromroot();
+- errno = saved_errno;
+-}
+-
+-/****************************************************************************
+ save the real and effective gid for later restoration. Used by the
+ getgroups code
+ ****************************************************************************/
+Index: samba-3.0.24/source/passdb/lookup_sid.c
+===================================================================
+--- samba-3.0.24.orig/source/passdb/lookup_sid.c 2007-05-25 12:36:10.000000000 -0500
++++ samba-3.0.24/source/passdb/lookup_sid.c 2007-05-25 12:36:38.000000000 -0500
+@@ -421,10 +421,10 @@
+ return False;
+ }
+
+- become_root_uid_only();
++ become_root();
+ result = pdb_lookup_rids(domain_sid, num_rids, rids,
+ *names, *types);
+- unbecome_root_uid_only();
++ unbecome_root();
+
+ return (NT_STATUS_IS_OK(result) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED) ||
+@@ -1085,9 +1085,9 @@
+ goto done;
+ }
+
+- become_root_uid_only();
++ become_root();
+ ret = pdb_uid_to_rid(uid, &rid);
+- unbecome_root_uid_only();
++ unbecome_root();
+
+ if (ret) {
+ /* This is a mapped user */
+@@ -1131,9 +1131,9 @@
+ goto done;
+ }
+
+- become_root_uid_only();
++ become_root();
+ ret = pdb_gid_to_sid(gid, psid);
+- unbecome_root_uid_only();
++ unbecome_root();
+
+ if (ret) {
+ /* This is a mapped group */
+@@ -1179,9 +1179,9 @@
+ union unid_t id;
+ BOOL ret;
+
+- become_root_uid_only();
++ become_root();
+ ret = pdb_sid_to_id(psid, &id, &type);
+- unbecome_root_uid_only();
++ unbecome_root();
+
+ if (ret) {
+ if (type != SID_NAME_USER) {
+@@ -1259,9 +1259,9 @@
+ sid_check_is_in_wellknown_domain(psid))) {
+ BOOL ret;
+
+- become_root_uid_only();
++ become_root();
+ ret = pdb_getgrsid(&map, *psid);
+- unbecome_root_uid_only();
++ unbecome_root();
+
+ if (ret) {
+ *pgid = map.gid;
+@@ -1273,9 +1273,9 @@
+ if (sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) {
+ BOOL ret;
+
+- become_root_uid_only();
++ become_root();
+ ret = pdb_sid_to_id(psid, &id, &type);
+- unbecome_root_uid_only();
++ unbecome_root();
+
+ if (ret) {
+ if ((type != SID_NAME_DOM_GRP) &&
+Index: samba-3.0.24/source/smbd/uid.c
+===================================================================
+--- samba-3.0.24.orig/source/smbd/uid.c 2007-05-25 12:36:28.000000000 -0500
++++ samba-3.0.24/source/smbd/uid.c 2007-05-25 12:36:46.000000000 -0500
+@@ -151,7 +151,9 @@
+ char group_c;
+ BOOL must_free_token = False;
+ NT_USER_TOKEN *token = NULL;
+-
++ int num_groups = 0;
++ gid_t *group_list = NULL;
++
+ if (!conn) {
+ DEBUG(2,("change_to_user: Connection not open\n"));
+ return(False);
+@@ -190,14 +192,14 @@
+ if (conn->force_user) /* security = share sets this too */ {
+ uid = conn->uid;
+ gid = conn->gid;
+- current_user.ut.groups = conn->groups;
+- current_user.ut.ngroups = conn->ngroups;
++ group_list = conn->groups;
++ num_groups = conn->ngroups;
+ token = conn->nt_user_token;
+ } else if (vuser) {
+ uid = conn->admin_user ? 0 : vuser->uid;
+ gid = vuser->gid;
+- current_user.ut.ngroups = vuser->n_groups;
+- current_user.ut.groups = vuser->groups;
++ num_groups = vuser->n_groups;
++ group_list = vuser->groups;
+ token = vuser->nt_user_token;
+ } else {
+ DEBUG(2,("change_to_user: Invalid vuid used %d in accessing "
+@@ -230,8 +232,8 @@
+ */
+
+ int i;
+- for (i = 0; i < current_user.ut.ngroups; i++) {
+- if (current_user.ut.groups[i] == conn->gid) {
++ for (i = 0; i < num_groups; i++) {
++ if (group_list[i] == conn->gid) {
+ gid = conn->gid;
+ gid_to_sid(&token->user_sids[1], gid);
+ break;
+@@ -243,6 +245,12 @@
+ }
+ }
+
++ /* Now set current_user since we will immediately also call
++ set_sec_ctx() */
++
++ current_user.ut.ngroups = num_groups;
++ current_user.ut.groups = group_list;
++
+ set_sec_ctx(uid, gid, current_user.ut.ngroups, current_user.ut.groups,
+ token);
+
diff --git a/net-fs/samba/files/digest-samba-3.0.24-r3 b/net-fs/samba/files/digest-samba-3.0.24-r3
new file mode 100644
index 000000000000..00360d37af2c
--- /dev/null
+++ b/net-fs/samba/files/digest-samba-3.0.24-r3
@@ -0,0 +1,9 @@
+MD5 ca3b7f83de0204ab79a9f0aea5a5051d samba-3-gentoo-0.3.16.tar.bz2 14291
+RMD160 c8388239352e981c03f7e99ff02dbaa13ad77e2a samba-3-gentoo-0.3.16.tar.bz2 14291
+SHA256 fe0ae6f8c2833cfdbab82a5ae2087045da4f27f6f07daba6fdc829a93b4e6508 samba-3-gentoo-0.3.16.tar.bz2 14291
+MD5 89273f67a6d8067cbbecefaa13747153 samba-3.0.24.tar.gz 17708128
+RMD160 f208dca645d07a195169e005a50fb4c4879254eb samba-3.0.24.tar.gz 17708128
+SHA256 c4e8de3426fbbcee7f338f5cf09052cbdf9a36ae638aeeeca10498ef8d5343e2 samba-3.0.24.tar.gz 17708128
+MD5 900502ba36b80620229b94e5129bc856 samba-vscan-0.3.6b.tar.bz2 164471
+RMD160 5cd81345b06f44b2febf3f24e62325322b1c6a3b samba-vscan-0.3.6b.tar.bz2 164471
+SHA256 14f78b624b047b90ddf4965998e7115d3b3ac97b3229154a302637d8e49adcd4 samba-vscan-0.3.6b.tar.bz2 164471