<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "http://bugs.gentoo.org/bugzilla.dtd">

<bugzilla version="2.22.7"
          urlbase="http://bugs.gentoo.org/"
          maintainer="bugzilla@gentoo.org"
>

    <bug>
          <bug_id>102631</bug_id>
          
          <creation_ts>2005-08-15 10:35 0000</creation_ts>
          <short_desc>games-simulation/openttd: format string vulnerabilities</short_desc>
          <delta_ts>2005-09-05 09:30:17 0000</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>Gentoo Security</product>
          <component>Vulnerabilities</component>
          <version>unspecified</version>
          <rep_platform>All</rep_platform>
          <op_sys>Linux</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          
          <status_whiteboard>B1 [glsa]</status_whiteboard>
          
          <priority>P2</priority>
          <bug_severity>major</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          
          <everconfirmed>1</everconfirmed>
          <reporter>adobriyan@gmail.com</reporter>
          <assigned_to>security@gentoo.org</assigned_to>
          <cc>dholm@gentoo.org</cc>

      

      
          <long_desc isprivate="0">
            <who>adobriyan@gmail.com</who>
            <bug_when>2005-08-15 10:35:12 0000</bug_when>
            <thetext>ttd.c:
        char * CDECL str_fmt(const char *str, ...)
        {
        ===&gt;    char buf[4096];    &lt;===
                va_list va;
                int len;
                char *p;

                va_start(va, str);
        ===&gt;    len = vsprintf(buf, str, va);   &lt;===
                va_end(va);
                p = malloc(len + 1);
                if (p)
                        memcpy(p, buf, len + 1);
                return p;
        }
-------------------------------------------------------------------------------
str_fmt() is used everywhere, including the following snippet in unix.c:

===&gt;    const char *homedir = getenv(&quot;HOME&quot;);   &lt;===

        if (homedir == NULL) {
                const struct passwd *pw = getpwuid(getuid());
                if (pw != NULL) homedir = pw-&gt;pw_dir;
        }

        _path.personal_dir = str_fmt(&quot;%s&quot; PATHSEP &quot;%s&quot;, homedir, PERSONAL_DIR);
                             ^^^^^^^ ^^^                ^^^^^^^
-------------------------------------------------------------------------------
Notice the first chunk mentions &quot;Network&quot;.

diff -uprN openttd-0.4.0.1/network.c openttd-0.4.0.1-vsprintf/network.c
--- openttd-0.4.0.1/network.c	2005-05-17 20:01:19.000000000 +0400
+++ openttd-0.4.0.1-vsprintf/network.c	2005-08-15 20:34:45.000000000 +0400
@@ -96,7 +96,7 @@ void CDECL NetworkTextMessage(NetworkAct
 	StringID TempStr = STR_NULL;
 
 	va_start(va, str);
-	vsprintf(buf, str, va);
+	vsnprintf(buf, sizeof(buf), str, va);
 	va_end(va);
 
 	switch (action) {
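Review bot: The return value of the new vsnprintf call in NetworkTextMessage is discarded, so a truncated message passes silently, and the buffer is only guaranteed to be NUL-terminated on C99-conforming libraries. This patch also touches os2.c and win32.c, where the runtime's vsnprintf may follow older semantics (not visible from here), so I would add `buf[sizeof(buf) - 1] = '\0';` right after `va_end(va);`. The same applies to the hunks below for MidiSendCommand (os2.c and win32.c), warning and error in strgen.c, AddTextMessage, and error and ShowInfoF in ttd.c. The enclosing function starts and ends outside the hunk.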
diff -uprN openttd-0.4.0.1/os2.c openttd-0.4.0.1-vsprintf/os2.c
--- openttd-0.4.0.1/os2.c	2005-05-15 18:01:35.000000000 +0400
+++ openttd-0.4.0.1-vsprintf/os2.c	2005-08-15 20:31:26.000000000 +0400
@@ -642,7 +642,7 @@ static long CDECL MidiSendCommand(const 
 	va_list va;
 	char buf[512];
 	va_start(va, cmd);
-	vsprintf(buf, cmd, va);
+	vsnprintf(buf, sizeof(buf), cmd, va);
 	va_end(va);
 	return mciSendString(buf, NULL, 0, NULL, 0);
 }
diff -uprN openttd-0.4.0.1/strgen/strgen.c openttd-0.4.0.1-vsprintf/strgen/strgen.c
--- openttd-0.4.0.1/strgen/strgen.c	2005-04-24 19:41:01.000000000 +0400
+++ openttd-0.4.0.1-vsprintf/strgen/strgen.c	2005-08-15 20:37:12.000000000 +0400
@@ -84,7 +84,7 @@ void warning(const char *s, ...) {
 	char buf[1024];
 	va_list va;
 	va_start(va, s);
-	vsprintf(buf, s, va);
+	vsnprintf(buf, sizeof(buf), s, va);
 	va_end(va);
 	fprintf(stderr, &quot;%d: ERROR: %s\n&quot;, _cur_line, buf);
 	_warnings = true;
@@ -94,7 +94,7 @@ void NORETURN error(const char *s, ...) 
 	char buf[1024];
 	va_list va;
 	va_start(va, s);
-	vsprintf(buf, s, va);
+	vsnprintf(buf, sizeof(buf), s, va);
 	va_end(va);
 	fprintf(stderr, &quot;%d: FATAL: %s\n&quot;, _cur_line, buf);
 	exit(1);
diff -uprN openttd-0.4.0.1/texteff.c openttd-0.4.0.1-vsprintf/texteff.c
--- openttd-0.4.0.1/texteff.c	2005-03-28 16:38:02.000000000 +0400
+++ openttd-0.4.0.1-vsprintf/texteff.c	2005-08-15 20:36:22.000000000 +0400
@@ -57,7 +57,7 @@ void CDECL AddTextMessage(uint16 color, 
 	int length;
 
 	va_start(va, message);
-	vsprintf(buf, message, va);
+	vsnprintf(buf, sizeof(buf), message, va);
 	va_end(va);
 
 	/* Special color magic */
diff -uprN openttd-0.4.0.1/ttd.c openttd-0.4.0.1-vsprintf/ttd.c
--- openttd-0.4.0.1/ttd.c	2005-05-16 20:19:32.000000000 +0400
+++ openttd-0.4.0.1-vsprintf/ttd.c	2005-08-15 20:33:33.000000000 +0400
@@ -70,7 +70,7 @@ void CDECL error(const char *s, ...) {
 	va_list va;
 	char buf[512];
 	va_start(va, s);
-	vsprintf(buf, s, va);
+	vsnprintf(buf, sizeof(buf), s, va);
 	va_end(va);
 
 	ShowOSErrorBox(buf);
@@ -86,7 +86,7 @@ void CDECL ShowInfoF(const char *str, ..
 	va_list va;
 	char buf[1024];
 	va_start(va, str);
-	vsprintf(buf, str, va);
+	vsnprintf(buf, sizeof(buf), str, va);
 	va_end(va);
 	ShowInfo(buf);
 }
@@ -99,7 +99,7 @@ char * CDECL str_fmt(const char *str, ..
 	char *p;
 
 	va_start(va, str);
-	len = vsprintf(buf, str, va);
+	len = vsnprintf(buf, sizeof(buf), str, va);
 	va_end(va);
 	p = malloc(len + 1);
 	if (p)
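Review bot: After the switch to vsnprintf, `len` in str_fmt can no longer be trusted as the number of bytes held in `buf`. A C99 vsnprintf returns the length the full output would have had, so on truncation `len` is at least sizeof(buf), and the `malloc(len + 1)` / `memcpy(p, buf, len + 1)` that follows reads past the 4096-byte stack buffer; older libraries may return -1 instead. The memcpy is outside the hunk and is taken from the function as quoted earlier in this report. Clamp before allocating, e.g. `if (len &lt; 0 || (size_t)len &gt;= sizeof(buf)) len = sizeof(buf) - 1;` followed by `buf[len] = '\0';`.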
diff -uprN openttd-0.4.0.1/win32.c openttd-0.4.0.1-vsprintf/win32.c
--- openttd-0.4.0.1/win32.c	2005-05-16 20:19:32.000000000 +0400
+++ openttd-0.4.0.1-vsprintf/win32.c	2005-08-15 20:37:31.000000000 +0400
@@ -841,7 +841,7 @@ static long CDECL MidiSendCommand(const 
 	char buf[512];
 
 	va_start(va, cmd);
-	vsprintf(buf, cmd, va);
+	vsnprintf(buf, sizeof(buf), cmd, va);
 	va_end(va);
 	return mciSendStringA(buf, NULL, 0, 0);
 }</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jaervosz@gentoo.org</who>
            <bug_when>2005-08-16 00:09:41 0000</bug_when>
            <thetext>Auditors please advise. </thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>taviso@gentoo.org</who>
            <bug_when>2005-08-16 02:11:33 0000</bug_when>
            <thetext>openttd is not installed suid or sgid, therefore there is no security impact 
from the expansion of environment variables.

The win32.c looks like it&apos;s conditionally compiled on windows systems only, and 
therefore is not an issue for Gentoo Linux users, however upstream might like to 
be informed so they can investigate.

The NetworkTextMessage() does not look like it can be passed enough information 
to overflow that buffer. Reporter: have you tested this issue? There might 
be a format string issue via player names, but I don&apos;t have any TTD files to 
verify this.

The same for AddTextMessage() which is only called via NetworkTextMessage(), and 
does not appear to be an issue.

os2.c does not appear to be compiled on non-os2 platforms, and therefore is not 
an issue for Gentoo Linux users.

strgen.c appears to be a component of a tool used during build, and is not 
installed as part of the final package. Therefore there is no potential for 
security issues.

I checked every call to error(), it&apos;s mostly called with literal arguments, 
except in a few places that include filenames and so on. As loading data files 
should be considered a trusted operation, this doesn not appear to be an issue, 
however upstream might be interested in your patch as a proactive step against 
future typos.

The same for ShowInfoF(), the only attack vector seems to be via reading 
malformed ini files, which should be a trusted operation.

str_fmt() also appears to only deal with opening language packs and so on.

The 3.6-r1 version is the only version marked stable on a security supported 
architecture (ppc).

Reporter: if you have any testcases that demonstrate these bugs, please include 
them in your bug report to help speed up the auditing process.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>taviso@gentoo.org</who>
            <bug_when>2005-08-16 06:54:47 0000</bug_when>
            <thetext>I found a copy of the game online and attempted to trigger these issues, however 
I could not, handing this over to the games team to see how they want to 
proceed.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>adobriyan@gmail.com</who>
            <bug_when>2005-08-16 10:39:48 0000</bug_when>
            <thetext>Note about format bugs was damn right. Let&apos;s cook a malicious client.

network_client.c:
   228	// Send an quit-packet over the network
   229	DEF_CLIENT_SEND_COMMAND_PARAM(PACKET_CLIENT_QUIT)(const char *leavemsg)
   230	{
   231		//
   232		// Packet: CLIENT_QUIT
   233		// Function: The client is quiting the game
   234		// Data:
   235		//    String: leave-message
   236		//
   237		Packet *p = NetworkSend_Init(PACKET_CLIENT_QUIT);
   238	
   239	===&gt;	NetworkSend_string(p, leavemsg);   &lt;===
   240		NetworkSend_Packet(p, MY_CLIENT);
   241	}

Usually leavemsg = &quot;leave&quot;, but we&apos;ll make it &quot;%n&quot;.

On server side:

network_server.c:
   921	DEF_SERVER_RECEIVE_COMMAND(PACKET_CLIENT_QUIT)
   922	{
   923		// The client wants to leave. Display this and report it to the other
   924		//  clients.
   925		NetworkClientState *new_cs;
   926		char str[100];
   927		char client_name[NETWORK_CLIENT_NAME_LENGTH];
   928	
   929		// The client was never joined.. thank the client for the packet, but
ignore it
   930		if (cs-&gt;status &lt; STATUS_DONE_MAP || cs-&gt;quited) {
   931			cs-&gt;quited = true;
   932			return;
   933		}
   934	
   935	===&gt;	NetworkRecv_string(cs, p, str, 100);   &lt;===
   936	
   937		NetworkGetClientName(client_name, sizeof(client_name), cs);
   938	
   939	===&gt;	NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name,
str);   &lt;===

Server usually gets &quot;leave&quot;, but now it&apos;s &quot;%n&quot; which is passed straight to
vsprintf() in NetworkTextMessage().

/me recompiles, starts server, starts &quot;client&quot;, joins, quits.
Yup, &quot;Segmentation fault&quot; on server side.

For now, all places with
	NetworkRecv_string(,,str,);
	NetworkTextMessage(,,,,str);
are invitations for DoS. Tavis?
</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>taviso@gentoo.org</who>
            <bug_when>2005-08-16 10:47:13 0000</bug_when>
            <thetext>Ah, okay, that does look like an issue. Reassigning back to security.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>taviso@gentoo.org</who>
            <bug_when>2005-08-16 10:51:48 0000</bug_when>
            <thetext>Should be an easy fix,

- NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, str);
+ NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, &quot;%s&quot;, str);</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>adobriyan@gmail.com</who>
            <bug_when>2005-08-16 14:44:24 0000</bug_when>
            <thetext>How nice...

start server, client, join. In client type:
` (backtick, quake console appears)
name %n

Bye-bye server.

After an obvious fix to
network_server.c::DEF_SERVER_RECEIVE_COMMAND(PACKET_CLIENT_SET_NAME), server
survives, client dies. Investigating further...</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>adobriyan@gmail.com</who>
            <bug_when>2005-08-16 14:57:14 0000</bug_when>
            <thetext>Fix for client not crashing goes to network_client.c, line 347.



</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>adobriyan@gmail.com</who>
            <bug_when>2005-08-16 15:40:39 0000</bug_when>
            <thetext>Created an attachment (id=66105)
patch to fix possible buffer overflows + 3 + 1 format string bugs

Chunk to console_cmds.c isn&apos;t tested. It&apos;s late here and I can&apos;t find
codepath[s] in question. Other NetworkTextMessage()-related changes are tested.


P.S.: silly half-sleeping question: does vsnprintf() exist on OS/2 at all?</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2005-08-18 10:04:26 0000</bug_when>
            <thetext>games team please advise.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>taviso@gentoo.org</who>
            <bug_when>2005-08-22 00:49:06 0000</bug_when>
            <thetext>adding ppc, as they&apos;re the only affected security supported arch.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>hansmi@gentoo.org</who>
            <bug_when>2005-08-22 13:28:53 0000</bug_when>
            <thetext>Stable on ppc.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2005-08-23 01:02:09 0000</bug_when>
            <thetext>hansmi: in fact the version in Portage is not fixed, apparently you were called
to give inputs rather than to mark stable.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>hansmi@gentoo.org</who>
            <bug_when>2005-08-23 11:15:20 0000</bug_when>
            <thetext>Sorry, I was half-sleeping yesterday. The patch looks good and doesn&apos;t contain
any platform-specific things. Also, it compiled here. But I&apos;m not games@.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>mr_bones_@gentoo.org</who>
            <bug_when>2005-08-23 11:24:42 0000</bug_when>
            <thetext>Security team, please remember to cc the maintainer.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>hansmi@gentoo.org</who>
            <bug_when>2005-08-23 11:27:11 0000</bug_when>
            <thetext>dholm is currently moving and might not return in the next days, see /devaway/</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2005-08-25 11:41:14 0000</bug_when>
            <thetext>Can someone in games herd commit the fix while the dedicated maintainer is away ?
Alexey: did you send your patch upstream ?</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>adobriyan@gmail.com</who>
            <bug_when>2005-08-25 12:40:21 0000</bug_when>
            <thetext>Yes.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>mr_bones_@gentoo.org</who>
            <bug_when>2005-08-25 13:10:38 0000</bug_when>
            <thetext>masked until dholm can deal with it.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2005-08-29 07:44:07 0000</bug_when>
            <thetext>Hm. Theoretically, if it stays that way we need to issue a masking GLSA for this
one.  I guess we should rather find someone to commit the patch, since hansmi
tested it OK and it&apos;s rather straightforward.

vapier: want to have a shot at it ?</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2005-08-31 08:53:20 0000</bug_when>
            <thetext>vapier should handle the patching tonight.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>adobriyan@gmail.com</who>
            <bug_when>2005-08-31 10:22:41 0000</bug_when>
            <thetext>A slightly different patch was committed to openttd SVN:

http://svn.openttd.org/cgi-bin/viewcvs.cgi?rev=2899&amp;view=rev

M trunk/console_cmds.c
M trunk/network.c
M trunk/network_client.c
M trunk/network_server.c
M trunk/texteff.c</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>vapier@gentoo.org</who>
            <bug_when>2005-08-31 15:24:53 0000</bug_when>
            <thetext>i merged your fixes with the upstream changes ... think you could convince them
to merge the rest of your vsprintf -&gt; vsnprintf changes please ?

0.4.0.1-r1 now in portage stable for arches</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jaervosz@gentoo.org</who>
            <bug_when>2005-08-31 22:04:14 0000</bug_when>
            <thetext>This one is ready for GLSA. Anyone wants to contact upstream? </thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>vapier@gentoo.org</who>
            <bug_when>2005-08-31 22:13:32 0000</bug_when>
            <thetext>upstream has already merged most of the fixes into their svn ... i&apos;m hoping
Alexey can convince them to merge the remaining vsprintf-&gt;vsnprintf changes</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2005-09-01 00:46:14 0000</bug_when>
            <thetext>I asked MITRE for CAN numbers.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>adobriyan@gmail.com</who>
            <bug_when>2005-09-01 08:29:53 0000</bug_when>
            <thetext>So far nobody said &quot;I will&quot; or &quot;I won&apos;t&quot; at #openttd.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2005-09-01 13:35:52 0000</bug_when>
            <thetext>Use :
CAN-2005-2763 for the format strings
CAN-2005-2764 for the buffer overflows</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2005-09-02 03:06:22 0000</bug_when>
            <thetext>Alexey, please forward the CAN numbers to your OpenTTD contacts. We shall
release a GLSA very soon, crediting you as the discoverer. Feel free to come up
with your own announcement if you want.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>dercorny@gentoo.org</who>
            <bug_when>2005-09-05 09:30:17 0000</bug_when>
            <thetext>GLSA 200509-03
Thanks to everybody involved.</thetext>
          </long_desc>
      
          <attachment
              isobsolete="0"
              ispatch="1"
              isprivate="0"
          >
            <attachid>66105</attachid>
            <date>2005-08-16 15:40 0000</date>
            <desc>patch to fix possible buffer overflows + format string bugs</desc>
            <filename>ttd_bugs.patch</filename>
            <type>text/plain</type>
            <data encoding="base64">ZGlmZiAtdXByTiBvcGVudHRkLTAuNC4wLjEvY29uc29sZV9jbWRzLmMgb3BlbnR0ZC0wLjQuMC4x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</data>        

          </attachment>
    </bug>

</bugzilla>