[25061] in bugtraq
Vulnerabilities in the Melange Chat Server
daemon@ATHENA.MIT.EDU (Leon Harris)
Mon Apr 15 16:38:20 2002
Message-ID: <3CB9A484.8080002@quoll.com>
Date: Sun, 14 Apr 2002 23:47:16 +0800
From: Leon Harris <leon@quoll.com>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: multipart/mixed;
boundary="------------030209030302080402020902"
--------------030209030302080402020902
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
There are a number of vulnerabilities in the Melange chat system. I sent
the following email over a month ago to its author, who is not actively
maintaining it. I include some fixes for the problems encountered, but
caution that I am no longer working on it, and that there are probably
others. I hope this is of some use to someone.
Hi Chris.
I have found another remotely exploitable buffer overflow on melange
that will cause the server to crash. Given that it doesn't come with an
init script that runs it as an unpriveliged user ( when I first ran it,
I ran it as root and I should know better) I would like to release this
to bugtraq.
Since you advertise your users on melange, I have taken the liberty to
bcc this email to as many of them as I can (those with melange on their
sites) prior to bugtraq, in order to give them time to respond.
I would like to state now that I think you have done a good job overall
with melange - it was easy to work with and nice and logically laid out.
I enjoyed working with it. I think that maybe when it was written, we
none of us knew so much about security.
Advisory: buffer overflow in melange server 2.02-beta
Melange is a chat system written in C and java which is freely available
under GPL (http://melange.terminal.at). It is quite a nice system, and
has been my pleasure to work with it. It was also coded nearly five
years ago, at a time when people were not quite so security conscious.
Its author has indicated that he is not currently maintaining it, due to
other commitments.
Due to the need for logging to access /var/log directory by default, the
temptation for the lazy admin is to run it as root. I recommend that if
you must run it, it needs to be chrooted as a low privileged user, and
the attatched patches applied. Note that this probably doesn't fix all
possible exploits, just the ones I was able to quickly locate. Note also
that I consider my C language skills to be crap, or university quality,
in that I probably could pass a course but try like hell to stay away
from that lang if I can in real life.
Partial lists of problems - (don't be mean, there are more, I am just
copying from my lousy notes from over a month ago).
There are numerous calls to unsafe c functions such as strcpy and sprintf,
some of which can result in core dumps.
.
1) A remote client can crash the chat server by issuing a /yell command
with an argument over 500 chars in length. Shellcode exploit has not
been written, but is possible.
eg:
telnet localhost 6666
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
MELANGE> user test test 0 0
/yell
mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
server dies.
2) long lines in /etc/melange.conf causes a buffer overflow and dump core.
3) file names longer than 250 chars cause core dump (fix line 52 of main.c)
--------------030209030302080402020902
Content-Type: text/plain;
name="patches1.1"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
filename="patches1.1"
ZGlmZiAtTmF1ciBzZXJ2ZXIvYXRvb2wuYyAuLi9tZWxhbmdlLTIuMDItYmV0YTIvc2VydmVy
L2F0b29sLmMKLS0tIHNlcnZlci9hdG9vbC5jCVNhdCBKYW4gMTIgMjM6MTE6MTkgMjAwMgor
KysgLi4vbWVsYW5nZS0yLjAyLWJldGEyL3NlcnZlci9hdG9vbC5jCVN1biBEZWMgIDUgMjI6
Mzk6NTEgMTk5OQpAQCAtOTQsNyArOTQsNyBAQAogICAgICAgICBzdHJjcHkocGFyYW1ldGVy
LGRhdGEpOwogCiAjaWZkZWYgREVCVUcKLSAgICBzbnByaW50ZihzZXJ2ZXIubG9nLnR4dCxz
aXplb2Yoc2VydmVyLmxvZy50eHQpLCJERUJVRyAoQVRPT0wpOiBjb206IDwlcz4gb3B0OiA8
JXM+IHBhcjogPCVzPiBhdCBzbG90ICVkLlxyXG4iLGNvbW1hbmQsb3B0aW9uLHBhcmFtZXRl
cixzZW5kZXIpOworICAgIHNwcmludGYoc2VydmVyLmxvZy50eHQsIkRFQlVHIChBVE9PTCk6
IGNvbTogPCVzPiBvcHQ6IDwlcz4gcGFyOiA8JXM+IGF0IHNsb3QgJWQuXHJcbiIsY29tbWFu
ZCxvcHRpb24scGFyYW1ldGVyLHNlbmRlcik7CiAgICAgdXRpbF9Xcml0ZUxvZyhMTF9ERUJV
Ryk7CiAjZW5kaWYKIApkaWZmIC1OYXVyIHNlcnZlci9hdXRoLmMgLi4vbWVsYW5nZS0yLjAy
LWJldGEyL3NlcnZlci9hdXRoLmMKLS0tIHNlcnZlci9hdXRoLmMJU2F0IEphbiAxMiAyMzox
MToxOSAyMDAyCisrKyAuLi9tZWxhbmdlLTIuMDItYmV0YTIvc2VydmVyL2F1dGguYwlTdW4g
RGVjICA1IDIyOjQwOjEwIDE5OTkKQEAgLTg0LDggKzg0LDYgQEAKICAgICBpZiAodXRpbF9p
c1NldChVTklRVUVOSUNLUyk9PVlFUykgewogCWlmICgodXRpbF9pc1NldChHVUVTVExPR0lO
KT09WUVTKSYmKHN0cmNhc2VjbXAoY2xpZW50LT5uYW1lLCJndWVzdCIpPT0wKSkgeyAKIAkg
ICAgc3ByaW50ZihzYWx0LCIlZCVjIixteVNsb3QsMCk7Ci0JICAgIGlmIChzdHJsZW4oc2Fs
dCkgKyBzdHJsZW4oY2xpZW50LT5uYW1lKSA+IHNpemVvZihjbGllbnQtPm5hbWUpKQotCQkg
ICAgcmV0dXJuKEVSUl9OQU1FKTsKIAkgICAgc3RyY2F0KGNsaWVudC0+bmFtZSxzYWx0KTsK
IAl9CiAJZWxzZSB7CmRpZmYgLU5hdXIgc2VydmVyL2NoYXR1dGlsLmMgLi4vbWVsYW5nZS0y
LjAyLWJldGEyL3NlcnZlci9jaGF0dXRpbC5jCi0tLSBzZXJ2ZXIvY2hhdHV0aWwuYwlTYXQg
SmFuIDEyIDIzOjExOjE5IDIwMDIKKysrIC4uL21lbGFuZ2UtMi4wMi1iZXRhMi9zZXJ2ZXIv
Y2hhdHV0aWwuYwlTdW4gRGVjICA1IDIyOjQwOjIyIDE5OTkKQEAgLTY0LDcgKzY0LDcgQEAK
IAlzcHJpbnRmKHR4dCxNU0dfTEVBVkUsc2xvdElELHNsb3Rbc2xvdElEXS51c2VyLT5uYW1l
KTsKIAljb21tX1NlbmRDaGFubmVsQnV0KFNZU01TRyxteUNoYW5uZWwsc2xvdElELHR4dCk7
CiAJdXRpbF9Xcml0ZU1zZ0xvZyh0eHQpOwotCXN0cm5jcHkoc2VydmVyLmxvZy50eHQsdHh0
LHNpemVvZihzZXJ2ZXIubG9nLnR4dCkpOworCXN0cmNweShzZXJ2ZXIubG9nLnR4dCx0eHQp
OwogCXV0aWxfV3JpdGVMb2coTExfTk9STUFMKTsKICAgICB9CiAgICAgCkBAIC0xMzQsNCAr
MTM0LDQgQEAKICAgICBpZiAoc2xvdFtteVNsb3RdLnVzZXIhPU5VTEwpCiAJZnJlZShzbG90
W215U2xvdF0udXNlcik7CiAgICAgc2xvdFtteVNsb3RdLnVzZXI9TlVMTDsKLX0KK30KXCBO
byBuZXdsaW5lIGF0IGVuZCBvZiBmaWxlCmRpZmYgLU5hdXIgc2VydmVyL2NsaWVudC5jIC4u
L21lbGFuZ2UtMi4wMi1iZXRhMi9zZXJ2ZXIvY2xpZW50LmMKLS0tIHNlcnZlci9jbGllbnQu
YwlTYXQgSmFuIDEyIDIzOjExOjE5IDIwMDIKKysrIC4uL21lbGFuZ2UtMi4wMi1iZXRhMi9z
ZXJ2ZXIvY2xpZW50LmMJU3VuIERlYyAgNSAyMjo0MDozNCAxOTk5CkBAIC0xNzUsOSArMTc1
LDkgQEAKICAgICAgICAgaWYgKHV0aWxfR2V0TmV4dFN1YlN0cmluZyhpbkJ1ZmZlcixjbWQs
TUJVRkZTSVpFKSE9T0spIAogCSAgICBpZiAoKHN0cmxlbihpbkJ1ZmZlcik+MCkmJihzdHJs
ZW4oaW5CdWZmZXIpPChNQlVGRlNJWkUtMikpKQogCQlzdHJjcHkoY21kLGluQnVmZmVyKTsK
LSAgICAgICAgdXRpbF9HZXROZXh0U3ViU3RyaW5nKGluQnVmZmVyLG5hbWUsc2l6ZW9mKGNs
aWVudC0+bmFtZSkpOwotICAgICAgICB1dGlsX0dldE5leHRTdWJTdHJpbmcoaW5CdWZmZXIs
cGFzc3dvcmQsc2l6ZW9mKGNsaWVudC0+cGFzc3dkKSk7Ci0gICAgICAgIHV0aWxfR2V0TmV4
dFN1YlN0cmluZyhpbkJ1ZmZlcixjaGFubmVsLHNpemVvZihjbGllbnQtPmNoYW5uZWwpKTsK
KyAgICAgICAgdXRpbF9HZXROZXh0U3ViU3RyaW5nKGluQnVmZmVyLG5hbWUsTUJVRkZTSVpF
KTsKKyAgICAgICAgdXRpbF9HZXROZXh0U3ViU3RyaW5nKGluQnVmZmVyLHBhc3N3b3JkLE1C
VUZGU0laRSk7CisgICAgICAgIHV0aWxfR2V0TmV4dFN1YlN0cmluZyhpbkJ1ZmZlcixjaGFu
bmVsLE1CVUZGU0laRSk7CiAJaWYgKChzdHJsZW4oaW5CdWZmZXIpPjApJiYoc3RybGVuKGlu
QnVmZmVyKTwoTUJVRkZTSVpFLTIpKSkKIAkgICAgc3RyY3B5KGdyb3VwLGluQnVmZmVyKTsK
ICAgICAgIApkaWZmIC1OYXVyIHNlcnZlci9jb21tYW5kcy5jIC4uL21lbGFuZ2UtMi4wMi1i
ZXRhMi9zZXJ2ZXIvY29tbWFuZHMuYwotLS0gc2VydmVyL2NvbW1hbmRzLmMJU2F0IEphbiAx
MiAyMzoxMToxOSAyMDAyCisrKyAuLi9tZWxhbmdlLTIuMDItYmV0YTIvc2VydmVyL2NvbW1h
bmRzLmMJU3VuIERlYyAgNSAyMjo0MTowNSAxOTk5CkBAIC0xMzUsNyArMTM1LDcgQEAKICAg
ICBpbnQgaTsKICAgICBjaGFyIG1lc3NhZ2VbNTAwXTsKICAgICAKLSAgICBzbnByaW50Ziht
ZXNzYWdlLHNpemVvZihtZXNzYWdlKSwiJXMgIixtZXNzYWdlMSk7CisgICAgc3ByaW50Ziht
ZXNzYWdlLCIlcyAiLG1lc3NhZ2UxKTsKICAgICBpZiAoc3RybGVuKG1lc3NhZ2UyKT4wKQog
CXN0cmNhdChtZXNzYWdlLG1lc3NhZ2UyKTsKICAgICBmb3IgKGk9MDtpPHN0cmxlbihtZXNz
YWdlKTtpKyspCkBAIC01MTMsNyArNTEzLDcgQEAKIAl9CiAgICAgfQogICAgIHNwcmludGYo
dHh0LE1TR19ORVdOQU1FLHVzZXIsc2xvdFt1c2VyXS51c2VyLT5uYW1lLG15TmV3Tmljayk7
Ci0gICAgc3RybmNweShzbG90W3VzZXJdLnVzZXItPm5hbWUsbXlOZXdOaWNrLHNpemVvZihz
bG90W3VzZXJdLnVzZXItPm5hbWUpKTsKKyAgICBzdHJjcHkoc2xvdFt1c2VyXS51c2VyLT5u
YW1lLG15TmV3Tmljayk7CiAgICAgY29tbV9TZW5kR3JvdXBCdXQoU1lTTVNHLHVzZXIsdHh0
KTsKICAgICBzcHJpbnRmKHR4dCxNU0dfWU9VUk5FV05BTUUsbXlOZXdOaWNrLHVzZXIpOwog
ICAgIGNvbW1fU2VuZFRvKFNZU01TRyx1c2VyLHR4dCk7CmRpZmYgLU5hdXIgc2VydmVyL2lu
dGVycHJldC5jIC4uL21lbGFuZ2UtMi4wMi1iZXRhMi9zZXJ2ZXIvaW50ZXJwcmV0LmMKLS0t
IHNlcnZlci9pbnRlcnByZXQuYwlTYXQgSmFuIDEyIDIzOjEyOjQwIDIwMDIKKysrIC4uL21l
bGFuZ2UtMi4wMi1iZXRhMi9zZXJ2ZXIvaW50ZXJwcmV0LmMJU3VuIERlYyAgNSAyMjo0MTo0
MSAxOTk5CkBAIC01NiwyMiArNTYsMjIgQEAKIAogICAgIHN0cmNweShkYXRhLHV0aWxfRml0
U3RyaW5nKGRhdGEpKTsKIAotICAgIGlmICggKHN0cmxlbihkYXRhKTwyKSB8fCAoc3RybGVu
KGRhdGEpID4gNTAwICkgKQkJCQkJLyogQ2FuJ3QgYmUgYSBjb21tYW5kICEgKi8KKyAgICBp
ZiAoc3RybGVuKGRhdGEpPDIpCQkJCQkvKiBDYW4ndCBiZSBhIGNvbW1hbmQgISAqLwogICAg
ICAgICByZXR1cm4oRVJSX0lMTEVHQUxDTUQpOwogCiAgICAgaWYgKHV0aWxfR2V0TmV4dFN1
YlN0cmluZyhkYXRhLGNvbW1hbmQsTUJVRkZTSVpFKSE9T0spIAkvKiBHZXQgY29tbWFuZCAq
LwogCWlmICgoc3RybGVuKGRhdGEpPjApJiYoc3RybGVuKGRhdGEpPChNQlVGRlNJWkUtMikp
KQotCSAgICBzdHJuY3B5KGNvbW1hbmQsZGF0YSxzaXplb2YoY29tbWFuZCkpOworCSAgICBz
dHJjcHkoY29tbWFuZCxkYXRhKTsKICAgICBpZiAodXRpbF9HZXROZXh0U3ViU3RyaW5nKGRh
dGEsb3B0aW9uLE1CVUZGU0laRSkhPU9LKSAJLyogR2V0IG9wdGlvbiAqLwogCWlmICgoc3Ry
bGVuKGRhdGEpPjApJiYoc3RybGVuKGRhdGEpPChNQlVGRlNJWkUtMikpKQotCSAgICBzdHJu
Y3B5KG9wdGlvbixkYXRhLHNpemVvZihvcHRpb24pKTsJCQkKKwkgICAgc3RyY3B5KG9wdGlv
bixkYXRhKTsJCQkKICAgICBpZiAoKHN0cmxlbihkYXRhKT4wKSYmKHN0cmxlbihkYXRhKTwo
TU1BWFRYVExFTi1NQlVGRlNJWkUpKSkJLyogR2V0IHBhcmFtZXRlciAqLwotICAgICAgICBz
dHJuY3B5KHBhcmFtZXRlcixkYXRhLHNpemVvZihwYXJhbWV0ZXIpKTsKKyAgICAgICAgc3Ry
Y3B5KHBhcmFtZXRlcixkYXRhKTsKICAgICBjb21tYW5kWzBdPScvJzsKIAogCiAjaWZkZWYg
REVCVUcKLSAgICBzbnByaW50ZihzZXJ2ZXIubG9nLnR4dCxzaXplb2Yoc2VydmVyLmxvZy50
eHQpLCJERUJVRyAoVXNlcik6IGNvbTogPCVzPiBvcHQ6IDwlcz4gcGFyOiA8JXM+IHNsb3Qg
JWQgIVxyXG4iLGNvbW1hbmQsb3B0aW9uLHBhcmFtZXRlcixzZW5kZXIpOworICAgIHNwcmlu
dGYoc2VydmVyLmxvZy50eHQsIkRFQlVHIChVc2VyKTogY29tOiA8JXM+IG9wdDogPCVzPiBw
YXI6IDwlcz4gc2xvdCAlZCAhXHJcbiIsY29tbWFuZCxvcHRpb24scGFyYW1ldGVyLHNlbmRl
cik7CiAgICAgdXRpbF9Xcml0ZUxvZyhMTF9ERUJVRyk7CiAjZW5kaWYKIApkaWZmIC1OYXVy
IHNlcnZlci9tYWluLmMgLi4vbWVsYW5nZS0yLjAyLWJldGEyL3NlcnZlci9tYWluLmMKLS0t
IHNlcnZlci9tYWluLmMJU2F0IEphbiAxMiAyMzoxMToxOSAyMDAyCisrKyAuLi9tZWxhbmdl
LTIuMDItYmV0YTIvc2VydmVyL21haW4uYwlTdW4gRGVjICA1IDIyOjQxOjUyIDE5OTkKQEAg
LTQ5LDEyICs0OSwxMiBAQAogICAgIAogICAgIHByaW50ZiAoIiVzKEMpIDE5OTgsMTk5OSBi
eSBDaHJpc3RpYW4gV2FsdGVyLCBBbGwgcmlnaHRzIHJlc2VydmVkXHJcbmh0dHA6Ly9tZWxh
bmdlLnRlcm1pbmFsLmF0ICAgICAgIEVtYWlsOiBjaHJpc0B0ZXJtaW5hbC5hdFxyXG5cbiIs
UFJHVkVSU0lPTik7CiAgICAgc2VydmVyLnBvcnQ9UE9SVDsgCi0gICAgc3RybmNweShzZXJ2
ZXIuY29uZmlnRmlsZU5hbWUsQ09ORklHRklMRSxzaXplb2Yoc2VydmVyLmNvbmZpZ0ZpbGVO
YW1lKSk7CisgICAgc3RyY3B5KHNlcnZlci5jb25maWdGaWxlTmFtZSxDT05GSUdGSUxFKTsK
ICAgICBmb3IgKGk9MTtpPGFyZ2M7aSsrKSB7CiAJaWYgKChzdHJjYXNlY21wKGFyZ3ZbaV0s
Ii1wIik9PTApJiYoKGkrMSk8YXJnYykpCiAgICAgCSAgICBzZXJ2ZXIucG9ydD1hdG9pKGFy
Z3ZbaSsxXSk7CiAJaWYgKChzdHJjYXNlY21wKGFyZ3ZbaV0sIi1jIik9PTApJiYoKGkrMSk8
YXJnYykpIAotICAgIAkgICAgc3RybmNweShzZXJ2ZXIuY29uZmlnRmlsZU5hbWUsYXJndltp
KzFdLHNpemVvZihzZXJ2ZXIuY29uZmlnRmlsZU5hbWUpKTsKKyAgICAJICAgIHN0cmNweShz
ZXJ2ZXIuY29uZmlnRmlsZU5hbWUsYXJndltpKzFdKTsKICAgICB9CiAgICAgdXRpbF9DaGF0
SW5pdCgpOwogICAgIGlmIChzdGFydHVwX3NlcnZlcigpIT1PSykKZGlmZiAtTmF1ciBzZXJ2
ZXIvc3lzdXRpbC5jIC4uL21lbGFuZ2UtMi4wMi1iZXRhMi9zZXJ2ZXIvc3lzdXRpbC5jCi0t
LSBzZXJ2ZXIvc3lzdXRpbC5jCVNhdCBKYW4gMTIgMjM6MTE6MTkgMjAwMgorKysgLi4vbWVs
YW5nZS0yLjAyLWJldGEyL3NlcnZlci9zeXN1dGlsLmMJU3VuIERlYyAgNSAyMjo0Mjo0OSAx
OTk5CkBAIC0xNTgsNyArMTU4LDcgQEAKIAogaW50IHN5c19TZW5kVXNlclVwZGF0ZShpbnQg
bXlDaGFubmVsLGludCB1c2VyKSB7CiAgICAgY2hhciBidWZmZXJbMjA0NV07Ci0gICAgY2hh
ciB1dHh0W01NQVhVU0VSTkFNRUxFTisxNV07CisgICAgY2hhciB1dHh0W01NQVhVU0VSTkFN
RUxFTisxMF07CiAgICAgaW50IGksZzsKIAogICAgIGF0b29sX3NlbmRVcGRhdGUoIkIiKTsK
QEAgLTIwMyw3ICsyMDMsNyBAQAogCiBpbnQgc3lzX1NlbmRHcm91cFVwZGF0ZShpbnQgdXNl
cikgewogICAgIGNoYXIgYnVmZmVyWzIwNDVdOwotICAgIGNoYXIgZ3R4dFtNTUFYR1JPVVBO
QU1FTEVOKzI1XTsKKyAgICBjaGFyIGd0eHRbTU1BWEdST1VQTkFNRUxFTisxNV07CiAgICAg
Z3JvdXBsaXN0ICpscDsKIAogICAgIGF0b29sX3NlbmRVcGRhdGUoIkciKTsKZGlmZiAtTmF1
ciBzZXJ2ZXIvdXRpbC5jIC4uL21lbGFuZ2UtMi4wMi1iZXRhMi9zZXJ2ZXIvdXRpbC5jCi0t
LSBzZXJ2ZXIvdXRpbC5jCVNhdCBKYW4gMTIgMjM6MTE6MTkgMjAwMgorKysgLi4vbWVsYW5n
ZS0yLjAyLWJldGEyL3NlcnZlci91dGlsLmMJU3VuIERlYyAgNSAyMjo0MzowMyAxOTk5CkBA
IC01MTAsMjAgKzUxMCwxNyBAQAogdm9pZCB1dGlsX1JlYWRDb25maWdGaWxlKGNoYXIgKmNv
bmZpZ0ZpbGVOYW1lKSB7CiAgICAgRklMRSAqY29uZmlnRmlsZUhhbmRsZTsKICAgICBjaGFy
IHRtcFN0cmluZ1s1MDBdLHRtcFN0cmluZzJbTUJVRkZTSVpFKzJdLHRtcFN0cmluZzNbTUJV
RkZTSVpFKzJdOwotICAgIGNoYXIgdG1wQ2hhcixmbXRbMTBdLGZtdDJbMTBdOworICAgIGNo
YXIgdG1wQ2hhcjsKICAgICB1bnNpZ25lZCBsb25nIGNvbmZpZ0ZpbGVMZW5ndGg7CiAgICAg
aW50IGkscixnLGI7CiAKLSAgICBzcHJpbnRmKGZtdCwiJSUlZHMiLCBzaXplb2YodG1wU3Ry
aW5nKSk7Ci0gICAgc3ByaW50ZihmbXQyLCIlJSVkcyIsTUJVRkZTSVpFKzIpOwotCiAgICAg
aWYgKChjb25maWdGaWxlSGFuZGxlPWZvcGVuKGNvbmZpZ0ZpbGVOYW1lLCJyYiIpKSE9TlVM
TCkgewogCWZzZWVrKGNvbmZpZ0ZpbGVIYW5kbGUsMCxTRUVLX0VORCk7CiAgICAgICAgIGNv
bmZpZ0ZpbGVMZW5ndGg9ZnRlbGwoY29uZmlnRmlsZUhhbmRsZSk7CiAgICAgICAgIHJld2lu
ZChjb25maWdGaWxlSGFuZGxlKTsKIAkgICAgCiAgICAgICAgIHdoaWxlIChmdGVsbChjb25m
aWdGaWxlSGFuZGxlKTxjb25maWdGaWxlTGVuZ3RoKSB7Ci0gICAgICAgICAgIGZzY2FuZiAo
Y29uZmlnRmlsZUhhbmRsZSxmbXQsdG1wU3RyaW5nKTsKKyAgICAgICAgICAgZnNjYW5mIChj
b25maWdGaWxlSGFuZGxlLCIlcyIsdG1wU3RyaW5nKTsKIAkgICBpZiAoKHRtcFN0cmluZ1sw
XT09JyMnKXx8KHRtcFN0cmluZ1swXT09J1snKSkgewogCSAgICAgICBkbyB7CiAJCSAgICBm
c2NhbmYoY29uZmlnRmlsZUhhbmRsZSwiJWMiLCZ0bXBDaGFyKTsKQEAgLTUzMiwxMyArNTI5
LDEzIEBACiAJICAgfQogCSAgIGlmICggKChzdHJjYXNlY21wKHRtcFN0cmluZywiQUxMT1ci
KT09MCkmJih1dGlsX2lzU2V0KFNFQ1VSSVRZVFlQKT09WUVTKSkgfHwKIAkgICAgICAgICgo
c3RyY2FzZWNtcCh0bXBTdHJpbmcsIkRFTlkiKT09MCkmJih1dGlsX2lzU2V0KFNFQ1VSSVRZ
VFlQKSE9WUVTKSkgKSB7Ci0JCSAgICAgICBmc2NhbmYoY29uZmlnRmlsZUhhbmRsZSxmbXQs
dG1wU3RyaW5nKTsKKwkJICAgICAgIGZzY2FuZihjb25maWdGaWxlSGFuZGxlLCIlcyIsdG1w
U3RyaW5nKTsKIAkJICAgICAgIGlmIChzdHJsZW4odG1wU3RyaW5nKTxNTUFYSE9TVE5BTUVM
RU4pCiAJCSAgICAgICAgICAgdXRpbF9pbnNlcnRIb3N0KHRtcFN0cmluZywgMCk7CiAJICAg
ICAgIGNvbnRpbnVlOwogCSAgIH0KIAkgICBpZiAoc3RyY2FzZWNtcCh0bXBTdHJpbmcsIlBS
T0ZJTEUiKT09MCkgewotCSAgICAgICBmc2NhbmYoY29uZmlnRmlsZUhhbmRsZSxmbXQsdG1w
U3RyaW5nKTsKKwkgICAgICAgZnNjYW5mKGNvbmZpZ0ZpbGVIYW5kbGUsIiVzIix0bXBTdHJp
bmcpOwogCSAgICAgICBpZiAoc3RyY2FzZWNtcCh0bXBTdHJpbmcsImRlbnkiKT09MCkKIAkJ
ICAgIHV0aWxfU2V0KFNFQ1VSSVRZVFlQLFlFUyk7ICAgICAgIAogCSAgICAgICBjb250aW51
ZTsKQEAgLTU0OCwxOSArNTQ1LDE5IEBACiAJICAgaWYgKHN0cmNhc2VjbXAodG1wU3RyaW5n
LCJLSUNLT1VUVElNRSIpPT0wKQogCSAgICAgICBmc2NhbmYoY29uZmlnRmlsZUhhbmRsZSwi
JWQiLCZhZG1pbi5kZWZhdWx0QmFublRpbWUpOwogCSAgIGlmIChzdHJjYXNlY21wKHRtcFN0
cmluZywiUEFTU1dEIik9PTApIHsKLQkgICAgICAgZnNjYW5mKGNvbmZpZ0ZpbGVIYW5kbGUs
Zm10LHRtcFN0cmluZyk7CisJICAgICAgIGZzY2FuZihjb25maWdGaWxlSGFuZGxlLCIlcyIs
dG1wU3RyaW5nKTsKIAkgICAgICAgaWYgKHN0cmxlbih0bXBTdHJpbmcpPE1CVUZGU0laRSkK
IAkgICAgICAgICAgIHN0cmNweShhZG1pbi5wYXNzd2QsdG1wU3RyaW5nKTsKIAkgICAgICAg
Y29udGludWU7CiAJICAgfQogCSAgIGlmIChzdHJjYXNlY21wKHRtcFN0cmluZywiTE9HRklM
RSIpPT0wKSB7Ci0JICAgICAgICBmc2NhbmYoY29uZmlnRmlsZUhhbmRsZSxmbXQsdG1wU3Ry
aW5nKTsKKwkgICAgICAgIGZzY2FuZihjb25maWdGaWxlSGFuZGxlLCIlcyIsdG1wU3RyaW5n
KTsKIAkgICAgICAgIGlmIChzdHJsZW4odG1wU3RyaW5nKTxNTUFYRklMRU5BTUVMRU4pCiAJ
CSAgICBzdHJjcHkoc2VydmVyLmxvZy5sb2dmaWxlbmFtZSx0bXBTdHJpbmcpOwogCSAgICAg
ICBjb250aW51ZTsKIAkgICB9CiAJICAgaWYgKHN0cmNhc2VjbXAodG1wU3RyaW5nLCJNU0dM
T0dGSUxFIik9PTApIHsKLQkgICAgICAgZnNjYW5mKGNvbmZpZ0ZpbGVIYW5kbGUsZm10LHRt
cFN0cmluZyk7CisJICAgICAgIGZzY2FuZihjb25maWdGaWxlSGFuZGxlLCIlcyIsdG1wU3Ry
aW5nKTsKIAkgICAgICAgc2VydmVyLmxvZy5sb2dNZXNzYWdlcz1ZRVM7CiAJICAgICAgIGlm
ICgoc3RyY2FzZWNtcCh0bXBTdHJpbmcsIm9uIikhPTApJiYoc3RybGVuKHRtcFN0cmluZyk8
TU1BWEZJTEVOQU1FTEVOKSkgCiAJICAgICAgICAgICBzdHJjcHkoc2VydmVyLmxvZy5tc2dm
aWxlbmFtZSx0bXBTdHJpbmcpOwpAQCAtNTczLDcgKzU3MCw3IEBACiAJICAgICAgIGNvbnRp
bnVlOwogCSAgIH0KIAkgICBpZiAoc3RyY2FzZWNtcCh0bXBTdHJpbmcsIkFMTE9XQ0hBTk5F
TFMiKT09MCkgewotCSAgICAgICBmc2NhbmYoY29uZmlnRmlsZUhhbmRsZSxmbXQsdG1wU3Ry
aW5nKTsKKwkgICAgICAgZnNjYW5mKGNvbmZpZ0ZpbGVIYW5kbGUsIiVzIix0bXBTdHJpbmcp
OwogCSAgICAgICBpZiAoc3RyY2FzZWNtcCh0bXBTdHJpbmcsIm5vIik9PTApIHsKIAkJICAg
dXRpbF9TZXQoQUxMT1dVU0VSQ0hBTk5FTFMsTk8pOyAgICAgICAKIAkJICAgZm9yKGk9Mjtp
PG1heENoYW5uZWxzO2krKykgewpAQCAtNTg0LDcgKzU4MSw3IEBACiAJICAgICAgIGNvbnRp
bnVlOwogCSAgIH0KIAkgICBpZiAoc3RyY2FzZWNtcCh0bXBTdHJpbmcsIkFOT05ZTU9VUyIp
PT0wKSB7Ci0JICAgICAgIGZzY2FuZihjb25maWdGaWxlSGFuZGxlLGZtdCx0bXBTdHJpbmcp
OworCSAgICAgICBmc2NhbmYoY29uZmlnRmlsZUhhbmRsZSwiJXMiLHRtcFN0cmluZyk7CiAJ
ICAgICAgIAkgICBpZiAoc3RyY2FzZWNtcCh0bXBTdHJpbmcsIm5vIik9PTApIHsKIAkJICAg
ICAgIHV0aWxfU2V0KEFMTE9XQU5PTllNT1VTQ0hBTk5FTCxOTyk7CiAJCSAgICAgICBjaGFu
bmVsW0FOT05ZTU9VU10ubG9ja2VkPVBFUk1BTkVOVDsKQEAgLTU5Miw0NCArNTg5LDQ0IEBA
CiAJICAgICAgIGNvbnRpbnVlOwogCSAgIH0KIAkgICBpZiAoc3RyY2FzZWNtcCh0bXBTdHJp
bmcsIlVOSVFVRSIpPT0wKSB7Ci0JICAgICAgIGZzY2FuZihjb25maWdGaWxlSGFuZGxlLGZt
dCx0bXBTdHJpbmcpOworCSAgICAgICBmc2NhbmYoY29uZmlnRmlsZUhhbmRsZSwiJXMiLHRt
cFN0cmluZyk7CiAJICAgICAgIAkgICBpZiAoc3RyY2FzZWNtcCh0bXBTdHJpbmcsInllcyIp
PT0wKSAKIAkJCXV0aWxfU2V0KFVOSVFVRU5JQ0tTLFlFUyk7ICAgICAgIAogCSAgICAgICBj
b250aW51ZTsKIAkgICB9CiAJICAgaWYgKHN0cmNhc2VjbXAodG1wU3RyaW5nLCJDSEFOR0VO
SUNLUyIpPT0wKSB7Ci0JICAgICAgIGZzY2FuZihjb25maWdGaWxlSGFuZGxlLGZtdCx0bXBT
dHJpbmcpOworCSAgICAgICBmc2NhbmYoY29uZmlnRmlsZUhhbmRsZSwiJXMiLHRtcFN0cmlu
Zyk7CiAJICAgICAgIAkgICBpZiAoc3RyY2FzZWNtcCh0bXBTdHJpbmcsIm5vIik9PTApIAog
CQkJdXRpbF9TZXQoQUxMT1dDSEFOR0VOSUNLUyxOTyk7CiAJICAgICAgIGNvbnRpbnVlOwog
CSAgIH0KIAkgICBpZiAoc3RyY2FzZWNtcCh0bXBTdHJpbmcsIkdVRVNUTE9HSU4iKT09MCkg
ewotCSAgICAgICBmc2NhbmYoY29uZmlnRmlsZUhhbmRsZSxmbXQsdG1wU3RyaW5nKTsKKwkg
ICAgICAgZnNjYW5mKGNvbmZpZ0ZpbGVIYW5kbGUsIiVzIix0bXBTdHJpbmcpOwogCSAgICAg
ICAJICAgaWYgKHN0cmNhc2VjbXAodG1wU3RyaW5nLCJubyIpPT0wKQogCQkJdXRpbF9TZXQo
R1VFU1RMT0dJTixOTyk7ICAgICAgIAogCSAgICAgICBjb250aW51ZTsKIAkgICB9CiAJICAg
aWYgKHN0cmNhc2VjbXAodG1wU3RyaW5nLCJEQkFVVEgiKT09MCkgewotCSAgICAgICBmc2Nh
bmYoY29uZmlnRmlsZUhhbmRsZSxmbXQsdG1wU3RyaW5nKTsKKwkgICAgICAgZnNjYW5mKGNv
bmZpZ0ZpbGVIYW5kbGUsIiVzIix0bXBTdHJpbmcpOwogCSAgICAgICAJICAgaWYgKHN0cmNh
c2VjbXAodG1wU3RyaW5nLCJ5ZXMiKT09MCkKIAkJCXV0aWxfU2V0KERCQVVUSCxZRVMpOyAg
ICAgICAKIAkgICAgICAgY29udGludWU7CiAJICAgfQogCSAgIGlmIChzdHJjYXNlY21wKHRt
cFN0cmluZywiREJJTklUIik9PTApIHsKLQkgICAgICAgZnNjYW5mKGNvbmZpZ0ZpbGVIYW5k
bGUsZm10LHRtcFN0cmluZyk7CisJICAgICAgIGZzY2FuZihjb25maWdGaWxlSGFuZGxlLCIl
cyIsdG1wU3RyaW5nKTsKIAkgICAgICAgCSAgIGlmIChzdHJjYXNlY21wKHRtcFN0cmluZywi
eWVzIik9PTApCiAJCQl1dGlsX1NldChEQklOSVQsWUVTKTsgICAgICAgCiAJICAgICAgIGNv
bnRpbnVlOwogCSAgIH0KIAkgICBpZiAoc3RyY2FzZWNtcCh0bXBTdHJpbmcsIlNIT1dIT1NU
UyIpPT0wKSB7Ci0JICAgICAgIGZzY2FuZihjb25maWdGaWxlSGFuZGxlLGZtdCx0bXBTdHJp
bmcpOworCSAgICAgICBmc2NhbmYoY29uZmlnRmlsZUhhbmRsZSwiJXMiLHRtcFN0cmluZyk7
CiAJICAgICAgIAkgICBpZiAoc3RyY2FzZWNtcCh0bXBTdHJpbmcsIm5vIik9PTApCiAJCQl1
dGlsX1NldChTSE9XSE9TVFMsTk8pOyAgICAgICAKIAkgICAgICAgY29udGludWU7CiAJICAg
fQogCSAgIGlmIChzdHJjYXNlY21wKHRtcFN0cmluZywiU1lTQ0hBTk5FTCIpPT0wKSB7CiAJ
ICAgICAgIGZzY2FuZihjb25maWdGaWxlSGFuZGxlLCIlZCIsJmkpOwotCSAgICAgICBmc2Nh
bmYoY29uZmlnRmlsZUhhbmRsZSxmbXQsdG1wU3RyaW5nKTsKKwkgICAgICAgZnNjYW5mKGNv
bmZpZ0ZpbGVIYW5kbGUsIiVzIix0bXBTdHJpbmcpOwogCSAgICAgICBpZiAoKHN0cmxlbih0
bXBTdHJpbmcpPjIpJiYoc3RybGVuKHRtcFN0cmluZyk8TU1BWENIQU5ORUxOQU1FTEVOKSYm
KHRtcFN0cmluZyE9TlVMTCkpCiAJICAgICAgICAgICBpZiAoKGk+MSkmJihpPG1heENoYW5u
ZWxzKSkKIAkJICAgICAgIGlmIChjaGFubmVsW2ldLm93bmVyPT1OT0JPRFkpIHsKQEAgLTY0
Miw5ICs2MzksOSBAQAogCSAgIH0KIAkgICBpZiAoc3RyY2FzZWNtcCh0bXBTdHJpbmcsIkdS
T1VQIik9PTApIHsKIAkgICAgICAgZnNjYW5mKGNvbmZpZ0ZpbGVIYW5kbGUsIiVkIiwmaSk7
Ci0JICAgICAgIGZzY2FuZihjb25maWdGaWxlSGFuZGxlLGZtdCx0bXBTdHJpbmcpOwotCSAg
ICAgICBmc2NhbmYoY29uZmlnRmlsZUhhbmRsZSxmbXQyLHRtcFN0cmluZzIpOwotCSAgICAg
ICBmc2NhbmYoY29uZmlnRmlsZUhhbmRsZSxmbXQyLHRtcFN0cmluZzMpOworCSAgICAgICBm
c2NhbmYoY29uZmlnRmlsZUhhbmRsZSwiJXMiLHRtcFN0cmluZyk7CisJICAgICAgIGZzY2Fu
Zihjb25maWdGaWxlSGFuZGxlLCIlcyIsdG1wU3RyaW5nMik7CisJICAgICAgIGZzY2FuZihj
b25maWdGaWxlSGFuZGxlLCIlcyIsdG1wU3RyaW5nMyk7CiAJICAgICAgIGlmICgodG1wU3Ry
aW5nIT1OVUxMKSYmKHRtcFN0cmluZzIhPU5VTEwpJiYoaT4wKSkKIAkgICAgICAgICAgIHV0
aWxfaW5zZXJ0R3JvdXAoaSx0bXBTdHJpbmcsdG1wU3RyaW5nMix0bXBTdHJpbmczKTsKIAkg
ICAgICAgY29udGludWU7CkBAIC02NTksOCArNjU2LDggQEAKIAkgICB9CiAJICAgaWYgKHN0
cmNhc2VjbXAodG1wU3RyaW5nLCJHUlBQRVJNUyIpPT0wKSB7CiAJICAgICAgIGZzY2FuZihj
b25maWdGaWxlSGFuZGxlLCIlZCIsJmkpOwotCSAgICAgICBmc2NhbmYoY29uZmlnRmlsZUhh
bmRsZSxmbXQsdG1wU3RyaW5nKTsKLQkgICAgICAgZnNjYW5mKGNvbmZpZ0ZpbGVIYW5kbGUs
Zm10Mix0bXBTdHJpbmcyKTsKKwkgICAgICAgZnNjYW5mKGNvbmZpZ0ZpbGVIYW5kbGUsIiVz
Iix0bXBTdHJpbmcpOworCSAgICAgICBmc2NhbmYoY29uZmlnRmlsZUhhbmRsZSwiJXMiLHRt
cFN0cmluZzIpOwogCSAgICAgICBpZiAoKHRtcFN0cmluZyE9TlVMTCkmJih0bXBTdHJpbmcy
IT1OVUxMKSYmKGk+MCkpIHsKIAkgICAgICAgICAgIGlmIChzdHJjYXNlY21wKHRtcFN0cmlu
ZywiQUxMT1dFRF9UT19UQUxLIik9PTApIHsKIAkJICAgICAgIGlmIChzdHJjYXNlY21wKHRt
cFN0cmluZzIsIm5vIik9PTApIHV0aWxfc2V0R3JvdXBQZXJtcyhpLEdSUF9BTExPV0VEX1RP
X1RBTEssTk8pOwpAQCAtNzI2LDcgKzcyMyw3IEBACiAjZW5kaWYKIAogdm9pZCB1dGlsX1By
aW50Q29uZmlndXJhdGlvbigpIHsKLSAgICBjaGFyIGluZm9UZXh0WzMwMF07CisgICAgY2hh
ciBpbmZvVGV4dFsyNTBdOwogICAgIGhvc3RzbGlzdCAqbHA7CiAgICAgCiAgICAgc3ByaW50
ZihpbmZvVGV4dCwiLS0+IFVzaW5nIGNvbmZpZ2ZpbGU6ICVzICglZCwleClcclxuIixzZXJ2
ZXIuY29uZmlnRmlsZU5hbWUsYWRtaW4uY29uZmlnLGFkbWluLmNvbmZpZyk7Cg==
--------------030209030302080402020902--
