From 78cfdd7edbf06d39e12052305264885810b7f96b Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Thu, 6 Sep 2007 20:20:55 +0000
Subject: [PATCH] - incorporate updated fix for CVE-2007-3999
---
CVE-2007-3999-2.patch | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 CVE-2007-3999-2.patch
diff --git a/CVE-2007-3999-2.patch b/CVE-2007-3999-2.patch
new file mode 100644
index 0000000..3ef2e7e
--- /dev/null
+++ b/CVE-2007-3999-2.patch
@@ -0,0 +1,30 @@
+*** src/lib/rpc/svc_auth_gss.c (revision 20474)
+--- src/lib/rpc/svc_auth_gss.c (local)
+***************
+*** 355,360 ****
+--- 355,369 ----
+ memset(rpchdr, 0, sizeof(rpchdr));
+
+ /* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
++ oa = &msg->rm_call.cb_cred;
++ if (oa->oa_length > MAX_AUTH_BYTES)
++ return (FALSE);
++
++ /* 8 XDR units from the IXDR macro calls. */
++ if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
++ RNDUP(oa->oa_length)))
++ return (FALSE);
++
+ buf = (int32_t *)(void *)rpchdr;
+ IXDR_PUT_LONG(buf, msg->rm_xid);
+ IXDR_PUT_ENUM(buf, msg->rm_direction);
+***************
+*** 362,368 ****
+ IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
+ IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
+ IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
+- oa = &msg->rm_call.cb_cred;
+ IXDR_PUT_ENUM(buf, oa->oa_flavor);
+ IXDR_PUT_LONG(buf, oa->oa_length);
+ if (oa->oa_length) {
+--- 371,376 ----
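Review bot: The two added guards are only safe in this order, and nothing in the added lines records that. `oa->oa_length` comes from the credential in the incoming call message, and assuming the usual unsigned length field, the `RNDUP(oa->oa_length)` term in the `sizeof(rpchdr)` comparison could wrap for a very large length if the `MAX_AUTH_BYTES` check did not run first. I would put a comment above the first check, e.g. `/* Bound oa_length first so the RNDUP() sum below cannot wrap. */`, so a later cleanup does not merge or reorder the two tests. The literal `8` has to match the number of IXDR_PUT_* stores that follow, one of which presumably sits on the line between the two inner hunks and is not shown; a named constant or a matching comment at those stores would keep the count from drifting. The enclosing function starts and ends outside the patch.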