Openembedded Core Discussions
* [PATCH 00/10][daisy] Patches for Daisy
@ 2015-02-05 18:39 Saul Wold
  2015-02-05 18:39 ` [PATCH 01/10] cpio: fix bug CVE-2014-9112 for cpio-2.11 Saul Wold
                   ` (9 more replies)
  0 siblings, 10 replies; 11+ messages in thread
From: Saul Wold @ 2015-02-05 18:39 UTC (permalink / raw)
  To: openembedded-core

Richard,

Here is a set of tested patches for Daisy, there is one other pending for the Yocto-BSP
on the Poky side.

We have one known issue for QEMU and SDL on Debian8 which is a new Host OS Distro
which is not guaranteed to work.

Sau!

Bian Naimeng (2):
  cpio: fix bug CVE-2014-9112 for cpio-2.11
  cpio: fix bug CVE-2014-9112 for cpio-2.8

Chong Lu (1):
  file: CVE-2014-9620 and CVE-2014-9621

Jonathan Liu (1):
  systemd: backport patch to fix reading journal backwards

Martin Jansa (1):
  update-rc.d: Allow to use different initscripts provider

Saul Wold (3):
  resolvconf: add fixes for busybox and make it work
  openssh: move setting LD to allow for correct override
  btrfs: create an empty file to build the fs in

Sona Sarmadi (2):
  python: Disables SSLv3
  bind: fix for CVE-2014-8500

 meta/classes/image_types.bbclass                   |    4 +-
 meta/classes/update-rc.d.bbclass                   |    3 +-
 .../bind/bind/bind9_9_5-CVE-2014-8500.patch        |  990 ++++++++++++++
 meta/recipes-connectivity/bind/bind_9.9.5.bb       |    1 +
 meta/recipes-connectivity/openssh/openssh_6.5p1.bb |    2 +-
 .../resolvconf/resolvconf/99_resolvconf            |    4 +
 .../resolvconf/fix-path-for-busybox.patch          |   20 +
 .../resolvconf/resolvconf_1.74.bb                  |   19 +-
 ...-Fix-navigating-backwards-missing-entries.patch |   34 +
 meta/recipes-core/systemd/systemd_211.bb           |    1 +
 .../file-CVE-2014-9620-and-CVE-2014-9621.patch     | 1359 ++++++++++++++++++++
 meta/recipes-devtools/file/file_5.16.bb            |    1 +
 .../python/python/python2.7.3-nossl3.patch         |   37 +
 meta/recipes-devtools/python/python_2.7.3.bb       |    1 +
 .../cpio/cpio-2.11/fix-memory-overrun.patch        |  220 ++++
 .../cpio/cpio-2.8/fix-memory-overrun.patch         |  217 ++++
 meta/recipes-extended/cpio/cpio_2.11.bb            |    3 +-
 meta/recipes-extended/cpio/cpio_2.8.bb             |    7 +-
 18 files changed, 2911 insertions(+), 12 deletions(-)
 create mode 100644 meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch
 create mode 100644 meta/recipes-connectivity/resolvconf/resolvconf/99_resolvconf
 create mode 100644 meta/recipes-connectivity/resolvconf/resolvconf/fix-path-for-busybox.patch
 create mode 100644 meta/recipes-core/systemd/systemd/0001-journal-Fix-navigating-backwards-missing-entries.patch
 create mode 100644 meta/recipes-devtools/file/file/file-CVE-2014-9620-and-CVE-2014-9621.patch
 create mode 100644 meta/recipes-devtools/python/python/python2.7.3-nossl3.patch
 create mode 100644 meta/recipes-extended/cpio/cpio-2.11/fix-memory-overrun.patch
 create mode 100644 meta/recipes-extended/cpio/cpio-2.8/fix-memory-overrun.patch

-- 
2.1.0




* [PATCH 01/10] cpio: fix bug CVE-2014-9112 for cpio-2.11
  2015-02-05 18:39 [PATCH 00/10][daisy] Patches for Daisy Saul Wold
@ 2015-02-05 18:39 ` Saul Wold
  2015-02-05 18:39 ` [PATCH 02/10] cpio: fix bug CVE-2014-9112 for cpio-2.8 Saul Wold
                   ` (8 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Saul Wold @ 2015-02-05 18:39 UTC (permalink / raw)
  To: openembedded-core

From: Bian Naimeng <biannm@cn.fujitsu.com>

Obtain details from the following URLs.
  http://lists.gnu.org/archive/html/bug-cpio/2014-12/msg00000.html
  http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff670dcfcdd28fcc990e79cd6fccc7ae48d

(From OE-Core rev: 9a32da05f5a9bc62c592fd2d6057dc052e363261)

Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../cpio/cpio-2.11/fix-memory-overrun.patch        | 220 +++++++++++++++++++++
 meta/recipes-extended/cpio/cpio_2.11.bb            |   3 +-
 2 files changed, 222 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/cpio/cpio-2.11/fix-memory-overrun.patch

diff --git a/meta/recipes-extended/cpio/cpio-2.11/fix-memory-overrun.patch b/meta/recipes-extended/cpio/cpio-2.11/fix-memory-overrun.patch
new file mode 100644
index 0000000..89cd3cf
--- /dev/null
+++ b/meta/recipes-extended/cpio/cpio-2.11/fix-memory-overrun.patch
@@ -0,0 +1,220 @@
+cpio: Fix memory overrun on reading improperly created link records
+
+Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
+
+http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff670dcfcdd28fcc990e79cd6fccc7ae48d
+
+  * src/copyin.c (get_link_name): New function.
+  (list_file, copyin_link): use get_link_name
+
+  * tests/symlink-bad-length.at: New file.
+  * tests/symlink-long.at: New file.
+  * tests/Makefile.am: Add new files.
+  * tests/testsuite.at: Likewise.
+
+  See http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
+
+Upstream-Status: Backport
+
+Signed-off-by: Sergey Poznyakoff <gray@gnu.org.ua>
+
+diff -Nurp cpio-2.11.orig/src/copyin.c cpio-2.11/src/copyin.c
+--- cpio-2.11.orig/src/copyin.c	2010-02-15 18:02:23.000000000 +0800
++++ cpio-2.11/src/copyin.c	2014-12-08 13:14:04.355547508 +0800
+@@ -126,6 +126,28 @@ tape_skip_padding (int in_file_des, off_
+ }
+ 
+ \f
++static char *
++get_link_name (struct cpio_file_stat *file_hdr, int in_file_des)
++{
++  off_t n = file_hdr->c_filesize + 1;
++  char *link_name;
++
++  if (n == 0 || n > SIZE_MAX)
++    {
++      error (0, 0, _("%s: stored filename length too big"), file_hdr->c_name);
++      link_name = NULL;
++    }
++  else
++    {
++      link_name = xmalloc (n);
++      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
++      link_name[file_hdr->c_filesize] = '\0';
++      tape_skip_padding (in_file_des, file_hdr->c_filesize);
++    }
++  return link_name;
++}
++
++\f
+ static void
+ list_file(struct cpio_file_stat* file_hdr, int in_file_des)
+ {
+@@ -136,21 +158,16 @@ list_file(struct cpio_file_stat* file_hd
+ 	{
+ 	  if (archive_format != arf_tar && archive_format != arf_ustar)
+ 	    {
+-	      char *link_name = NULL;	/* Name of hard and symbolic links.  */
+-
+-	      link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
+-	      link_name[file_hdr->c_filesize] = '\0';
+-	      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+-	      long_format (file_hdr, link_name);
+-	      free (link_name);
+-	      tape_skip_padding (in_file_des, file_hdr->c_filesize);
+-	      return;
++	      char *link_name = get_link_name (file_hdr, in_file_des);
++	      if (link_name)
++		{
++		  long_format (file_hdr, link_name);
++		  free (link_name);
++		}
+ 	    }
+ 	  else
+-	    {
+ 	      long_format (file_hdr, file_hdr->c_tar_linkname);
+-	      return;
+-	    }
++	  return;
+ 	}
+       else
+ #endif
+@@ -650,10 +667,7 @@ copyin_link(struct cpio_file_stat *file_
+ 
+   if (archive_format != arf_tar && archive_format != arf_ustar)
+     {
+-      link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
+-      link_name[file_hdr->c_filesize] = '\0';
+-      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+-      tape_skip_padding (in_file_des, file_hdr->c_filesize);
++      link_name = get_link_name (file_hdr, in_file_des);
+     }
+   else
+     {
+diff -Nurp cpio-2.11.orig/tests/Makefile.am cpio-2.11/tests/Makefile.am
+--- cpio-2.11.orig/tests/Makefile.am	2010-02-15 18:02:23.000000000 +0800
++++ cpio-2.11/tests/Makefile.am	2014-12-08 13:14:49.931545727 +0800
+@@ -52,6 +52,8 @@ TESTSUITE_AT = \
+  setstat04.at\
+  setstat05.at\
+  symlink.at\
++ symlink-bad-length.at\
++ symlink-long.at\
+  version.at
+ 
+ TESTSUITE = $(srcdir)/testsuite
+diff -Nurp cpio-2.11.orig/tests/symlink-bad-length.at cpio-2.11/tests/symlink-bad-length.at
+--- cpio-2.11.orig/tests/symlink-bad-length.at	1970-01-01 08:00:00.000000000 +0800
++++ cpio-2.11/tests/symlink-bad-length.at	2014-12-08 13:17:45.979538847 +0800
+@@ -0,0 +1,49 @@
++# Process this file with autom4te to create testsuite.  -*- Autotest -*-
++# Copyright (C) 2014 Free Software Foundation, Inc.
++
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3, or (at your option)
++# any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
++# 02110-1301 USA.
++
++# Cpio v2.11 did segfault with badly set symlink length.
++# References:
++# http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
++
++AT_SETUP([symlink-bad-length])
++AT_KEYWORDS([symlink-long copyout])
++
++AT_DATA([ARCHIVE.base64],
++[x3EjAIBAtIEtJy8nAQAAAHRUYW0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxIwBgQ/+hLScv
++JwEAAAB0VEhuBQD/////TElOSwAARklMRcdxAAAAAAAAAAAAAAEAAAAAAAAACwAAAAAAVFJBSUxF
++UiEhIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
++])
++
++AT_CHECK([
++base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
++cpio -ntv < ARCHIVE
++test $? -eq 2
++],
++[0],
++[-rw-rw-r--   1 10029    10031          13 Nov 25 13:52 FILE
++],[cpio: LINK: stored filename length too big
++cpio: premature end of file
++])
++
++AT_CLEANUP
+diff -Nurp cpio-2.11.orig/tests/symlink-long.at cpio-2.11/tests/symlink-long.at
+--- cpio-2.11.orig/tests/symlink-long.at	1970-01-01 08:00:00.000000000 +0800
++++ cpio-2.11/tests/symlink-long.at	2014-12-08 13:17:57.219538408 +0800
+@@ -0,0 +1,46 @@
++# Process this file with autom4te to create testsuite.  -*- Autotest -*-
++# Copyright (C) 2014 Free Software Foundation, Inc.
++
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3, or (at your option)
++# any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
++# 02110-1301 USA.
++
++# Cpio v2.11.90 changed the way symlink name is read from archive.
++# References:
++# http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
++
++AT_SETUP([symlink-long])
++AT_KEYWORDS([symlink-long copyout])
++
++AT_CHECK([
++
++# len(dirname) > READBUFSIZE
++dirname=
++for i in {1..52}; do
++    dirname="xxxxxxxxx/$dirname"
++    mkdir "$dirname"
++done
++ln -s "$dirname" x || AT_SKIP_TEST
++
++echo x | cpio -o > ar
++list=`cpio -tv < ar | sed 's|.*-> ||'`
++test "$list" = "$dirname" && echo success || echo fail
++],
++[0],
++[success
++],[2 blocks
++2 blocks
++])
++
++AT_CLEANUP
+diff -Nurp cpio-2.11.orig/tests/testsuite.at cpio-2.11/tests/testsuite.at
+--- cpio-2.11.orig/tests/testsuite.at	2010-02-15 18:02:23.000000000 +0800
++++ cpio-2.11/tests/testsuite.at	2014-12-08 13:15:13.515544805 +0800
+@@ -31,6 +31,8 @@ m4_include([version.at])
+ 
+ m4_include([inout.at])
+ m4_include([symlink.at])
++m4_include([symlink-bad-length.at])
++m4_include([symlink-long.at])
+ m4_include([interdir.at])
+ 
+ m4_include([setstat01.at])
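
Review bot: In get_link_name() in src/copyin.c, n is a signed off_t and the guard `if (n == 0 || n > SIZE_MAX)` only catches the wrap to zero and values above SIZE_MAX, so a negative n passes both tests and reaches `xmalloc (n)` and the `link_name[file_hdr->c_filesize] = '\0'` store. Suggest rejecting `n <= 0` as well. The list_file hunk checks the return value with `if (link_name)`, but the copyin_link hunk shows only the assignment `link_name = get_link_name (file_hdr, in_file_des);`, so please confirm the code that follows in copyin_link handles a NULL link_name.
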
diff --git a/meta/recipes-extended/cpio/cpio_2.11.bb b/meta/recipes-extended/cpio/cpio_2.11.bb
index 5f88b30..c42db6f 100644
--- a/meta/recipes-extended/cpio/cpio_2.11.bb
+++ b/meta/recipes-extended/cpio/cpio_2.11.bb
@@ -3,9 +3,10 @@ include cpio_v2.inc
 LICENSE = "GPLv3"
 LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949"
 
-PR = "r4"
+PR = "r5"
 
 SRC_URI += "file://remove-gets.patch \
+	    file://fix-memory-overrun.patch \
            "
 
 SRC_URI[md5sum] = "1112bb6c45863468b5496ba128792f6c"
-- 
2.1.0




* [PATCH 02/10] cpio: fix bug CVE-2014-9112 for cpio-2.8
  2015-02-05 18:39 [PATCH 00/10][daisy] Patches for Daisy Saul Wold
  2015-02-05 18:39 ` [PATCH 01/10] cpio: fix bug CVE-2014-9112 for cpio-2.11 Saul Wold
@ 2015-02-05 18:39 ` Saul Wold
  2015-02-05 18:39 ` [PATCH 03/10] resolvconf: add fixes for busybox and make it work Saul Wold
                   ` (7 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Saul Wold @ 2015-02-05 18:39 UTC (permalink / raw)
  To: openembedded-core

From: Bian Naimeng <biannm@cn.fujitsu.com>

Obtain details from the following URLs.
http://lists.gnu.org/archive/html/bug-cpio/2014-12/msg00000.html
http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff670dcfcdd28fcc990e79cd6fccc7ae48d

(From OE-Core rev: 732fc8de55a9c7987608162879959c03423de907)

Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../cpio/cpio-2.8/fix-memory-overrun.patch         | 217 +++++++++++++++++++++
 meta/recipes-extended/cpio/cpio_2.8.bb             |   7 +-
 2 files changed, 221 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-extended/cpio/cpio-2.8/fix-memory-overrun.patch

diff --git a/meta/recipes-extended/cpio/cpio-2.8/fix-memory-overrun.patch b/meta/recipes-extended/cpio/cpio-2.8/fix-memory-overrun.patch
new file mode 100644
index 0000000..0148e70
--- /dev/null
+++ b/meta/recipes-extended/cpio/cpio-2.8/fix-memory-overrun.patch
@@ -0,0 +1,217 @@
+cpio: Fix memory overrun on reading improperly created link records
+
+Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
+
+http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff670dcfcdd28fcc990e79cd6fccc7ae48d
+
+  * src/copyin.c (get_link_name): New function.
+  (list_file, copyin_link): use get_link_name
+
+  * tests/symlink-bad-length.at: New file.
+  * tests/symlink-long.at: New file.
+  * tests/Makefile.am: Add new files.
+  * tests/testsuite.at: Likewise.
+
+  See http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
+
+Upstream-Status: Backport
+
+Signed-off-by: Sergey Poznyakoff <gray@gnu.org.ua>
+
+diff -Nurp cpio-2.8.orig/src/copyin.c cpio-2.8/src/copyin.c
+--- cpio-2.8.orig/src/copyin.c	2007-06-07 19:58:03.000000000 +0800
++++ cpio-2.8/src/copyin.c	2014-12-08 11:30:01.159791484 +0800
+@@ -126,6 +126,28 @@ tape_skip_padding (int in_file_des, int
+ }
+ 
+ \f
++static char *
++get_link_name (struct cpio_file_stat *file_hdr, int in_file_des)
++{
++  off_t n = file_hdr->c_filesize + 1;
++  char *link_name;
++
++  if (n == 0 || n > SIZE_MAX)
++    {
++      error (0, 0, _("%s: stored filename length too big"), file_hdr->c_name);
++      link_name = NULL;
++    }
++  else
++    {
++      link_name = xmalloc (n);
++      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
++      link_name[file_hdr->c_filesize] = '\0';
++      tape_skip_padding (in_file_des, file_hdr->c_filesize);
++    }
++  return link_name;
++}
++
++\f
+ static void
+ list_file(struct cpio_file_stat* file_hdr, int in_file_des)
+ {
+@@ -136,21 +158,16 @@ list_file(struct cpio_file_stat* file_hd
+ 	{
+ 	  if (archive_format != arf_tar && archive_format != arf_ustar)
+ 	    {
+-	      char *link_name = NULL;	/* Name of hard and symbolic links.  */
+-
+-	      link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
+-	      link_name[file_hdr->c_filesize] = '\0';
+-	      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+-	      long_format (file_hdr, link_name);
+-	      free (link_name);
+-	      tape_skip_padding (in_file_des, file_hdr->c_filesize);
+-	      return;
++	      char *link_name = get_link_name (file_hdr, in_file_des);
++	      if (link_name)
++		{
++		  long_format (file_hdr, link_name);
++		  free (link_name);
++		}
+ 	    }
+ 	  else
+-	    {
+ 	      long_format (file_hdr, file_hdr->c_tar_linkname);
+-	      return;
+-	    }
++	  return;
+ 	}
+       else
+ #endif
+@@ -732,10 +749,7 @@ copyin_link(struct cpio_file_stat *file_
+ 
+   if (archive_format != arf_tar && archive_format != arf_ustar)
+     {
+-      link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
+-      link_name[file_hdr->c_filesize] = '\0';
+-      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+-      tape_skip_padding (in_file_des, file_hdr->c_filesize);
++      link_name = get_link_name (file_hdr, in_file_des);
+     }
+   else
+     {
+diff -Nurp cpio-2.8.orig/tests/Makefile.am cpio-2.8/tests/Makefile.am
+--- cpio-2.8.orig/tests/Makefile.am	2006-10-24 18:32:13.000000000 +0800
++++ cpio-2.8/tests/Makefile.am	2014-12-08 11:30:52.387789482 +0800
+@@ -45,6 +45,8 @@ TESTSUITE_AT = \
+  testsuite.at\
+  inout.at\
+  symlink.at\
++ symlink-bad-length.at\
++ symlink-long.at\
+  version.at
+ 
+ TESTSUITE = $(srcdir)/testsuite
+diff -Nurp cpio-2.8.orig/tests/symlink-bad-length.at cpio-2.8/tests/symlink-bad-length.at
+--- cpio-2.8.orig/tests/symlink-bad-length.at	1970-01-01 08:00:00.000000000 +0800
++++ cpio-2.8/tests/symlink-bad-length.at	2014-12-08 11:33:25.283783507 +0800
+@@ -0,0 +1,49 @@
++# Process this file with autom4te to create testsuite.  -*- Autotest -*-
++# Copyright (C) 2014 Free Software Foundation, Inc.
++
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3, or (at your option)
++# any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
++# 02110-1301 USA.
++
++# Cpio v2.11 did segfault with badly set symlink length.
++# References:
++# http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
++
++AT_SETUP([symlink-bad-length])
++AT_KEYWORDS([symlink-long copyout])
++
++AT_DATA([ARCHIVE.base64],
++[x3EjAIBAtIEtJy8nAQAAAHRUYW0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxIwBgQ/+hLScv
++JwEAAAB0VEhuBQD/////TElOSwAARklMRcdxAAAAAAAAAAAAAAEAAAAAAAAACwAAAAAAVFJBSUxF
++UiEhIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
++])
++
++AT_CHECK([
++base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
++cpio -ntv < ARCHIVE
++test $? -eq 2
++],
++[0],
++[-rw-rw-r--   1 10029    10031          13 Nov 25 13:52 FILE
++],[cpio: LINK: stored filename length too big
++cpio: premature end of file
++])
++
++AT_CLEANUP
+diff -Nurp cpio-2.8.orig/tests/symlink-long.at cpio-2.8/tests/symlink-long.at
+--- cpio-2.8.orig/tests/symlink-long.at	1970-01-01 08:00:00.000000000 +0800
++++ cpio-2.8/tests/symlink-long.at	2014-12-08 11:34:28.807781024 +0800
+@@ -0,0 +1,46 @@
++# Process this file with autom4te to create testsuite.  -*- Autotest -*-
++# Copyright (C) 2014 Free Software Foundation, Inc.
++
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3, or (at your option)
++# any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
++# 02110-1301 USA.
++
++# Cpio v2.11.90 changed the way symlink name is read from archive.
++# References:
++# http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
++
++AT_SETUP([symlink-long])
++AT_KEYWORDS([symlink-long copyout])
++
++AT_CHECK([
++
++# len(dirname) > READBUFSIZE
++dirname=
++for i in {1..52}; do
++    dirname="xxxxxxxxx/$dirname"
++    mkdir "$dirname"
++done
++ln -s "$dirname" x || AT_SKIP_TEST
++
++echo x | cpio -o > ar
++list=`cpio -tv < ar | sed 's|.*-> ||'`
++test "$list" = "$dirname" && echo success || echo fail
++],
++[0],
++[success
++],[2 blocks
++2 blocks
++])
++
++AT_CLEANUP
+diff -Nurp cpio-2.8.orig/tests/testsuite.at cpio-2.8/tests/testsuite.at
+--- cpio-2.8.orig/tests/testsuite.at	2006-10-24 18:32:13.000000000 +0800
++++ cpio-2.8/tests/testsuite.at	2014-12-08 11:34:56.515779942 +0800
+@@ -31,3 +31,5 @@ m4_include([version.at])
+ 
+ m4_include([inout.at])
+ m4_include([symlink.at])
++m4_include([symlink-bad-length.at])
++m4_include([symlink-long.at])
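
Review bot: In tests/symlink-long.at the loop `for i in {1..52}; do` depends on brace expansion, which is not POSIX sh; in a shell without it the body runs once, dirname is a single component instead of 52, and the check still prints "success" without exercising the `len(dirname) > READBUFSIZE` case the comment describes. Suggest a portable counter loop. Separately, the copyin.c context in this 2.8 patch shows `tape_skip_padding (int in_file_des, int` where the 2.11 patch shows `off_`, while get_link_name() is carried over unchanged; please confirm the type of c_filesize in 2.8 still makes `c_filesize + 1` trip the `n == 0` test for the symlink-bad-length archive.
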
diff --git a/meta/recipes-extended/cpio/cpio_2.8.bb b/meta/recipes-extended/cpio/cpio_2.8.bb
index b6da207..3f97dbe 100644
--- a/meta/recipes-extended/cpio/cpio_2.8.bb
+++ b/meta/recipes-extended/cpio/cpio_2.8.bb
@@ -3,11 +3,12 @@ require cpio_v2.inc
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b7f772ea3a2489231cb4872656cac34b"
 
-PR = "r3"
+PR = "r4"
 
 SRC_URI += "file://m4extensions.patch \
-    file://avoid_heap_overflow.patch \
-    "
+	    file://avoid_heap_overflow.patch \
+	    file://fix-memory-overrun.patch \
+	   "
 
 SRC_URI[md5sum] = "0caa356e69e149fb49b76bacc64615a1"
 SRC_URI[sha256sum] = "1b203248874c3b5a728b351f06513e5282f73e0170b7f207fbf8c39f28f6b4ad"
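
Review bot: The recipe context states `LICENSE = "GPLv2"`, but the fix-memory-overrun.patch added to SRC_URI here creates tests/symlink-bad-length.at and tests/symlink-long.at, whose headers read "either version 3, or (at your option) any later version". Suggest dropping the two test files and the tests/Makefile.am and tests/testsuite.at changes from the 2.8 backport, and confirming the license terms of the backported src/copyin.c change, so the GPLv2 recipe does not pick up GPLv3 content. The re-indentation of the existing `file://avoid_heap_overflow.patch \` line is unrelated whitespace churn and could be left out.
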
-- 
2.1.0




* [PATCH 03/10] resolvconf: add fixes for busybox and make it work
  2015-02-05 18:39 [PATCH 00/10][daisy] Patches for Daisy Saul Wold
  2015-02-05 18:39 ` [PATCH 01/10] cpio: fix bug CVE-2014-9112 for cpio-2.11 Saul Wold
  2015-02-05 18:39 ` [PATCH 02/10] cpio: fix bug CVE-2014-9112 for cpio-2.8 Saul Wold
@ 2015-02-05 18:39 ` Saul Wold
  2015-02-05 18:39 ` [PATCH 04/10] openssh: move setting LD to allow for correct override Saul Wold
                   ` (6 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Saul Wold @ 2015-02-05 18:39 UTC (permalink / raw)
  To: openembedded-core

resolvconf was missing a script and needed readlink which was in
/usr/bin.  Also the /etc/resolv.conf was not being correctly linked
to /etc/resolvconf/run/resolv.conf, which is fixed by the volatiles
change which is now a file as opposed to created in do_install.

Ensure that the correct scripts for ifup/ifdown get installed and that
resolvconf is correctly enabled at startup

[YOCTO #5361]

(From OE-Core rev: 853e8d2c7aff6dddc1d555af22f54c4ecef13df1)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Conflicts:
	meta/recipes-connectivity/resolvconf/resolvconf_1.74.bb
---
 .../resolvconf/resolvconf/99_resolvconf              |  4 ++++
 .../resolvconf/resolvconf/fix-path-for-busybox.patch | 20 ++++++++++++++++++++
 .../resolvconf/resolvconf_1.74.bb                    | 19 +++++++++++++++----
 3 files changed, 39 insertions(+), 4 deletions(-)
 create mode 100644 meta/recipes-connectivity/resolvconf/resolvconf/99_resolvconf
 create mode 100644 meta/recipes-connectivity/resolvconf/resolvconf/fix-path-for-busybox.patch

diff --git a/meta/recipes-connectivity/resolvconf/resolvconf/99_resolvconf b/meta/recipes-connectivity/resolvconf/resolvconf/99_resolvconf
new file mode 100644
index 0000000..3790d77
--- /dev/null
+++ b/meta/recipes-connectivity/resolvconf/resolvconf/99_resolvconf
@@ -0,0 +1,4 @@
+d root root 0755 /var/run/resolvconf/interface none
+f root root 0644 /etc/resolvconf/run/resolv.conf none
+f root root 0644 /etc/resolvconf/run/enable-updates none
+l root root 0644 /etc/resolv.conf /etc/resolvconf/run/resolv.conf
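
Review bot: All four entries hardcode /var/run and /etc, whereas the `echo` this file replaces in do_install built the path from `${localstatedir}/run/${BPN}/interface`. Suggest generating the file in do_install, or substituting the variables at install time, so a configuration with non-default sysconfdir or localstatedir gets matching paths.
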
diff --git a/meta/recipes-connectivity/resolvconf/resolvconf/fix-path-for-busybox.patch b/meta/recipes-connectivity/resolvconf/resolvconf/fix-path-for-busybox.patch
new file mode 100644
index 0000000..1aead07
--- /dev/null
+++ b/meta/recipes-connectivity/resolvconf/resolvconf/fix-path-for-busybox.patch
@@ -0,0 +1,20 @@
+
+busybox installs readlink into /usr/bin, so ensure /usr/bin
+is in the path.
+
+Upstream-Status: Submitted
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+
+Index: resolvconf-1.76/etc/resolvconf/update.d/libc
+===================================================================
+--- resolvconf-1.76.orig/etc/resolvconf/update.d/libc
++++ resolvconf-1.76/etc/resolvconf/update.d/libc
+@@ -16,7 +16,7 @@
+ #
+ 
+ set -e
+-PATH=/sbin:/bin
++PATH=/sbin:/bin:/usr/bin
+ 
+ [ -x /lib/resolvconf/list-records ] || exit 1
+ 
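
Review bot: The patch header targets `resolvconf-1.76/etc/resolvconf/update.d/libc`, while the recipe that applies it is resolvconf_1.74.bb; please confirm it applies to the 1.74 tarball without fuzz, or regenerate it against 1.74.
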
diff --git a/meta/recipes-connectivity/resolvconf/resolvconf_1.74.bb b/meta/recipes-connectivity/resolvconf/resolvconf_1.74.bb
index 5897e40..3ae624d 100644
--- a/meta/recipes-connectivity/resolvconf/resolvconf_1.74.bb
+++ b/meta/recipes-connectivity/resolvconf/resolvconf_1.74.bb
@@ -11,7 +11,11 @@ AUTHOR = "Thomas Hood"
 HOMEPAGE = "http://packages.debian.org/resolvconf"
 RDEPENDS_${PN} = "bash"
 
-SRC_URI = "${DEBIAN_MIRROR}/main/r/resolvconf/resolvconf_${PV}.tar.gz"
+SRC_URI = "${DEBIAN_MIRROR}/main/r/resolvconf/resolvconf_${PV}.tar.gz \
+           file://fix-path-for-busybox.patch \
+           file://99_resolvconf \
+          "
+
 
 SRC_URI[md5sum] = "2f190d3bb8960b69157f63590c262e93"
 SRC_URI[sha256sum] = "2e72e6884e9105cbf57101ab0f11e768717b6f76b7f5100c6a2a0cc69bb3d4a0"
@@ -24,13 +28,13 @@ do_compile () {
 
 do_install () {
 	install -d ${D}${sysconfdir}/default/volatiles
-	echo "d root root 0755 ${localstatedir}/run/${BPN}/interface none" \
-	     > ${D}${sysconfdir}/default/volatiles/99_resolvconf
-	if ${@base_contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+	install -m 0644 ${WORKDIR}/99_resolvconf ${D}${sysconfdir}/default/volatiles
+	if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
 		install -d ${D}${sysconfdir}/tmpfiles.d
 		echo "d /run/${BPN}/interface - - - -" \
 		     > ${D}${sysconfdir}/tmpfiles.d/resolvconf.conf
 	fi
+	install -d ${D}${base_libdir}/${BPN}
 	install -d ${D}${sysconfdir}/${BPN}
 	ln -snf ${localstatedir}/run/${BPN} ${D}${sysconfdir}/${BPN}/run
 	install -d ${D}${sysconfdir} ${D}${base_sbindir}
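
Review bot: In the systemd branch, tmpfiles.d/resolvconf.conf still declares only `d /run/${BPN}/interface - - - -`, while the new 99_resolvconf volatiles file also creates run/resolv.conf, run/enable-updates and the /etc/resolv.conf link. If the volatiles file is not processed on systemd images, those three entries are missing there; suggest adding matching tmpfiles.d lines, or stating in the commit message where systemd images get them.
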
@@ -38,6 +42,11 @@ do_install () {
 	cp -pPR etc/* ${D}${sysconfdir}/
 	chown -R root:root ${D}${sysconfdir}/
 	install -m 0755 bin/resolvconf ${D}${base_sbindir}/
+	install -m 0755 bin/list-records ${D}${base_libdir}/${BPN}
+	install -d ${D}/${sysconfdir}/network/if-up.d
+	install -m 0755 debian/resolvconf.000resolvconf.if-up ${D}/${sysconfdir}/network/if-up.d/000resolvconf
+	install -d ${D}/${sysconfdir}/network/if-down.d
+	install -m 0755 debian/resolvconf.resolvconf.if-down ${D}/${sysconfdir}/network/if-down.d/resolvconf
 	install -m 0644 README ${D}${docdir}/${P}/
 	install -m 0644 man/resolvconf.8 ${D}${mandir}/man8/
 }
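
Review bot: `install -m 0755 bin/list-records ${D}${base_libdir}/${BPN}` places list-records under base_libdir, but the update.d/libc script patched earlier in this series tests the fixed path `[ -x /lib/resolvconf/list-records ] || exit 1`, so with a base_libdir other than /lib the script exits 1. Suggest installing to a path that matches the script, or patching the script to use the configured directory. Minor: the new lines write `${D}/${sysconfdir}` where the rest of do_install uses `${D}${sysconfdir}`.
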
@@ -51,3 +60,5 @@ pkg_postinst_${PN} () {
 		fi
 	fi
 }
+
+FILES_${PN} += "${base_libdir}/${BPN}"
-- 
2.1.0




* [PATCH 04/10] openssh: move setting LD to allow for correct override
  2015-02-05 18:39 [PATCH 00/10][daisy] Patches for Daisy Saul Wold
                   ` (2 preceding siblings ...)
  2015-02-05 18:39 ` [PATCH 03/10] resolvconf: add fixes for busybox and make it work Saul Wold
@ 2015-02-05 18:39 ` Saul Wold
  2015-02-05 18:39 ` [PATCH 05/10] systemd: backport patch to fix reading journal backwards Saul Wold
                   ` (5 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Saul Wold @ 2015-02-05 18:39 UTC (permalink / raw)
  To: openembedded-core

Using the export LD in the recipe does not allow for secondary toolchain
overriding LD later, by setting it in the do_configure_append the export
is used by autotools setting LD based on the env, but would allow for
override later.

[YOCTO #6997]

(From OE-Core rev: 9b37e630f5f6e37e928f825c4f67481cf58c98a1)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Conflicts:
	meta/recipes-connectivity/openssh/openssh_6.5p1.bb
---
 meta/recipes-connectivity/openssh/openssh_6.5p1.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-connectivity/openssh/openssh_6.5p1.bb b/meta/recipes-connectivity/openssh/openssh_6.5p1.bb
index cf83fb4..20c0407 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.5p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.5p1.bb
@@ -54,7 +54,6 @@ inherit autotools-brokensep
 
 # LFS support:
 CFLAGS += "-D__FILE_OFFSET_BITS=64"
-export LD = "${CC}"
 
 # login path is hardcoded in sshd
 EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
@@ -79,6 +78,7 @@ CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd"
 EXTRA_OECONF_append_libc-uclibc=" --without-pam"
 
 do_configure_prepend () {
+	export LD="${CC}"
 	if [ ! -e acinclude.m4 -a -e aclocal.m4 ]; then
 		cp aclocal.m4 acinclude.m4
 	fi
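
Review bot: The commit message says LD is set in do_configure_append, but this hunk adds `export LD="${CC}"` to do_configure_prepend; please make the message and the code agree. Since the export now exists only in the configure task's shell, also confirm that do_compile and do_install do not depend on LD being `${CC}` in their environment.
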
-- 
2.1.0




* [PATCH 05/10] systemd: backport patch to fix reading journal backwards
  2015-02-05 18:39 [PATCH 00/10][daisy] Patches for Daisy Saul Wold
                   ` (3 preceding siblings ...)
  2015-02-05 18:39 ` [PATCH 04/10] openssh: move setting LD to allow for correct override Saul Wold
@ 2015-02-05 18:39 ` Saul Wold
  2015-02-05 18:39 ` [PATCH 06/10] python: Disables SSLv3 Saul Wold
                   ` (4 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Saul Wold @ 2015-02-05 18:39 UTC (permalink / raw)
  To: openembedded-core

From: Jonathan Liu <net147@gmail.com>

Signed-off-by: Jonathan Liu <net147@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
---
 ...-Fix-navigating-backwards-missing-entries.patch | 34 ++++++++++++++++++++++
 meta/recipes-core/systemd/systemd_211.bb           |  1 +
 2 files changed, 35 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/0001-journal-Fix-navigating-backwards-missing-entries.patch

diff --git a/meta/recipes-core/systemd/systemd/0001-journal-Fix-navigating-backwards-missing-entries.patch b/meta/recipes-core/systemd/systemd/0001-journal-Fix-navigating-backwards-missing-entries.patch
new file mode 100644
index 0000000..621a0da
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-journal-Fix-navigating-backwards-missing-entries.patch
@@ -0,0 +1,34 @@
+From 2173cbf847fc53ca24950e77958c902edecfc207 Mon Sep 17 00:00:00 2001
+From: Olivier Brunel <jjk@jjacky.com>
+Date: Fri, 5 Dec 2014 16:06:45 +0100
+Subject: [PATCH] journal: Fix navigating backwards missing entries
+
+With DIRECTION_UP (i.e. navigating backwards) in generic_array_bisect() when the
+needle was found as the last item in the array, it wasn't actually processed as
+match, resulting in entries being missed.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=86855
+
+Upstream-Status: Backport
+
+Signed-off-by: Jonathan Liu <net147@gmail.com>
+---
+ src/journal/journal-file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c
+index 7858435..c5d2d19 100644
+--- a/src/journal/journal-file.c
++++ b/src/journal/journal-file.c
+@@ -1657,7 +1657,7 @@ static int generic_array_bisect(
+                         }
+                 }
+ 
+-                if (k > n) {
++                if (k >= n) {
+                         if (direction == DIRECTION_UP) {
+                                 i = n;
+                                 subtract_one = true;
+-- 
+2.1.3
+
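Review bot: the changed test `if (k >= n)` in generic_array_bisect() alters the k == n case for every direction, but the description and the visible context cover only the DIRECTION_UP branch. Please say in the patch header what the other path does when k == n, or confirm it was checked against the upstream commit. The outer commit message is also empty apart from the sign-offs; one sentence on which journal reads were missing entries would help anyone triaging this backport.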
diff --git a/meta/recipes-core/systemd/systemd_211.bb b/meta/recipes-core/systemd/systemd_211.bb
index 44b1965..567c323 100644
--- a/meta/recipes-core/systemd/systemd_211.bb
+++ b/meta/recipes-core/systemd/systemd_211.bb
@@ -32,6 +32,7 @@ SRC_URI = "git://anongit.freedesktop.org/systemd/systemd;branch=master;protocol=
            file://uclibc-sysinfo_h.patch \
            file://uclibc-get-physmem.patch \
            file://sd-bus-don-t-use-assert_return-to-check-for-disconne.patch \
+           file://0001-journal-Fix-navigating-backwards-missing-entries.patch \
            \
            file://touchscreen.rules \
            file://00-create-volatile.conf \
-- 
2.1.0




* [PATCH 06/10] python: Disables SSLv3
  2015-02-05 18:39 [PATCH 00/10][daisy] Patches for Daisy Saul Wold
                   ` (4 preceding siblings ...)
  2015-02-05 18:39 ` [PATCH 05/10] systemd: backport patch to fix reading journal backwards Saul Wold
@ 2015-02-05 18:39 ` Saul Wold
  2015-02-05 18:39 ` [PATCH 07/10] update-rc.d: Allow to use different initscripts provider Saul Wold
                   ` (3 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Saul Wold @ 2015-02-05 18:39 UTC (permalink / raw)
  To: openembedded-core

From: Sona Sarmadi <sona.sarmadi@enea.com>

This is related to "SSLv3 POODLE vulnerability" CVE-2014-3566

Building python without SSLv3 support when openssl is built without
any support for SSLv3 (e.g. by adding EXTRA_OECONF = " -no-ssl3" in
the openssl recipes).

Backport from:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768611#22
[python2.7-nossl3.patch] only Modules/_ssl.c is backported.

References:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=7015
https://bugzilla.yoctoproject.org/show_bug.cgi?id=6843
http://bugs.python.org/issue22638
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
---
 .../python/python/python2.7.3-nossl3.patch         | 37 ++++++++++++++++++++++
 meta/recipes-devtools/python/python_2.7.3.bb       |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python/python2.7.3-nossl3.patch

diff --git a/meta/recipes-devtools/python/python/python2.7.3-nossl3.patch b/meta/recipes-devtools/python/python/python2.7.3-nossl3.patch
new file mode 100644
index 0000000..2d35520
--- /dev/null
+++ b/meta/recipes-devtools/python/python/python2.7.3-nossl3.patch
@@ -0,0 +1,37 @@
+python: Building without SSLv3 support
+
+Building without SSLv3 support when openssl is built
+without any support for SSLv3
+
+Upstream-Status: Backport
+
+Reference:
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=76A8611#22
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -ruN a/Modules/_ssl.c b/Modules/_ssl.c
+--- a/Modules/_ssl.c	2014-11-26 07:43:58.755679939 +0100
++++ b/Modules/_ssl.c	2014-11-26 07:49:10.454182400 +0100
+@@ -302,8 +302,10 @@
+     PySSL_BEGIN_ALLOW_THREADS
+     if (proto_version == PY_SSL_VERSION_TLS1)
+         self->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */
++#ifndef OPENSSL_NO_SSL3
+     else if (proto_version == PY_SSL_VERSION_SSL3)
+         self->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */
++#endif
+ #ifndef OPENSSL_NO_SSL2
+     else if (proto_version == PY_SSL_VERSION_SSL2)
+         self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */
+@@ -1777,8 +1779,10 @@
+     PyModule_AddIntConstant(m, "PROTOCOL_SSLv2",
+                             PY_SSL_VERSION_SSL2);
+ #endif
++#ifndef OPENSSL_NO_SSL3
+     PyModule_AddIntConstant(m, "PROTOCOL_SSLv3",
+                             PY_SSL_VERSION_SSL3);
++#endif
+     PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",
+                             PY_SSL_VERSION_SSL23);
+     PyModule_AddIntConstant(m, "PROTOCOL_TLSv1",
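Review bot: with OPENSSL_NO_SSL3 defined, the second hunk (@@ -1777) stops exporting PROTOCOL_SSLv3 from _ssl, and the description says only Modules/_ssl.c is backported, so any Python-level code that imports that constant unconditionally will fail at import time. Please confirm Lib/ssl.py and the ssl tests were checked against a no-ssl3 openssl build, or carry the matching change. In the first hunk, a caller that still passes the numeric PY_SSL_VERSION_SSL3 now falls through to the later branches, which are outside the visible context; it is worth stating what context that produces. The Reference URL in the patch header reads `bug=76A8611#22` while the commit message gives `bug=768611#22`.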
diff --git a/meta/recipes-devtools/python/python_2.7.3.bb b/meta/recipes-devtools/python/python_2.7.3.bb
index 5270df9..4d2594a 100644
--- a/meta/recipes-devtools/python/python_2.7.3.bb
+++ b/meta/recipes-devtools/python/python_2.7.3.bb
@@ -36,6 +36,7 @@ SRC_URI += "\
   file://python-2.7.3-CVE-2013-1752-smtplib-fix.patch \
   file://python-fix-build-error-with-Readline-6.3.patch \
   file://python-2.7.3-CVE-2014-1912.patch \
+  file://python2.7.3-nossl3.patch \
 "
 
 S = "${WORKDIR}/Python-${PV}"
-- 
2.1.0




* [PATCH 07/10] update-rc.d: Allow to use different initscripts provider
  2015-02-05 18:39 [PATCH 00/10][daisy] Patches for Daisy Saul Wold
                   ` (5 preceding siblings ...)
  2015-02-05 18:39 ` [PATCH 06/10] python: Disables SSLv3 Saul Wold
@ 2015-02-05 18:39 ` Saul Wold
  2015-02-05 18:39 ` [PATCH 08/10] file: CVE-2014-9620 and CVE-2014-9621 Saul Wold
                   ` (2 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Saul Wold @ 2015-02-05 18:39 UTC (permalink / raw)
  To: openembedded-core

From: Martin Jansa <martin.jansa@gmail.com>

* until now all recipes were respecting VIRTUAL-RUNTIME_initscripts
  variable but commit bba835fed88c3bd5bb5bd58962034aef57c408d8
  hardcoded "initscripts" runtime dependency

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
---
 meta/classes/update-rc.d.bbclass | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/classes/update-rc.d.bbclass b/meta/classes/update-rc.d.bbclass
index e8debdf..2553afa 100644
--- a/meta/classes/update-rc.d.bbclass
+++ b/meta/classes/update-rc.d.bbclass
@@ -1,7 +1,8 @@
 UPDATERCPN ?= "${PN}"
 
 DEPENDS_append = " update-rc.d-native"
-DEPENDS_append_class-target = " initscripts"
+VIRTUAL-RUNTIME_initscripts ?= "initscripts"
+DEPENDS_append_class-target = " ${VIRTUAL-RUNTIME_initscripts}"
 UPDATERCD = "update-rc.d"
 UPDATERCD_class-cross = ""
 UPDATERCD_class-native = ""
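Review bot: `DEPENDS_append_class-target = " ${VIRTUAL-RUNTIME_initscripts}"` puts a VIRTUAL-RUNTIME value, which names a runtime package, into DEPENDS, which is resolved against recipes at build time. A distro that sets VIRTUAL-RUNTIME_initscripts to a package name that no recipe provides under that name would get an unresolvable build dependency from every recipe inheriting this class. Please document next to the `?=` default that the value must also be a buildable recipe name, or explain in the commit message why a build-time dependency on the initscripts provider is needed at all.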
-- 
2.1.0




* [PATCH 08/10] file: CVE-2014-9620 and CVE-2014-9621
  2015-02-05 18:39 [PATCH 00/10][daisy] Patches for Daisy Saul Wold
                   ` (6 preceding siblings ...)
  2015-02-05 18:39 ` [PATCH 07/10] update-rc.d: Allow to use different initscripts provider Saul Wold
@ 2015-02-05 18:39 ` Saul Wold
  2015-02-05 18:39 ` [PATCH 09/10] bind: fix for CVE-2014-8500 Saul Wold
  2015-02-05 18:39 ` [PATCH 10/10] btrfs: create an empty file to build the fs in Saul Wold
  9 siblings, 0 replies; 11+ messages in thread
From: Saul Wold @ 2015-02-05 18:39 UTC (permalink / raw)
  To: openembedded-core

From: Chong Lu <Chong.Lu@windriver.com>

CVE-2014-9620:
Limit the number of ELF notes processed - DoS
CVE-2014-9621:
Limit string printing to 100 chars - DoS

The patch comes from:
https://github.com/file/file/commit/6ce24f35cd4a43c4bdd249e8e0c4952c1f8eac67
https://github.com/file/file/commit/0056ec32255de1de973574b0300161a1568767d6
https://github.com/file/file/commit/09e41625c999a2e5b51e1092f0ef2432a99b5c33
https://github.com/file/file/commit/af444af0738468393f40f9d2261b1ea10fc4b2ba
https://github.com/file/file/commit/68bd8433c7e11a8dbe100deefdfac69138ee7cd9
https://github.com/file/file/commit/dddd3cdb95210a765dd90f7d722cb8b5534daee7
https://github.com/file/file/commit/445c8fb0ebff85195be94cd9f7e1df89cade5c7f
https://github.com/file/file/commit/ce90e05774dd77d86cfc8dfa6da57b32816841c4
https://github.com/file/file/commit/65437cee25199dbd385fb35901bc0011e164276c

[YOCTO #7178]

Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
[sgw - Fixed magic.h.in to match magic.h]
Signed-off-by: Saul Wold <sgw@linux.intel.com>
---
 .../file-CVE-2014-9620-and-CVE-2014-9621.patch     | 1359 ++++++++++++++++++++
 meta/recipes-devtools/file/file_5.16.bb            |    1 +
 2 files changed, 1360 insertions(+)
 create mode 100644 meta/recipes-devtools/file/file/file-CVE-2014-9620-and-CVE-2014-9621.patch

diff --git a/meta/recipes-devtools/file/file/file-CVE-2014-9620-and-CVE-2014-9621.patch b/meta/recipes-devtools/file/file/file-CVE-2014-9620-and-CVE-2014-9621.patch
new file mode 100644
index 0000000..af02b99
--- /dev/null
+++ b/meta/recipes-devtools/file/file/file-CVE-2014-9620-and-CVE-2014-9621.patch
@@ -0,0 +1,1359 @@
+file: CVE-2014-9620 and CVE-2014-9621
+
+The patch comes from:
+https://github.com/file/file/commit/6ce24f35cd4a43c4bdd249e8e0c4952c1f8eac67
+https://github.com/file/file/commit/0056ec32255de1de973574b0300161a1568767d6
+https://github.com/file/file/commit/09e41625c999a2e5b51e1092f0ef2432a99b5c33
+https://github.com/file/file/commit/af444af0738468393f40f9d2261b1ea10fc4b2ba
+https://github.com/file/file/commit/68bd8433c7e11a8dbe100deefdfac69138ee7cd9
+https://github.com/file/file/commit/dddd3cdb95210a765dd90f7d722cb8b5534daee7
+https://github.com/file/file/commit/445c8fb0ebff85195be94cd9f7e1df89cade5c7f
+https://github.com/file/file/commit/ce90e05774dd77d86cfc8dfa6da57b32816841c4
+https://github.com/file/file/commit/65437cee25199dbd385fb35901bc0011e164276c
+
+Upstream-Status: Backport
+
+Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
+---
+ src/apprentice.c |    5 +
+ src/ascmagic.c   |    3 +-
+ src/elfclass.h   |   34 ++--
+ src/file.c       |   58 ++++++-
+ src/file.h       |   20 ++-
+ src/file_opts.h  |    6 +
+ src/funcs.c      |   42 ++++-
+ src/magic.c      |   50 ++++++
+ src/magic.h      |    9 ++
+ src/magic.h.in   |    4 +
+ src/readelf.c    |  467 +++++++++++++++++++++++++++++++++---------------------
+ src/softmagic.c  |   70 ++++----
+ 12 files changed, 541 insertions(+), 227 deletions(-)
+
+Index: file-5.16/src/apprentice.c
+===================================================================
+--- file-5.16.orig/src/apprentice.c
++++ file-5.16/src/apprentice.c
+@@ -494,6 +494,11 @@ file_ms_alloc(int flags)
+ 		ms->mlist[i] = NULL;
+ 	ms->file = "unknown";
+ 	ms->line = 0;
++	ms->indir_max = FILE_INDIR_MAX;
++	ms->name_max = FILE_NAME_MAX;
++	ms->elf_shnum_max = FILE_ELF_SHNUM_MAX;
++	ms->elf_phnum_max = FILE_ELF_PHNUM_MAX;
++	ms->elf_notes_max = FILE_ELF_NOTES_MAX;
+ 	return ms;
+ free:
+ 	free(ms);
+Index: file-5.16/src/ascmagic.c
+===================================================================
+--- file-5.16.orig/src/ascmagic.c
++++ file-5.16/src/ascmagic.c
+@@ -147,7 +147,8 @@ file_ascmagic_with_encoding(struct magic
+ 		    == NULL)
+ 			goto done;
+ 		if ((rv = file_softmagic(ms, utf8_buf,
+-		    (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0)
++		    (size_t)(utf8_end - utf8_buf), 0, NULL,
++		    TEXTTEST, text)) == 0)
+ 			rv = -1;
+ 	}
+ 
+Index: file-5.16/src/elfclass.h
+===================================================================
+--- file-5.16.orig/src/elfclass.h
++++ file-5.16/src/elfclass.h
+@@ -32,39 +32,51 @@
+ 	swap = (u.c[sizeof(int32_t) - 1] + 1) != elfhdr.e_ident[EI_DATA];
+ 
+ 	type = elf_getu16(swap, elfhdr.e_type);
++	notecount = ms->elf_notes_max;
+ 	switch (type) {
+ #ifdef ELFCORE
+ 	case ET_CORE:
++		phnum = elf_getu16(swap, elfhdr.e_phnum);
++		if (phnum > ms->elf_phnum_max)
++			return toomany(ms, "program headers", phnum);
+ 		flags |= FLAGS_IS_CORE;
+ 		if (dophn_core(ms, clazz, swap, fd,
+-		    (off_t)elf_getu(swap, elfhdr.e_phoff),
+-		    elf_getu16(swap, elfhdr.e_phnum), 
++		    (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
+ 		    (size_t)elf_getu16(swap, elfhdr.e_phentsize),
+-		    fsize, &flags) == -1)
++		    fsize, &flags, &notecount) == -1)
+ 			return -1;
+ 		break;
+ #endif
+ 	case ET_EXEC:
+ 	case ET_DYN:
++		phnum = elf_getu16(swap, elfhdr.e_phnum);
++		if (phnum > ms->elf_phnum_max)
++			return toomany(ms, "program", phnum);
++		shnum = elf_getu16(swap, elfhdr.e_shnum);
++		if (shnum > ms->elf_shnum_max)
++			return toomany(ms, "section", shnum);
+ 		if (dophn_exec(ms, clazz, swap, fd,
+-		    (off_t)elf_getu(swap, elfhdr.e_phoff),
+-		    elf_getu16(swap, elfhdr.e_phnum), 
++		    (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
+ 		    (size_t)elf_getu16(swap, elfhdr.e_phentsize),
+-		    fsize, &flags, elf_getu16(swap, elfhdr.e_shnum))
+-		    == -1)
++		    fsize, shnum, &flags, &notecount) == -1)
+ 			return -1;
+ 		/*FALLTHROUGH*/
+ 	case ET_REL:
++		shnum = elf_getu16(swap, elfhdr.e_shnum);
++		if (shnum > ms->elf_shnum_max)
++			return toomany(ms, "section headers", shnum);
+ 		if (doshn(ms, clazz, swap, fd,
+-		    (off_t)elf_getu(swap, elfhdr.e_shoff),
+-		    elf_getu16(swap, elfhdr.e_shnum),
++		    (off_t)elf_getu(swap, elfhdr.e_shoff), shnum,
+ 		    (size_t)elf_getu16(swap, elfhdr.e_shentsize),
+-		    fsize, &flags, elf_getu16(swap, elfhdr.e_machine),
+-		    (int)elf_getu16(swap, elfhdr.e_shstrndx)) == -1)
++		    fsize, elf_getu16(swap, elfhdr.e_machine),
++		    (int)elf_getu16(swap, elfhdr.e_shstrndx),
++		    &flags, &notecount) == -1)
+ 			return -1;
+ 		break;
+ 
+ 	default:
+ 		break;
+ 	}
++	if (notecount == 0)
++		return toomany(ms, "notes", ms->elf_notes_max);
+ 	return 1;
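Review bot: the labels passed to toomany() are inconsistent: ET_CORE uses "program headers", ET_EXEC/ET_DYN uses "program" and "section", and ET_REL uses "section headers", so the same limit produces different messages depending on e_type. Use one label per limit. In the ET_EXEC/ET_DYN case shnum is read and checked, then read and checked again after the fall-through into ET_REL; the second check cannot fire on that path and the read could be hoisted above the switch. The closing `if (notecount == 0)` test reports too many notes as soon as the counter reaches zero, so please confirm in donote() that a file with exactly elf_notes_max notes is not flagged.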
+Index: file-5.16/src/file.c
+===================================================================
+--- file-5.16.orig/src/file.c
++++ file-5.16/src/file.c
+@@ -101,7 +101,7 @@ private const struct option long_options
+ #undef OPT_LONGONLY
+     {0, 0, NULL, 0}
+ };
+-#define OPTSTRING	"bcCde:f:F:hiklLm:nNprsvz0"
++#define OPTSTRING	"bcCde:f:F:hiklLm:nNpP:rsvz0"
+ 
+ private const struct {
+ 	const char *name;
+@@ -119,6 +119,18 @@ private const struct {
+ 	{ "tokens",	MAGIC_NO_CHECK_TOKENS }, /* OBSOLETE: ignored for backwards compatibility */
+ };
+ 
++private struct {
++	const char *name;
++	int tag;
++	size_t value;
++} pm[] = {
++	{ "indir",	MAGIC_PARAM_INDIR_MAX, 0 },
++	{ "name",	MAGIC_PARAM_NAME_MAX, 0 },
++	{ "elf_phnum",	MAGIC_PARAM_ELF_PHNUM_MAX, 0 },
++	{ "elf_shnum",	MAGIC_PARAM_ELF_SHNUM_MAX, 0 },
++	{ "elf_notes",	MAGIC_PARAM_ELF_NOTES_MAX, 0 },
++};
++
+ private char *progname;		/* used throughout 		*/
+ 
+ private void usage(void);
+@@ -128,6 +140,8 @@ private void help(void);
+ private int unwrap(struct magic_set *, const char *);
+ private int process(struct magic_set *ms, const char *, int);
+ private struct magic_set *load(const char *, int);
++private void setparam(const char *);
++private void applyparam(magic_t);
+ 
+ 
+ /*
+@@ -240,6 +254,9 @@ main(int argc, char *argv[])
+ 			flags |= MAGIC_PRESERVE_ATIME;
+ 			break;
+ #endif
++		case 'P':
++			setparam(optarg);
++			break;
+ 		case 'r':
+ 			flags |= MAGIC_RAW;
+ 			break;
+@@ -295,6 +312,8 @@ main(int argc, char *argv[])
+ 			    strerror(errno));
+ 			return 1;
+ 		}
++
++
+ 		switch(action) {
+ 		case FILE_CHECK:
+ 			c = magic_check(magic, magicfile);
+@@ -318,7 +337,7 @@ main(int argc, char *argv[])
+ 		if (magic == NULL)
+ 			if ((magic = load(magicfile, flags)) == NULL)
+ 				return 1;
+-		break;
++		applyparam(magic);
+ 	}
+ 
+ 	if (optind == argc) {
+@@ -348,6 +367,41 @@ main(int argc, char *argv[])
+ 	return e;
+ }
+ 
++private void
++applyparam(magic_t magic)
++{
++	size_t i;
++
++	for (i = 0; i < __arraycount(pm); i++) {
++		if (pm[i].value == 0)
++			continue;
++		if (magic_setparam(magic, pm[i].tag, &pm[i].value) == -1) {
++			(void)fprintf(stderr, "%s: Can't set %s %s\n", progname,
++				pm[i].name, strerror(errno));
++			exit(1);
++		}
++	}
++}
++
++private void
++setparam(const char *p)
++{
++	size_t i;
++	char *s;
++
++	if ((s = strchr(p, '=')) == NULL)
++		goto badparm;
++
++	for (i = 0; i < __arraycount(pm); i++) {
++		if (strncmp(p, pm[i].name, s - p) != 0)
++			continue;
++		pm[i].value = atoi(s + 1);
++		return;
++	}
++badparm:
++	(void)fprintf(stderr, "%s: Unknown param %s\n", progname, p);
++	exit(1);
++}
+ 
+ private struct magic_set *
+ /*ARGSUSED*/
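Review bot: in setparam(), `strncmp(p, pm[i].name, s - p)` compares only the characters before the `=`, so any prefix selects the first table entry that starts with it: `-P elf=1` sets elf_phnum, and `-P =1` (length 0) sets indir. Compare the full name, for example by also requiring `pm[i].name[s - p] == '\0'`. The value then goes through `atoi(s + 1)` into a size_t with no validation, so non-numeric input becomes 0, which applyparam() skips as unset, and a negative number wraps to a very large size_t; strtoul with an end pointer and a range check would reject both.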
+Index: file-5.16/src/file.h
+===================================================================
+--- file-5.16.orig/src/file.h
++++ file-5.16/src/file.h
+@@ -400,6 +400,16 @@ struct magic_set {
+ 	/* FIXME: Make the string dynamically allocated so that e.g.
+ 	   strings matched in files can be longer than MAXstring */
+ 	union VALUETYPE ms_value;	/* either number or string */
++	uint16_t indir_max;
++	uint16_t name_max;
++	uint16_t elf_shnum_max;
++	uint16_t elf_phnum_max;
++	uint16_t elf_notes_max;
++#define	FILE_INDIR_MAX			15
++#define	FILE_NAME_MAX			30
++#define	FILE_ELF_SHNUM_MAX		32768
++#define	FILE_ELF_PHNUM_MAX		128
++#define	FILE_ELF_NOTES_MAX		256
+ };
+ 
+ /* Type for Unicode characters */
+@@ -438,7 +448,7 @@ protected int file_encoding(struct magic
+     unichar **, size_t *, const char **, const char **, const char **);
+ protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
+ protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
+-    int, int);
++    uint16_t, uint16_t *, int, int);
+ protected int file_apprentice(struct magic_set *, const char *, int);
+ protected int file_magicfind(struct magic_set *, const char *, struct mlist *);
+ protected uint64_t file_signextend(struct magic_set *, struct magic *,
+@@ -468,6 +478,14 @@ protected int file_os2_apptype(struct ma
+ #endif /* __EMX__ */
+ 
+ 
++typedef struct {
++	char *buf;
++	uint32_t offset;
++} file_pushbuf_t;
++
++protected file_pushbuf_t *file_push_buffer(struct magic_set *);
++protected char  *file_pop_buffer(struct magic_set *, file_pushbuf_t *);
++
+ #ifndef COMPILE_ONLY
+ extern const char *file_names[];
+ extern const size_t file_nnames;
+Index: file-5.16/src/file_opts.h
+===================================================================
+--- file-5.16.orig/src/file_opts.h
++++ file-5.16/src/file_opts.h
+@@ -43,6 +43,12 @@ OPT('0', "print0", 0, "               te
+ #if defined(HAVE_UTIME) || defined(HAVE_UTIMES)
+ OPT('p', "preserve-date", 0, "        preserve access times on files\n")
+ #endif
++OPT('P', "parameter", 0, "            set file engine parameter limits\n"
++    "                               indir        15 recursion limit for indirection\n"
++    "                               name         30 use limit for name/use magic\n"
++    "                               elf_notes   256 max ELF notes processed\n"
++    "                               elf_phnum   128 max ELF prog sections processed\n"
++    "                               elf_shnum 32768 max ELF sections processed\n")
+ OPT('r', "raw", 0, "                  don't translate unprintable chars to \\ooo\n")
+ OPT('s', "special-files", 0, "        treat special (block/char devices) files as\n"
+     "                             ordinary ones\n")
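Review bot: the new `OPT('P', "parameter", 0, ...)` entry passes 0 as its third argument, the same value used by the argument-less options around it (preserve-date, raw), while OPTSTRING in file.c declares the short option as `P:`. If that field is the has-argument flag, the long form --parameter will not accept a value even though -P requires one; please check and set it to match. The help text also does not show the expected `name=value` syntax that setparam() parses.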
+Index: file-5.16/src/funcs.c
+===================================================================
+--- file-5.16.orig/src/funcs.c
++++ file-5.16/src/funcs.c
+@@ -226,7 +226,7 @@ file_buffer(struct magic_set *ms, int fd
+ 
+ 	/* try soft magic tests */
+ 	if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
+-		if ((m = file_softmagic(ms, ubuf, nb, BINTEST,
++		if ((m = file_softmagic(ms, ubuf, nb, 0, NULL, BINTEST,
+ 		    looks_text)) != 0) {
+ 			if ((ms->flags & MAGIC_DEBUG) != 0)
+ 				(void)fprintf(stderr, "softmagic %d\n", m);
+@@ -459,3 +459,43 @@ file_replace(struct magic_set *ms, const
+ 		return nm;
+ 	}
+ }
++
++protected file_pushbuf_t *
++file_push_buffer(struct magic_set *ms)
++{
++	file_pushbuf_t *pb;
++
++	if (ms->event_flags & EVENT_HAD_ERR)
++		return NULL;
++
++	if ((pb = (CAST(file_pushbuf_t *, malloc(sizeof(*pb))))) == NULL)
++		return NULL;
++
++	pb->buf = ms->o.buf;
++	pb->offset = ms->offset;
++
++	ms->o.buf = NULL;
++	ms->offset = 0;
++
++	return pb;
++}
++
++protected char *
++file_pop_buffer(struct magic_set *ms, file_pushbuf_t *pb)
++{
++	char *rbuf;
++
++	if (ms->event_flags & EVENT_HAD_ERR) {
++		free(pb->buf);
++		free(pb);
++		return NULL;
++	}
++
++	rbuf = ms->o.buf;
++
++	ms->o.buf = pb->buf;
++	ms->offset = pb->offset;
++
++	free(pb);
++	return rbuf;
++}
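Review bot: on the EVENT_HAD_ERR path file_pop_buffer() frees pb->buf, which is the original output buffer saved by file_push_buffer(), and returns without restoring ms->o.buf or ms->offset. After that return ms->o.buf still points at whatever the nested run wrote and the original text is gone; please confirm every caller treats NULL as fatal and that the remaining buffer is freed elsewhere, and say so in a comment above the function. file_push_buffer() also returns NULL both for a prior error and for malloc failure, so callers cannot tell the two apart.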
+Index: file-5.16/src/magic.c
+===================================================================
+--- file-5.16.orig/src/magic.c
++++ file-5.16/src/magic.c
+@@ -490,3 +490,53 @@ magic_version(void)
+ {
+ 	return MAGIC_VERSION;
+ }
++
++public int
++magic_setparam(struct magic_set *ms, int param, const void *val)
++{
++	switch (param) {
++	case MAGIC_PARAM_INDIR_MAX:
++		ms->indir_max = *(const size_t *)val;
++		return 0;
++	case MAGIC_PARAM_NAME_MAX:
++		ms->name_max = *(const size_t *)val;
++		return 0;
++	case MAGIC_PARAM_ELF_PHNUM_MAX:
++		ms->elf_phnum_max = *(const size_t *)val;
++		return 0;
++	case MAGIC_PARAM_ELF_SHNUM_MAX:
++		ms->elf_shnum_max = *(const size_t *)val;
++		return 0;
++	case MAGIC_PARAM_ELF_NOTES_MAX:
++		ms->elf_notes_max = *(const size_t *)val;
++		return 0;
++	default:
++		errno = EINVAL;
++		return -1;
++	}
++}
++
++public int
++magic_getparam(struct magic_set *ms, int param, void *val)
++{
++	switch (param) {
++	case MAGIC_PARAM_INDIR_MAX:
++		*(size_t *)val = ms->indir_max;
++		return 0;
++	case MAGIC_PARAM_NAME_MAX:
++		*(size_t *)val = ms->name_max;
++		return 0;
++	case MAGIC_PARAM_ELF_PHNUM_MAX:
++		*(size_t *)val = ms->elf_phnum_max;
++		return 0;
++	case MAGIC_PARAM_ELF_SHNUM_MAX:
++		*(size_t *)val = ms->elf_shnum_max;
++		return 0;
++	case MAGIC_PARAM_ELF_NOTES_MAX:
++		*(size_t *)val = ms->elf_notes_max;
++		return 0;
++	default:
++		errno = EINVAL;
++		return -1;
++	}
++}
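Review bot: magic_setparam() stores `*(const size_t *)val` straight into the uint16_t limit fields added to struct magic_set, with no range check, so any value above 65535 is silently truncated and 65536 becomes 0. Reject out-of-range values with EINVAL before assigning. The two new public functions also carry no documentation of the type val must point to; the casts show it is size_t, which a caller passing the address of an int would get wrong.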
+Index: file-5.16/src/magic.h
+===================================================================
+--- file-5.16.orig/src/magic.h
++++ file-5.16/src/magic.h
+@@ -101,6 +101,15 @@ int magic_check(magic_t, const char *);
+ int magic_list(magic_t, const char *);
+ int magic_errno(magic_t);
+ 
++#define MAGIC_PARAM_INDIR_MAX		0
++#define MAGIC_PARAM_NAME_MAX		1
++#define MAGIC_PARAM_ELF_PHNUM_MAX	2
++#define MAGIC_PARAM_ELF_SHNUM_MAX	3
++#define MAGIC_PARAM_ELF_NOTES_MAX	4
++
++int magic_setparam(magic_t, int, const void *);
++int magic_getparam(magic_t, int, void *);
++
+ #ifdef __cplusplus
+ };
+ #endif
+Index: file-5.16/src/magic.h.in
+===================================================================
+--- file-5.16.orig/src/magic.h.in
++++ file-5.16/src/magic.h.in
+@@ -101,6 +101,15 @@ int magic_check(magic_t, const char *);
+ int magic_list(magic_t, const char *);
+ int magic_errno(magic_t);
+ 
++#define MAGIC_PARAM_INDIR_MAX         0
++#define MAGIC_PARAM_NAME_MAX          1
++#define MAGIC_PARAM_ELF_PHNUM_MAX     2
++#define MAGIC_PARAM_ELF_SHNUM_MAX     3
++#define MAGIC_PARAM_ELF_NOTES_MAX     4
++
++int magic_setparam(magic_t, int, const void *);
++int magic_getparam(magic_t, int, void *);
++
+ #ifdef __cplusplus
+ };
+ #endif
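Review bot: the diffstat at the top of this patch lists src/magic.h.in with 4 added lines, while this hunk adds 9 lines to match src/magic.h, so the diffstat and its totals were not regenerated after the magic.h.in fix-up. Please regenerate it so the header matches the content. The same five MAGIC_PARAM_* values and two prototypes are now kept by hand in both magic.h and magic.h.in; a note in the patch header on why both files are patched would help the next rebase.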
+Index: file-5.16/src/readelf.c
+===================================================================
+--- file-5.16.orig/src/readelf.c
++++ file-5.16/src/readelf.c
+@@ -43,14 +43,14 @@ FILE_RCSID("@(#)$File: readelf.c,v 1.99
+ 
+ #ifdef	ELFCORE
+ private int dophn_core(struct magic_set *, int, int, int, off_t, int, size_t,
+-    off_t, int *);
++    off_t, int *, uint16_t *);
+ #endif
+ private int dophn_exec(struct magic_set *, int, int, int, off_t, int, size_t,
+-    off_t, int *, int);
++    off_t, int, int *, uint16_t *);
+ private int doshn(struct magic_set *, int, int, int, off_t, int, size_t,
+-    off_t, int *, int, int);
++    off_t, int, int, int *, uint16_t *);
+ private size_t donote(struct magic_set *, void *, size_t, size_t, int,
+-    int, size_t, int *);
++    int, size_t, int *, uint16_t *);
+ 
+ #define	ELF_ALIGN(a)	((((a) + align - 1) / align) * align)
+ 
+@@ -60,6 +60,19 @@ private uint16_t getu16(int, uint16_t);
+ private uint32_t getu32(int, uint32_t);
+ private uint64_t getu64(int, uint64_t);
+ 
++#define MAX_PHNUM	128
++#define	MAX_SHNUM	32768
++#define SIZE_UNKNOWN	((off_t)-1)
++
++private int
++toomany(struct magic_set *ms, const char *name, uint16_t num)
++{
++	if (file_printf(ms, ", too many %s (%u)", name, num
++	    ) == -1)
++		return -1;
++	return 0;
++}
++
+ private uint16_t
+ getu16(int swap, uint16_t value)
+ {
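Review bot: MAX_PHNUM and MAX_SHNUM, added at the top of this hunk, repeat the values of FILE_ELF_PHNUM_MAX and FILE_ELF_SHNUM_MAX from file.h, while the checks in elfclass.h use ms->elf_phnum_max and ms->elf_shnum_max instead. If nothing in readelf.c still uses the two macros, drop them so the defaults live in one place. toomany() returns 0 after a successful print and elfclass.h returns that value directly; a short comment on what 0 means to the caller, as opposed to the 1 and -1 used elsewhere in that code, would make the intent clear.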
+@@ -280,15 +293,19 @@ private const char os_style_names[][8] =
+ 	"NetBSD",
+ };
+ 
+-#define FLAGS_DID_CORE		0x01
+-#define FLAGS_DID_NOTE		0x02
+-#define FLAGS_DID_BUILD_ID	0x04
+-#define FLAGS_DID_CORE_STYLE	0x08
+-#define FLAGS_IS_CORE		0x10
++#define FLAGS_DID_CORE			0x001
++#define FLAGS_DID_OS_NOTE		0x002
++#define FLAGS_DID_BUILD_ID		0x004
++#define FLAGS_DID_CORE_STYLE		0x008
++#define FLAGS_DID_NETBSD_PAX		0x010
++#define FLAGS_DID_NETBSD_MARCH		0x020
++#define FLAGS_DID_NETBSD_CMODEL		0x040
++#define FLAGS_DID_NETBSD_UNKNOWN	0x080
++#define FLAGS_IS_CORE			0x100
+ 
+ private int
+ dophn_core(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
+-    int num, size_t size, off_t fsize, int *flags)
++    int num, size_t size, off_t fsize, int *flags, uint16_t *notecount)
+ {
+ 	Elf32_Phdr ph32;
+ 	Elf64_Phdr ph64;
+@@ -306,13 +323,13 @@ dophn_core(struct magic_set *ms, int cla
+ 	 * Loop through all the program headers.
+ 	 */
+ 	for ( ; num; num--) {
+-		if (pread(fd, xph_addr, xph_sizeof, off) == -1) {
++		if (pread(fd, xph_addr, xph_sizeof, off) < (ssize_t)xph_sizeof) {
+ 			file_badread(ms);
+ 			return -1;
+ 		}
+ 		off += size;
+ 
+-		if (xph_offset > fsize) {
++		if (fsize != SIZE_UNKNOWN && xph_offset > fsize) {
+ 			/* Perhaps warn here */
+ 			continue;
+ 		}
+@@ -334,7 +351,7 @@ dophn_core(struct magic_set *ms, int cla
+ 			if (offset >= (size_t)bufsize)
+ 				break;
+ 			offset = donote(ms, nbuf, offset, (size_t)bufsize,
+-			    clazz, swap, 4, flags);
++			    clazz, swap, 4, flags, notecount);
+ 			if (offset == 0)
+ 				break;
+ 
+@@ -464,125 +481,127 @@ do_note_freebsd_version(struct magic_set
+ 	}
+ }
+ 
+-private size_t
+-donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
+-    int clazz, int swap, size_t align, int *flags)
++private int
++do_bid_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
++    int swap __attribute__((__unused__)), uint32_t namesz, uint32_t descsz,
++    size_t noff, size_t doff, int *flags)
+ {
+-	Elf32_Nhdr nh32;
+-	Elf64_Nhdr nh64;
+-	size_t noff, doff;
+-#ifdef ELFCORE
+-	int os_style = -1;
+-#endif
+-	uint32_t namesz, descsz;
+-	unsigned char *nbuf = CAST(unsigned char *, vbuf);
+-
+-	(void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
+-	offset += xnh_sizeof;
+-
+-	namesz = xnh_namesz;
+-	descsz = xnh_descsz;
+-	if ((namesz == 0) && (descsz == 0)) {
+-		/*
+-		 * We're out of note headers.
+-		 */
+-		return (offset >= size) ? offset : size;
+-	}
+-
+-	if (namesz & 0x80000000) {
+-	    (void)file_printf(ms, ", bad note name size 0x%lx",
+-		(unsigned long)namesz);
+-	    return offset;
+-	}
+-
+-	if (descsz & 0x80000000) {
+-	    (void)file_printf(ms, ", bad note description size 0x%lx",
+-		(unsigned long)descsz);
+-	    return offset;
+-	}
+-
+-
+-	noff = offset;
+-	doff = ELF_ALIGN(offset + namesz);
+-
+-	if (offset + namesz > size) {
+-		/*
+-		 * We're past the end of the buffer.
+-		 */
+-		return doff;
+-	}
+-
+-	offset = ELF_ALIGN(doff + descsz);
+-	if (doff + descsz > size) {
+-		/*
+-		 * We're past the end of the buffer.
+-		 */
+-		return (offset >= size) ? offset : size;
++	if (namesz == 4 && strcmp((char *)&nbuf[noff], "GNU") == 0 &&
++	    type == NT_GNU_BUILD_ID && (descsz == 16 || descsz == 20)) {
++		uint8_t desc[20];
++		uint32_t i;
++		*flags |= FLAGS_DID_BUILD_ID;
++		if (file_printf(ms, ", BuildID[%s]=", descsz == 16 ? "md5/uuid" :
++		    "sha1") == -1)
++			return 1;
++		(void)memcpy(desc, &nbuf[doff], descsz);
++		for (i = 0; i < descsz; i++)
++		    if (file_printf(ms, "%02x", desc[i]) == -1)
++			return 1;
++		return 1;
+ 	}
+-
+-	if ((*flags & (FLAGS_DID_NOTE|FLAGS_DID_BUILD_ID)) ==
+-	    (FLAGS_DID_NOTE|FLAGS_DID_BUILD_ID))
+-		goto core;
+-
++	return 0;
++}
++	
++private int
++do_os_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
++    int swap, uint32_t namesz, uint32_t descsz,
++    size_t noff, size_t doff, int *flags)
++{
+ 	if (namesz == 5 && strcmp((char *)&nbuf[noff], "SuSE") == 0 &&
+-	    xnh_type == NT_GNU_VERSION && descsz == 2) {
++	    type == NT_GNU_VERSION && descsz == 2) {
++	    *flags |= FLAGS_DID_OS_NOTE;
+ 	    file_printf(ms, ", for SuSE %d.%d", nbuf[doff], nbuf[doff + 1]);
++	    return 1;
+ 	}
++
+ 	if (namesz == 4 && strcmp((char *)&nbuf[noff], "GNU") == 0 &&
+-	    xnh_type == NT_GNU_VERSION && descsz == 16) {
++	    type == NT_GNU_VERSION && descsz == 16) {
+ 		uint32_t desc[4];
+ 		(void)memcpy(desc, &nbuf[doff], sizeof(desc));
+ 
++		*flags |= FLAGS_DID_OS_NOTE;
+ 		if (file_printf(ms, ", for GNU/") == -1)
+-			return size;
++			return 1;
+ 		switch (elf_getu32(swap, desc[0])) {
+ 		case GNU_OS_LINUX:
+ 			if (file_printf(ms, "Linux") == -1)
+-				return size;
++				return 1;
+ 			break;
+ 		case GNU_OS_HURD:
+ 			if (file_printf(ms, "Hurd") == -1)
+-				return size;
++				return 1;
+ 			break;
+ 		case GNU_OS_SOLARIS:
+ 			if (file_printf(ms, "Solaris") == -1)
+-				return size;
++				return 1;
+ 			break;
+ 		case GNU_OS_KFREEBSD:
+ 			if (file_printf(ms, "kFreeBSD") == -1)
+-				return size;
++				return 1;
+ 			break;
+ 		case GNU_OS_KNETBSD:
+ 			if (file_printf(ms, "kNetBSD") == -1)
+-				return size;
++				return 1;
+ 			break;
+ 		default:
+ 			if (file_printf(ms, "<unknown>") == -1)
+-				return size; 
++				return 1;
+ 		}
+ 		if (file_printf(ms, " %d.%d.%d", elf_getu32(swap, desc[1]),
+ 		    elf_getu32(swap, desc[2]), elf_getu32(swap, desc[3])) == -1)
+-			return size;
+-		*flags |= FLAGS_DID_NOTE;
+-		return size;
++			return 1;
++		return 1;
+ 	}
+ 
+-	if (namesz == 4 && strcmp((char *)&nbuf[noff], "GNU") == 0 &&
+-	    xnh_type == NT_GNU_BUILD_ID && (descsz == 16 || descsz == 20)) {
+-	    uint8_t desc[20];
+-	    uint32_t i;
+-	    if (file_printf(ms, ", BuildID[%s]=", descsz == 16 ? "md5/uuid" :
+-		"sha1") == -1)
+-		    return size;
+-	    (void)memcpy(desc, &nbuf[doff], descsz);
+-	    for (i = 0; i < descsz; i++)
+-		if (file_printf(ms, "%02x", desc[i]) == -1)
+-		    return size;
+-	    *flags |= FLAGS_DID_BUILD_ID;
++	if (namesz == 7 && strcmp((char *)&nbuf[noff], "NetBSD") == 0) {
++	    	if (type == NT_NETBSD_VERSION && descsz == 4) {
++			*flags |= FLAGS_DID_OS_NOTE;
++			do_note_netbsd_version(ms, swap, &nbuf[doff]);
++			return 1;
++		}
++	}
++
++	if (namesz == 8 && strcmp((char *)&nbuf[noff], "FreeBSD") == 0) {
++	    	if (type == NT_FREEBSD_VERSION && descsz == 4) {
++			*flags |= FLAGS_DID_OS_NOTE;
++			do_note_freebsd_version(ms, swap, &nbuf[doff]);
++			return 1;
++		}
++	}
++
++	if (namesz == 8 && strcmp((char *)&nbuf[noff], "OpenBSD") == 0 &&
++	    type == NT_OPENBSD_VERSION && descsz == 4) {
++		*flags |= FLAGS_DID_OS_NOTE;
++		if (file_printf(ms, ", for OpenBSD") == -1)
++			return 1;
++		/* Content of note is always 0 */
++		return 1;
++	}
++
++	if (namesz == 10 && strcmp((char *)&nbuf[noff], "DragonFly") == 0 &&
++	    type == NT_DRAGONFLY_VERSION && descsz == 4) {
++		uint32_t desc;
++		*flags |= FLAGS_DID_OS_NOTE;
++		if (file_printf(ms, ", for DragonFly") == -1)
++			return 1;
++		(void)memcpy(&desc, &nbuf[doff], sizeof(desc));
++		desc = elf_getu32(swap, desc);
++		if (file_printf(ms, " %d.%d.%d", desc / 100000,
++		    desc / 10000 % 10, desc % 10000) == -1)
++			return 1;
++		return 1;
+ 	}
++	return 0;
++}
+ 
++private int
++do_pax_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
++    int swap, uint32_t namesz, uint32_t descsz,
++    size_t noff, size_t doff, int *flags)
++{
+ 	if (namesz == 4 && strcmp((char *)&nbuf[noff], "PaX") == 0 &&
+-	    xnh_type == NT_NETBSD_PAX && descsz == 4) {
++	    type == NT_NETBSD_PAX && descsz == 4) {
+ 		static const char *pax[] = {
+ 		    "+mprotect",
+ 		    "-mprotect",
+@@ -595,80 +614,32 @@ donote(struct magic_set *ms, void *vbuf,
+ 		size_t i;
+ 		int did = 0;
+ 
++		*flags |= FLAGS_DID_NETBSD_PAX;
+ 		(void)memcpy(&desc, &nbuf[doff], sizeof(desc));
+ 		desc = elf_getu32(swap, desc);
+ 
+ 		if (desc && file_printf(ms, ", PaX: ") == -1)
+-			return size;
++			return 1;
+ 
+ 		for (i = 0; i < __arraycount(pax); i++) {
+ 			if (((1 << i) & desc) == 0)
+ 				continue;
+ 			if (file_printf(ms, "%s%s", did++ ? "," : "",
+ 			    pax[i]) == -1)
+-				return size;
+-		}
+-	}
+-
+-	if (namesz == 7 && strcmp((char *)&nbuf[noff], "NetBSD") == 0) {
+-		switch (xnh_type) {
+-		case NT_NETBSD_VERSION:
+-			if (descsz == 4) {
+-				do_note_netbsd_version(ms, swap, &nbuf[doff]);
+-				*flags |= FLAGS_DID_NOTE;
+-				return size;
+-			}
+-			break;
+-		case NT_NETBSD_MARCH:
+-			if (file_printf(ms, ", compiled for: %.*s", (int)descsz,
+-			    (const char *)&nbuf[doff]) == -1)
+-				return size;
+-			break;
+-		case NT_NETBSD_CMODEL:
+-			if (file_printf(ms, ", compiler model: %.*s",
+-			    (int)descsz, (const char *)&nbuf[doff]) == -1)
+-				return size;
+-			break;
+-		default:
+-			if (file_printf(ms, ", note=%u", xnh_type) == -1)
+-				return size;
+-			break;
+-		}
+-		return size;
+-	}
+-
+-	if (namesz == 8 && strcmp((char *)&nbuf[noff], "FreeBSD") == 0) {
+-	    	if (xnh_type == NT_FREEBSD_VERSION && descsz == 4) {
+-			do_note_freebsd_version(ms, swap, &nbuf[doff]);
+-			*flags |= FLAGS_DID_NOTE;
+-			return size;
++			return 1;
+ 		}
++		return 1;
+ 	}
++	return 0;
++}
+ 
+-	if (namesz == 8 && strcmp((char *)&nbuf[noff], "OpenBSD") == 0 &&
+-	    xnh_type == NT_OPENBSD_VERSION && descsz == 4) {
+-		if (file_printf(ms, ", for OpenBSD") == -1)
+-			return size;
+-		/* Content of note is always 0 */
+-		*flags |= FLAGS_DID_NOTE;
+-		return size;
+-	}
+-
+-	if (namesz == 10 && strcmp((char *)&nbuf[noff], "DragonFly") == 0 &&
+-	    xnh_type == NT_DRAGONFLY_VERSION && descsz == 4) {
+-		uint32_t desc;
+-		if (file_printf(ms, ", for DragonFly") == -1)
+-			return size;
+-		(void)memcpy(&desc, &nbuf[doff], sizeof(desc));
+-		desc = elf_getu32(swap, desc);
+-		if (file_printf(ms, " %d.%d.%d", desc / 100000,
+-		    desc / 10000 % 10, desc % 10000) == -1)
+-			return size;
+-		*flags |= FLAGS_DID_NOTE;
+-		return size;
+-	}
+-
+-core:
++private int
++do_core_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
++    int swap, uint32_t namesz, uint32_t descsz,
++    size_t noff, size_t doff, int *flags, size_t size, int clazz)
++{
++#ifdef ELFCORE
++	int os_style = -1;
+ 	/*
+ 	 * Sigh.  The 2.0.36 kernel in Debian 2.1, at
+ 	 * least, doesn't correctly implement name
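Review bot: do_pax_note() now ends its matching branch with `return 1`, and donote() turns any non-zero helper result into `return size`, so note processing for the section stops at the first PaX note. The removed code returned only when file_printf() failed and otherwise fell through to `return offset`, which let the remaining notes in the same buffer be examined. If stopping there is intended, say so in a comment above do_pax_note(); if not, donote() should return `offset` after a successfully handled PaX note.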
+@@ -697,20 +668,17 @@ core:
+ 		os_style = OS_STYLE_NETBSD;
+ 	}
+ 
+-#ifdef ELFCORE
+-	if ((*flags & FLAGS_DID_CORE) != 0)
+-		return size;
+-
+ 	if (os_style != -1 && (*flags & FLAGS_DID_CORE_STYLE) == 0) {
+ 		if (file_printf(ms, ", %s-style", os_style_names[os_style])
+ 		    == -1)
+-			return size;
++			return 1;
+ 		*flags |= FLAGS_DID_CORE_STYLE;
+ 	}
+ 
+ 	switch (os_style) {
+ 	case OS_STYLE_NETBSD:
+-		if (xnh_type == NT_NETBSD_CORE_PROCINFO) {
++		if (type == NT_NETBSD_CORE_PROCINFO) {
++			char sbuf[512];
+ 			uint32_t signo;
+ 			/*
+ 			 * Extract the program name.  It is at
+@@ -719,7 +687,7 @@ core:
+ 			 */
+ 			if (file_printf(ms, ", from '%.31s'",
+ 			    &nbuf[doff + 0x7c]) == -1)
+-				return size;
++				return 1;
+ 			
+ 			/*
+ 			 * Extract the signal number.  It is at
+@@ -736,8 +704,7 @@ core:
+ 		break;
+ 
+ 	default:
+-		if (xnh_type == NT_PRPSINFO && *flags & FLAGS_IS_CORE) {
+-/*###709 [cc] warning: declaration of 'i' shadows previous non-variable%%%*/
++		if (type == NT_PRPSINFO && *flags & FLAGS_IS_CORE) {
+ 			size_t i, j;
+ 			unsigned char c;
+ 			/*
+@@ -805,7 +772,7 @@ core:
+ 				 * Try next offsets, in case this match is
+ 				 * in the middle of a string.
+ 				 */
+-				for (k = i + 1 ; k < NOFFSETS ; k++) {
++				for (k = i + 1 ; k < NOFFSETS; k++) {
+ 					size_t no;
+ 					int adjust = 1;
+ 					if (prpsoffsets(k) >= prpsoffsets(i))
+@@ -830,9 +797,9 @@ core:
+ 					cp--;
+ 				if (file_printf(ms, ", from '%.*s'",
+ 				    (int)(cp - cname), cname) == -1)
+-					return size;
++					return 1;
+ 				*flags |= FLAGS_DID_CORE;
+-				return size;
++				return 1;
+ 
+ 			tryanother:
+ 				;
+@@ -841,6 +808,129 @@ core:
+ 		break;
+ 	}
+ #endif
++	return 0;
++}
++
++private size_t
++donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
++    int clazz, int swap, size_t align, int *flags, uint16_t *notecount)
++{
++	Elf32_Nhdr nh32;
++	Elf64_Nhdr nh64;
++	size_t noff, doff;
++	uint32_t namesz, descsz;
++	unsigned char *nbuf = CAST(unsigned char *, vbuf);
++
++	if (*notecount == 0)
++		return 0;
++	--*notecount;
++
++	if (xnh_sizeof + offset > size) {
++		/*
++		 * We're out of note headers.
++		 */
++		return xnh_sizeof + offset;
++	}
++
++	(void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
++	offset += xnh_sizeof;
++
++	namesz = xnh_namesz;
++	descsz = xnh_descsz;
++	if ((namesz == 0) && (descsz == 0)) {
++		/*
++		 * We're out of note headers.
++		 */
++		return (offset >= size) ? offset : size;
++	}
++
++	if (namesz & 0x80000000) {
++	    (void)file_printf(ms, ", bad note name size 0x%lx",
++		(unsigned long)namesz);
++	    return 0;
++	}
++
++	if (descsz & 0x80000000) {
++	    (void)file_printf(ms, ", bad note description size 0x%lx",
++		(unsigned long)descsz);
++	    return 0;
++	}
++
++	noff = offset;
++	doff = ELF_ALIGN(offset + namesz);
++
++	if (offset + namesz > size) {
++		/*
++		 * We're past the end of the buffer.
++		 */
++		return doff;
++	}
++
++	offset = ELF_ALIGN(doff + descsz);
++	if (doff + descsz > size) {
++		/*
++		 * We're past the end of the buffer.
++		 */
++		return (offset >= size) ? offset : size;
++	}
++
++	if ((*flags & FLAGS_DID_OS_NOTE) == 0) {
++		if (do_os_note(ms, nbuf, xnh_type, swap,
++		    namesz, descsz, noff, doff, flags))
++			return size;
++	}
++
++	if ((*flags & FLAGS_DID_BUILD_ID) == 0) {
++		if (do_bid_note(ms, nbuf, xnh_type, swap,
++		    namesz, descsz, noff, doff, flags))
++			return size;
++	}
++		
++	if ((*flags & FLAGS_DID_NETBSD_PAX) == 0) {
++		if (do_pax_note(ms, nbuf, xnh_type, swap,
++		    namesz, descsz, noff, doff, flags))
++			return size;
++	}
++
++	if ((*flags & FLAGS_DID_CORE) == 0) {
++		if (do_core_note(ms, nbuf, xnh_type, swap,
++		    namesz, descsz, noff, doff, flags, size, clazz))
++			return size;
++	}
++
++	if (namesz == 7 && strcmp((char *)&nbuf[noff], "NetBSD") == 0) {
++		if (descsz > 100)
++			descsz = 100;
++		switch (xnh_type) {
++	    	case NT_NETBSD_VERSION:
++			return size;
++		case NT_NETBSD_MARCH:
++			if (*flags & FLAGS_DID_NETBSD_MARCH)
++				return size;
++			*flags |= FLAGS_DID_NETBSD_MARCH;
++			if (file_printf(ms, ", compiled for: %.*s",
++			    (int)descsz, (const char *)&nbuf[doff]) == -1)
++				return size;
++			break;
++		case NT_NETBSD_CMODEL:
++			if (*flags & FLAGS_DID_NETBSD_CMODEL)
++				return size;
++			*flags |= FLAGS_DID_NETBSD_CMODEL;
++			if (file_printf(ms, ", compiler model: %.*s",
++			    (int)descsz, (const char *)&nbuf[doff]) == -1)
++				return size;
++			break;
++		default:
++			if (*flags & FLAGS_DID_NETBSD_UNKNOWN)
++				return size;
++			*flags |= FLAGS_DID_NETBSD_UNKNOWN;
++			if (file_printf(ms, ", note=%u", xnh_type) == -1)
++				return size;
++			break;
++		}
++		return size;
++	}
++
+ 	return offset;
+ }
+ 
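Review bot: in the NetBSD branch at the end of donote(), `if (descsz > 100) descsz = 100;` introduces a bare constant with no explanation. It runs after the `doff + descsz > size` check, so it only shortens what the two `%.*s` prints for NT_NETBSD_MARCH and NT_NETBSD_CMODEL can emit; give 100 a named constant or a one-line comment saying it caps the printed string length, so it is not mistaken for the bounds check.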
+@@ -896,16 +986,19 @@ static const cap_desc_t cap_desc_386[] =
+ 
+ private int
+ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num,
+-    size_t size, off_t fsize, int *flags, int mach, int strtab)
++    size_t size, off_t fsize, int mach, int strtab, int *flags,
++    uint16_t *notecount)
+ {
+ 	Elf32_Shdr sh32;
+ 	Elf64_Shdr sh64;
+ 	int stripped = 1;
++	size_t nbadcap = 0;
+ 	void *nbuf;
+ 	off_t noff, coff, name_off;
+ 	uint64_t cap_hw1 = 0;	/* SunOS 5.x hardware capabilites */
+ 	uint64_t cap_sf1 = 0;	/* SunOS 5.x software capabilites */
+ 	char name[50];
++	ssize_t namesize;
+ 
+ 	if (size != xsh_sizeof) {
+ 		if (file_printf(ms, ", corrupted section header size") == -1)
+@@ -914,7 +1007,7 @@ doshn(struct magic_set *ms, int clazz, i
+ 	}
+ 
+ 	/* Read offset of name section to be able to read section names later */
+-	if (pread(fd, xsh_addr, xsh_sizeof, off + size * strtab) == -1) {
++	if (pread(fd, xsh_addr, xsh_sizeof, off + size * strtab) < (ssize_t)xsh_sizeof) {
+ 		file_badread(ms);
+ 		return -1;
+ 	}
+@@ -922,15 +1015,15 @@ doshn(struct magic_set *ms, int clazz, i
+ 
+ 	for ( ; num; num--) {
+ 		/* Read the name of this section. */
+-		if (pread(fd, name, sizeof(name), name_off + xsh_name) == -1) {
++		if ((namesize = pread(fd, name, sizeof(name) - 1, name_off + xsh_name)) == -1) {
+ 			file_badread(ms);
+ 			return -1;
+ 		}
+-		name[sizeof(name) - 1] = '\0';
++		name[namesize] = '\0';
+ 		if (strcmp(name, ".debug_info") == 0)
+ 			stripped = 0;
+ 
+-		if (pread(fd, xsh_addr, xsh_sizeof, off) == -1) {
++		if (pread(fd, xsh_addr, xsh_sizeof, off) < (ssize_t)xsh_sizeof) {
+ 			file_badread(ms);
+ 			return -1;
+ 		}
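Review bot: the section-name read is the one pread() in this hunk that still tests `== -1` while its neighbours now test for a short count, and nothing explains the difference. Accepting a short read is reasonable here because the buffer is terminated at the returned length with `name[namesize] = '\0';`, but add a short comment saying so, so that a later cleanup does not change it to match the `< (ssize_t)xsh_sizeof` checks around it.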
+@@ -945,7 +1038,7 @@ doshn(struct magic_set *ms, int clazz, i
+ 			stripped = 0;
+ 			break;
+ 		default:
+-			if (xsh_offset > fsize) {
++			if (fsize != SIZE_UNKNOWN && xsh_offset > fsize) {
+ 				/* Perhaps warn here */
+ 				continue;
+ 			}
+@@ -960,7 +1053,7 @@ doshn(struct magic_set *ms, int clazz, i
+ 				    " for note");
+ 				return -1;
+ 			}
+-			if (pread(fd, nbuf, xsh_size, xsh_offset) == -1) {
++			if (pread(fd, nbuf, xsh_size, xsh_offset) < (ssize_t)xsh_size) {
+ 				file_badread(ms);
+ 				free(nbuf);
+ 				return -1;
+@@ -971,7 +1064,7 @@ doshn(struct magic_set *ms, int clazz, i
+ 				if (noff >= (off_t)xsh_size)
+ 					break;
+ 				noff = donote(ms, nbuf, (size_t)noff,
+-				    xsh_size, clazz, swap, 4, flags);
++				    xsh_size, clazz, swap, 4, flags, notecount);
+ 				if (noff == 0)
+ 					break;
+ 			}
+@@ -989,6 +1082,8 @@ doshn(struct magic_set *ms, int clazz, i
+ 				goto skip;
+ 			}
+ 
++			if (nbadcap > 5)
++				break;
+ 			if (lseek(fd, xsh_offset, SEEK_SET) == (off_t)-1) {
+ 				file_badseek(ms);
+ 				return -1;
+@@ -1024,6 +1119,8 @@ doshn(struct magic_set *ms, int clazz, i
+ 					    (unsigned long long)xcap_tag,
+ 					    (unsigned long long)xcap_val) == -1)
+ 						return -1;
++					if (nbadcap++ > 2)
++						coff = xsh_size;
+ 					break;
+ 				}
+ 			}
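Review bot: the nbadcap limits are bare numbers with two different thresholds, `if (nbadcap++ > 2)` in this hunk and `if (nbadcap > 5) break;` in the previous one, and neither says what it bounds. Name the two limits or comment them, and note that because of the post-increment the `coff = xsh_size` cut-off takes effect on the fourth entry counted by nbadcap, not the third.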
+@@ -1104,7 +1201,8 @@ doshn(struct magic_set *ms, int clazz, i
+  */
+ private int
+ dophn_exec(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
+-    int num, size_t size, off_t fsize, int *flags, int sh_num)
++    int num, size_t size, off_t fsize, int sh_num, int *flags,
++    uint16_t *notecount)
+ {
+ 	Elf32_Phdr ph32;
+ 	Elf64_Phdr ph64;
+@@ -1121,7 +1219,7 @@ dophn_exec(struct magic_set *ms, int cla
+ 	}
+ 
+   	for ( ; num; num--) {
+-		if (pread(fd, xph_addr, xph_sizeof, off) == -1) {
++		if (pread(fd, xph_addr, xph_sizeof, off) < (ssize_t)xph_sizeof) {
+ 			file_badread(ms);
+ 			return -1;
+ 		}
+@@ -1137,7 +1235,7 @@ dophn_exec(struct magic_set *ms, int cla
+ 			shared_libraries = " (uses shared libs)";
+ 			break;
+ 		default:
+-			if (xph_offset > fsize) {
++			if (fsize != SIZE_UNKNOWN && xph_offset > fsize) {
+ 				/* Maybe warn here? */
+ 				continue;
+ 			}
+@@ -1173,7 +1271,7 @@ dophn_exec(struct magic_set *ms, int cla
+ 					break;
+ 				offset = donote(ms, nbuf, offset,
+ 				    (size_t)bufsize, clazz, swap, align,
+-				    flags);
++				    flags, notecount);
+ 				if (offset == 0)
+ 					break;
+ 			}
+@@ -1204,7 +1302,7 @@ file_tryelf(struct magic_set *ms, int fd
+ 	int flags = 0;
+ 	Elf32_Ehdr elf32hdr;
+ 	Elf64_Ehdr elf64hdr;
+-	uint16_t type;
++	uint16_t type, phnum, shnum, notecount;
+ 
+ 	if (ms->flags & (MAGIC_MIME|MAGIC_APPLE))
+ 		return 0;
+@@ -1230,7 +1328,10 @@ file_tryelf(struct magic_set *ms, int fd
+   		file_badread(ms);
+ 		return -1;
+ 	}
+-	fsize = st.st_size;
++	if (S_ISREG(st.st_mode))
++		fsize = st.st_size;
++	else
++		fsize = SIZE_UNKNOWN;
+ 
+ 	clazz = buf[EI_CLASS];
+ 
+Index: file-5.16/src/softmagic.c
+===================================================================
+--- file-5.16.orig/src/softmagic.c
++++ file-5.16/src/softmagic.c
+@@ -43,11 +43,11 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.1
+ 
+ 
+ private int match(struct magic_set *, struct magic *, uint32_t,
+-    const unsigned char *, size_t, size_t, int, int, int, int, int *, int *,
+-    int *);
++    const unsigned char *, size_t, size_t, int, int, int, uint16_t,
++    uint16_t *, int *, int *, int *);
+ private int mget(struct magic_set *, const unsigned char *,
+-    struct magic *, size_t, size_t, unsigned int, int, int, int, int, int *,
+-    int *, int *);
++    struct magic *, size_t, size_t, unsigned int, int, int, int, uint16_t,
++    uint16_t *, int *, int *, int *);
+ private int magiccheck(struct magic_set *, struct magic *);
+ private int32_t mprint(struct magic_set *, struct magic *);
+ private int32_t moffset(struct magic_set *, struct magic *);
+@@ -69,14 +69,20 @@ private void cvt_64(union VALUETYPE *, c
+ /*ARGSUSED1*/		/* nbytes passed for regularity, maybe need later */
+ protected int
+ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
+-    int mode, int text)
++    uint16_t indir_level, uint16_t *name_count, int mode, int text)
+ {
+ 	struct mlist *ml;
+ 	int rv, printed_something = 0, need_separator = 0;
++	uint16_t nc;
++
++	if (name_count == NULL) {
++		nc = 0;
++		name_count = &nc;
++	}
+ 	for (ml = ms->mlist[0]->next; ml != ms->mlist[0]; ml = ml->next)
+ 		if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, 0, mode,
+-		    text, 0, 0, &printed_something, &need_separator,
+-		    NULL)) != 0)
++		    text, 0, indir_level, name_count,
++		    &printed_something, &need_separator, NULL)) != 0)
+ 			return rv;
+ 
+ 	return 0;
+@@ -112,8 +118,8 @@ file_softmagic(struct magic_set *ms, con
+ private int
+ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
+     const unsigned char *s, size_t nbytes, size_t offset, int mode, int text,
+-    int flip, int recursion_level, int *printed_something, int *need_separator,
+-    int *returnval)
++    int flip, uint16_t indir_level, uint16_t *name_count,
++    int *printed_something, int *need_separator, int *returnval)
+ {
+ 	uint32_t magindex = 0;
+ 	unsigned int cont_level = 0;
+@@ -150,8 +156,8 @@ match(struct magic_set *ms, struct magic
+ 
+ 		/* if main entry matches, print it... */
+ 		switch (mget(ms, s, m, nbytes, offset, cont_level, mode, text,
+-		    flip, recursion_level + 1, printed_something,
+-		    need_separator, returnval)) {
++		    flip, indir_level, name_count,
++		    printed_something, need_separator, returnval)) {
+ 		case -1:
+ 			return -1;
+ 		case 0:
+@@ -237,8 +243,8 @@ match(struct magic_set *ms, struct magic
+ 			}
+ #endif
+ 			switch (mget(ms, s, m, nbytes, offset, cont_level, mode,
+-			    text, flip, recursion_level + 1, printed_something,
+-			    need_separator, returnval)) {
++			    text, flip, indir_level, name_count,
++			    printed_something, need_separator, returnval)) {
+ 			case -1:
+ 				return -1;
+ 			case 0:
+@@ -1120,8 +1126,8 @@ mcopy(struct magic_set *ms, union VALUET
+ private int
+ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+     size_t nbytes, size_t o, unsigned int cont_level, int mode, int text,
+-    int flip, int recursion_level, int *printed_something,
+-    int *need_separator, int *returnval)
++    int flip, uint16_t indir_level, uint16_t *name_count,
++    int *printed_something, int *need_separator, int *returnval)
+ {
+ 	uint32_t soffset, offset = ms->offset;
+ 	uint32_t count = m->str_range;
+@@ -1130,8 +1136,15 @@ mget(struct magic_set *ms, const unsigne
+ 	union VALUETYPE *p = &ms->ms_value;
+ 	struct mlist ml;
+ 
+-	if (recursion_level >= 20) {
+-		file_error(ms, 0, "recursion nesting exceeded");
++	if (indir_level >= ms->indir_max) {
++		file_error(ms, 0, "indirect recursion nesting (%hu) exceeded",
++		    indir_level);
++		return -1;
++	}
++
++	if (*name_count >= ms->name_max) {
++		file_error(ms, 0, "name use count (%hu) exceeded",
++		    *name_count);
+ 		return -1;
+ 	}
+ 
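Review bot: both new guards compare with `>=` against per-handle fields, so a magic_set whose indir_max or name_max is left at 0 fails the first mget() call, where indir_level is 0 and *name_count is 0. The code that sets those fields is not in these hunks; confirm that the part of the patch creating the magic_set gives both a non-zero default, and document the defaults next to the removed hard-coded limit of 20.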
+@@ -1141,8 +1154,9 @@ mget(struct magic_set *ms, const unsigne
+ 
+ 	if ((ms->flags & MAGIC_DEBUG) != 0) {
+ 		fprintf(stderr, "mget(type=%d, flag=%x, offset=%u, o=%zu, "
+-		    "nbytes=%zu, count=%u)\n", m->type, m->flag, offset, o,
+-		    nbytes, count);
++		    "nbytes=%zu, il=%hu, nc=%hu)\n",
++		    m->type, m->flag, offset, o, nbytes,
++		    indir_level, *name_count);
+ 		mdebug(offset, (char *)(void *)p, sizeof(union VALUETYPE));
+ #ifndef COMPILE_ONLY
+ 		file_mdump(m);
+@@ -1711,7 +1725,7 @@ mget(struct magic_set *ms, const unsigne
+ 		ms->o.buf = NULL;
+ 		ms->offset = 0;
+ 		rv = file_softmagic(ms, s + offset, nbytes - offset,
+-		    BINTEST, text);
++		    indir_level + 1, name_count, BINTEST, text);
+ 		if ((ms->flags & MAGIC_DEBUG) != 0)
+ 			fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);
+ 		rbuf = ms->o.buf;
+@@ -1730,22 +1744,22 @@ mget(struct magic_set *ms, const unsigne
+ 	case FILE_USE:
+ 		if (nbytes < offset)
+ 			return 0;
+-		sbuf = m->value.s;
+-		if (*sbuf == '^') {
+-			sbuf++;
++		rbuf = m->value.s;
++		if (*rbuf == '^') {
++			rbuf++;
+ 			flip = !flip;
+ 		}
+-		if (file_magicfind(ms, sbuf, &ml) == -1) {
+-			file_error(ms, 0, "cannot find entry `%s'", sbuf);
++		if (file_magicfind(ms, rbuf, &ml) == -1) {
++			file_error(ms, 0, "cannot find entry `%s'", rbuf);
+ 			return -1;
+ 		}
+-
++		(*name_count)++;
+ 		oneed_separator = *need_separator;
+ 		if (m->flag & NOSPACE)
+ 			*need_separator = 0;
+ 		rv = match(ms, ml.magic, ml.nmagic, s, nbytes, offset + o,
+-		    mode, text, flip, recursion_level, printed_something,
+-		    need_separator, returnval);
++		    mode, text, flip, indir_level, name_count,
++		    printed_something, need_separator, returnval);
+ 		if (rv != 1)
+ 		    *need_separator = oneed_separator;
+ 		return rv;
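Review bot: the FILE_USE branch passes indir_level to match() unchanged, so nested `use` entries are no longer limited by depth the way the removed `recursion_level >= 20` test limited them; the only bound left is the cumulative `*name_count >= ms->name_max` check at the top of mget(). Confirm that the default for name_max keeps the resulting C recursion depth within stack limits, and document that the counter is shared across the whole file_softmagic() call tree, including the indirect call that now receives name_count.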
diff --git a/meta/recipes-devtools/file/file_5.16.bb b/meta/recipes-devtools/file/file_5.16.bb
index a15d952..f231a55 100644
--- a/meta/recipes-devtools/file/file_5.16.bb
+++ b/meta/recipes-devtools/file/file_5.16.bb
@@ -12,6 +12,7 @@ DEPENDS = "zlib file-native"
 DEPENDS_class-native = "zlib-native"
 
 SRC_URI = "ftp://ftp.astron.com/pub/file/file-${PV}.tar.gz \
+           file://file-CVE-2014-9620-and-CVE-2014-9621.patch \
            file://dump \
            file://filesystems"
 
-- 
2.1.0




* [PATCH 09/10] bind: fix for CVE-2014-8500
  2015-02-05 18:39 [PATCH 00/10][daisy] Patches for Daisy Saul Wold
                   ` (7 preceding siblings ...)
  2015-02-05 18:39 ` [PATCH 08/10] file: CVE-2014-9620 and CVE-2014-9621 Saul Wold
@ 2015-02-05 18:39 ` Saul Wold
  2015-02-05 18:39 ` [PATCH 10/10] btrfs: create an empty file to build the fs in Saul Wold
  9 siblings, 0 replies; 11+ messages in thread
From: Saul Wold @ 2015-02-05 18:39 UTC (permalink / raw)
  To: openembedded-core

From: Sona Sarmadi <sona.sarmadi@enea.com>

[From upstream commit: 603a0e2637b35a2da820bc807f69bcf09c682dce]

[YOCTO #7098]

External References:
===================
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500

(From OE-Core rev: 7225d6e0c82f264057de40c04b31655f2b0e0c96)

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../bind/bind/bind9_9_5-CVE-2014-8500.patch        | 990 +++++++++++++++++++++
 meta/recipes-connectivity/bind/bind_9.9.5.bb       |   1 +
 2 files changed, 991 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch

diff --git a/meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch b/meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch
new file mode 100644
index 0000000..62142d2
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch
@@ -0,0 +1,990 @@
+From 603a0e2637b35a2da820bc807f69bcf09c682dce Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Mon, 17 Nov 2014 23:49:07 -0800
+Subject: [PATCH] [v9_9] limit recursion depth and iterative queries
+
+4006.	[security]	A flaw in delegation handling could be exploited
+			to put named into an infinite loop.  This has
+			been addressed by placing limits on the number
+			of levels of recursion named will allow (default 7),
+			and the number of iterative queries that it will
+			send (default 50) before terminating a recursive
+			query (CVE-2014-8500).
+
+			The recursion depth limit is configured via the
+			"max-recursion-depth" option.  [RT #35780]
+
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ bin/named/config.c                   |  3 +-
+ bin/named/include/named/query.h      |  2 -
+ bin/named/query.c                    |  7 ++-
+ bin/named/server.c                   |  5 ++
+ bin/tests/system/many/clean.sh       |  7 +++
+ bin/tests/system/many/ns1/named.conf | 33 +++++++++++++
+ bin/tests/system/many/ns2/named.conf | 30 ++++++++++++
+ bin/tests/system/many/ns3/named.conf | 32 +++++++++++++
+ bin/tests/system/many/ns4/named.conf | 30 ++++++++++++
+ bin/tests/system/many/ns5/hints.db   |  2 +
+ bin/tests/system/many/ns5/named.conf | 29 ++++++++++++
+ bin/tests/system/many/setup.sh       | 75 ++++++++++++++++++++++++++++++
+ bin/tests/system/many/tests.sh       | 48 +++++++++++++++++++
+ doc/arm/Bv9ARM-book.xml              | 12 +++++
+ lib/dns/adb.c                        | 58 ++++++++++++++++-------
+ lib/dns/include/dns/adb.h            |  8 ++++
+ lib/dns/include/dns/resolver.h       | 25 ++++++++++
+ lib/dns/resolver.c                   | 90 ++++++++++++++++++++++++++++++------
+ lib/isccfg/namedconf.c               |  1 +
+ 20 files changed, 471 insertions(+), 37 deletions(-)
+ create mode 100644 bin/tests/system/many/clean.sh
+ create mode 100644 bin/tests/system/many/ns1/named.conf
+ create mode 100644 bin/tests/system/many/ns2/named.conf
+ create mode 100644 bin/tests/system/many/ns3/named.conf
+ create mode 100644 bin/tests/system/many/ns4/named.conf
+ create mode 100644 bin/tests/system/many/ns5/hints.db
+ create mode 100644 bin/tests/system/many/ns5/named.conf
+ create mode 100644 bin/tests/system/many/setup.sh
+ create mode 100644 bin/tests/system/many/tests.sh
+
+diff --git a/bin/named/config.c b/bin/named/config.c
+index 2782720..5ee8c4e 100644
+--- a/bin/named/config.c
++++ b/bin/named/config.c
+@@ -15,8 +15,6 @@
+  * PERFORMANCE OF THIS SOFTWARE.
+  */
+
+-/* $Id: config.c,v 1.123 2012/01/06 23:46:41 tbox Exp $ */
+-
+ /*! \file */
+
+ #include <config.h>
+@@ -160,6 +158,7 @@ options {\n\
+ 	dnssec-accept-expired no;\n\
+ 	clients-per-query 10;\n\
+ 	max-clients-per-query 100;\n\
++	max-recursion-depth 7;\n\
+ 	zero-no-soa-ttl-cache no;\n\
+ 	nsec3-test-zone no;\n\
+ 	allow-new-zones no;\n\
+diff --git a/bin/named/include/named/query.h b/bin/named/include/named/query.h
+index 3beabb8..b5e3900 100644
+--- a/bin/named/include/named/query.h
++++ b/bin/named/include/named/query.h
+@@ -15,8 +15,6 @@
+  * PERFORMANCE OF THIS SOFTWARE.
+  */
+
+-/* $Id: query.h,v 1.45 2011/01/13 04:59:24 tbox Exp $ */
+-
+ #ifndef NAMED_QUERY_H
+ #define NAMED_QUERY_H 1
+
+diff --git a/bin/named/query.c b/bin/named/query.c
+index 982f76d..47bfc6a 100644
+--- a/bin/named/query.c
++++ b/bin/named/query.c
+@@ -3877,12 +3877,11 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
+ 		peeraddr = &client->peeraddr;
+ 	else
+ 		peeraddr = NULL;
+-	result = dns_resolver_createfetch2(client->view->resolver,
++	result = dns_resolver_createfetch3(client->view->resolver,
+ 					   qname, qtype, qdomain, nameservers,
+ 					   NULL, peeraddr, client->message->id,
+-					   client->query.fetchoptions,
+-					   client->task,
+-					   query_resume, client,
++					   client->query.fetchoptions, 0,
++					   client->task, query_resume, client,
+ 					   rdataset, sigrdataset,
+ 					   &client->query.fetch);
+ 
+diff --git a/bin/named/server.c b/bin/named/server.c
+index ac015a4..0559977 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -3161,6 +3161,11 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
+ 					cfg_obj_asuint32(obj),
+ 					max_clients_per_query);
+ 
++	obj = NULL;
++	result = ns_config_get(maps, "max-recursion-depth", &obj);
++	INSIST(result == ISC_R_SUCCESS);
++	dns_resolver_setmaxdepth(view->resolver, cfg_obj_asuint32(obj));
++
+ #ifdef ALLOW_FILTER_AAAA_ON_V4
+ 	obj = NULL;
+ 	result = ns_config_get(maps, "filter-aaaa-on-v4", &obj);
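Review bot: the value read for "max-recursion-depth" goes straight from cfg_obj_asuint32(obj) into dns_resolver_setmaxdepth() with no range check in this hunk, so whether 0 disables the limit or makes every recursive fetch fail is decided by code outside it. State the meaning of 0 and the accepted range in the doc/arm/Bv9ARM-book.xml text this commit adds, and reject out-of-range values at configuration time if 0 is not meant to be usable.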
+diff --git a/bin/tests/system/many/clean.sh b/bin/tests/system/many/clean.sh
+new file mode 100644
+index 0000000..119b1f5
+--- /dev/null
++++ b/bin/tests/system/many/clean.sh
+@@ -0,0 +1,7 @@
++rm -f ns1/[1-9]*example.tld?.db
++rm -f ns2/[1-9]*example.tld?.db
++rm -f ns1/zones.conf
++rm -f ns2/zones.conf
++rm -f */root.db
++rm -f ns3/tld1.db
++rm -f ns4/tld2.db
+diff --git a/bin/tests/system/many/ns1/named.conf b/bin/tests/system/many/ns1/named.conf
+new file mode 100644
+index 0000000..abc9dca
+--- /dev/null
++++ b/bin/tests/system/many/ns1/named.conf
+@@ -0,0 +1,33 @@
++/*
++ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++ * PERFORMANCE OF THIS SOFTWARE.
++ */
++
++controls { /* empty */ };
++
++options {
++	query-source address 10.53.0.1;
++	notify-source 10.53.0.1;
++	transfer-source 10.53.0.1;
++	port 5300;
++	pid-file "named.pid";
++	listen-on { 10.53.0.1; };
++	listen-on-v6 { none; };
++	recursion no;
++};
++
++include "zones.conf";
++
++// zone "tld1" { type master; file "tld1.db"; };
++// zone "tld2" { type master; file "tld2.db"; };
+diff --git a/bin/tests/system/many/ns2/named.conf b/bin/tests/system/many/ns2/named.conf
+new file mode 100644
+index 0000000..16266e2
+--- /dev/null
++++ b/bin/tests/system/many/ns2/named.conf
+@@ -0,0 +1,30 @@
++/*
++ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++ * PERFORMANCE OF THIS SOFTWARE.
++ */
++
++controls { /* empty */ };
++
++options {
++	query-source address 10.53.0.2;
++	notify-source 10.53.0.2;
++	transfer-source 10.53.0.2;
++	port 5300;
++	pid-file "named.pid";
++	listen-on { 10.53.0.2; };
++	listen-on-v6 { none; };
++	recursion no;
++};
++
++include "zones.conf";
+diff --git a/bin/tests/system/many/ns3/named.conf b/bin/tests/system/many/ns3/named.conf
+new file mode 100644
+index 0000000..b950afe
+--- /dev/null
++++ b/bin/tests/system/many/ns3/named.conf
+@@ -0,0 +1,32 @@
++/*
++ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++ * PERFORMANCE OF THIS SOFTWARE.
++ */
++
++controls { /* empty */ };
++
++options {
++	query-source address 10.53.0.3;
++	notify-source 10.53.0.3;
++	transfer-source 10.53.0.3;
++	port 5300;
++	pid-file "named.pid";
++	listen-on { 10.53.0.3; };
++	listen-on-v6 { none; };
++	recursion no;
++};
++
++zone "." { type master; file "root.db"; };
++
++zone "tld1" { type master; file "tld1.db"; };
+diff --git a/bin/tests/system/many/ns4/named.conf b/bin/tests/system/many/ns4/named.conf
+new file mode 100644
+index 0000000..ca9aa6a
+--- /dev/null
++++ b/bin/tests/system/many/ns4/named.conf
+@@ -0,0 +1,30 @@
++/*
++ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++ * PERFORMANCE OF THIS SOFTWARE.
++ */
++
++controls { /* empty */ };
++
++options {
++	query-source address 10.53.0.4;
++	notify-source 10.53.0.4;
++	transfer-source 10.53.0.4;
++	port 5300;
++	pid-file "named.pid";
++	listen-on { 10.53.0.4; };
++	listen-on-v6 { none; };
++	recursion no;
++};
++
++zone "tld2" { type master; file "tld2.db"; };
+diff --git a/bin/tests/system/many/ns5/hints.db b/bin/tests/system/many/ns5/hints.db
+new file mode 100644
+index 0000000..c05809b
+--- /dev/null
++++ b/bin/tests/system/many/ns5/hints.db
+@@ -0,0 +1,2 @@
++. 60 in ns ns.nil.
++ns.nil. 60 in A 10.53.0.3
+diff --git a/bin/tests/system/many/ns5/named.conf b/bin/tests/system/many/ns5/named.conf
+new file mode 100644
+index 0000000..fce7d59
+--- /dev/null
++++ b/bin/tests/system/many/ns5/named.conf
+@@ -0,0 +1,29 @@
++/*
++ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++ * PERFORMANCE OF THIS SOFTWARE.
++ */
++
++controls { /* empty */ };
++
++options {
++	query-source address 10.53.0.5;
++	notify-source 10.53.0.5;
++	transfer-source 10.53.0.5;
++	port 5300;
++	pid-file "named.pid";
++	listen-on { 10.53.0.5; };
++	listen-on-v6 { none; };
++};
++
++zone "." { type hint; file "hints.db"; };
+diff --git a/bin/tests/system/many/setup.sh b/bin/tests/system/many/setup.sh
+new file mode 100644
+index 0000000..80695b5
+--- /dev/null
++++ b/bin/tests/system/many/setup.sh
+@@ -0,0 +1,75 @@
++i=1
++
++cat > ns3/root.db << EOF
++. 60 in soa ns.nil. hostmaster.ns.nil. 1 0 0 0 0
++. 60 in ns ns.nil.
++ns.nil. 60 in a 10.53.0.3
++tld1. 60 in ns ns.tld1.
++ns.tld1. 60 in a 10.53.0.3
++tld2. 60 in ns ns.tld2.
++ns.tld2. 60 in a 10.53.0.4
++EOF
++
++cat > ns3/tld1.db << EOF
++tld1. 60 in soa ns.tld1. hostmaster.ns.tld1. 1 0 0 0 0
++tld1. 60 in ns ns.tld1.
++ns.tld1. 60 in a 10.53.0.1
++EOF
++
++cat > ns4/tld2.db << EOF
++tld2. 60 in soa ns.tld2. hostmaster.ns.tld4. 1 0 0 0 0
++tld2. 60 in ns ns.tld2.
++ns.tld2. 60 in a 10.53.0.1
++EOF
++
++: > ns1/zones.conf
++: > ns2/zones.conf
++
++while [ $i -lt 1000 ]
++do
++j=`expr $i + 1`
++s=`expr $j % 2 + 1`
++n=`expr $i % 2 + 1`
++t=`expr $s + 2`
++
++# i=1 j=2 s=1 n=2
++# i=2 j=3 s=1 n=2
++# i=3 j=4 s=1 n=2
++
++cat > ns1/${i}example.tld${s}.db << EOF
++${i}example.tld${s}. 60 in soa ns.${j}example.tld${n}. hostmaster 1 0 0 0 0
++${i}example.tld${s}. 60 in ns ns.${j}example.tld${n}.
++ns.${i}example.tld${s}. 60 in a 10.53.0.1
++EOF
++
++cat >> ns1/zones.conf << EOF
++zone "${i}example.tld${s}" { type master; file "${i}example.tld${s}.db"; };
++EOF
++
++cat >> ns${t}/tld${s}.db << EOF
++${i}example.tld${s}. 60 in ns ns.${j}example.tld${n}.
++EOF
++
++i=$j
++
++done
++
++j=`expr $i + 1`
++s=`expr $j % 2 + 1`
++n=`expr $s % 2 + 1`
++t=`expr $s + 2`
++
++cat > ns1/${i}example.tld${s}.db << EOF
++${i}example.tld${s}. 60 in soa ns.${i}example.tld${s}. hostmaster 1 0 0 0 0
++${i}example.tld${s}. 60 in ns ns.${i}example.tld${s}.
++ns.${i}example.tld${s}. 60 in a 10.53.0.1
++EOF
++
++cat >> ns1/zones.conf << EOF
++zone "${i}example.tld${s}" { type master; file "${i}example.tld${s}.db"; };
++EOF
++
++cat >> ns${t}/tld${s}.db << EOF
++${i}example.tld${s}. 60 in ns ns.${i}example.tld${s}.
++ns.${i}example.tld${s}. 60 in a 10.53.0.1
++EOF
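Review bot: The SOA line written to ns4/tld2.db gives the contact as hostmaster.ns.tld4., which looks like a typo for hostmaster.ns.tld2. since the zone files shown define only tld1 and tld2. The three-line comment inside the loop (i=2 j=3 s=1 n=2 and so on) does not match what the expr lines compute: for i=2 they yield s=2 and n=1, so the comment should be corrected or dropped. After the loop, n is recomputed from $s but is not used by any of the remaining here-documents, and the script has no #!/bin/sh line or copyright header although tests.sh in the same directory carries both.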
+diff --git a/bin/tests/system/many/tests.sh b/bin/tests/system/many/tests.sh
+new file mode 100644
+index 0000000..37964e2
+--- /dev/null
++++ b/bin/tests/system/many/tests.sh
+@@ -0,0 +1,48 @@
++#!/bin/sh
++#
++# Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
++#
++# Permission to use, copy, modify, and/or distribute this software for any
++# purpose with or without fee is hereby granted, provided that the above
++# copyright notice and this permission notice appear in all copies.
++#
++# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++# PERFORMANCE OF THIS SOFTWARE.
++
++SYSTEMTESTTOP=..
++. $SYSTEMTESTTOP/conf.sh
++
++status=0
++n=0
++
++n=`expr $n + 1`
++echo "I: attempt lookup 1example.tld2 soa ($n)"
++ret=0
++$DIG +tcp 1example.tld1 soa @10.53.0.5 -p 5300  > dig.out.test$n
++grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
++if [ $ret != 0 ]; then echo "I:failed"; fi
++status=`expr $status + $ret`
++
++n=`expr $n + 1`
++echo "I: attempt lookup 992example.tld2 soa ($n)"
++ret=0
++$DIG +tcp 992example.tld2 soa @10.53.0.5 -p 5300 >  dig.out.test$n
++grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
++if [ $ret != 0 ]; then echo "I:failed"; fi
++status=`expr $status + $ret`
++
++n=`expr $n + 1`
++echo "I: attempt lookup 993example.tld1 soa ($n)"
++ret=0
++$DIG +tcp 993example.tld1 soa @10.53.0.5 -p 5300 >  dig.out.test$n
++grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
++if [ $ret != 0 ]; then echo "I:failed"; fi
++status=`expr $status + $ret`
++
++echo "I:exit status: $status"
++exit $status
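Review bot: The first test's echo line announces a lookup of 1example.tld2, but the dig command two lines later queries 1example.tld1; the message should name 1example.tld1 so that a failure report points at the query that actually ran. Each test also decides pass or fail only by grepping the saved output for a status string, so a dig that produced no output is reported as the same "I:failed" as a wrong rcode; checking dig's exit status separately would tell the two apart.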
+diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
+index 9f7bd38..fff4249 100644
+--- a/doc/arm/Bv9ARM-book.xml
++++ b/doc/arm/Bv9ARM-book.xml
+@@ -4861,6 +4861,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
+     <optional> max-acache-size <replaceable>size_spec</replaceable> ; </optional>
+     <optional> clients-per-query <replaceable>number</replaceable> ; </optional>
+     <optional> max-clients-per-query <replaceable>number</replaceable> ; </optional>
++    <optional> max-recursion-depth <replaceable>number</replaceable> ; </optional>
+     <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
+     <optional> empty-server <replaceable>name</replaceable> ; </optional>
+     <optional> empty-contact <replaceable>name</replaceable> ; </optional>
+@@ -8680,6 +8681,17 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
+ 	      </listitem>
+ 	    </varlistentry>
+ 
++	    <varlistentry id="max-recursion-depth">
++	      <term><command>max-recursion-depth</command></term>
++	      <listitem>
++		<para>
++		  Sets the maximum number of levels of recursion
++		  permitted at any one time while resolving a name.
++		  The default is 7.
++		</para>
++	      </listitem>
++	    </varlistentry>
++
+ 	    <varlistentry>
+ 	      <term><command>notify-delay</command></term>
+ 	      <listitem>
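Review bot: The new max-recursion-depth entry states the default but not what a client sees when the limit is exceeded, and the second limit this patch introduces, DEFAULT_MAX_QUERIES (50) in lib/dns/resolver.c, is not documented here at all. Suggest adding a sentence that resolution fails with SERVFAIL once the depth limit is passed, and a note that the per-fetch query cap exists and is a compile-time constant.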
+diff --git a/lib/dns/adb.c b/lib/dns/adb.c
+index 2ccb51e..fe9b3f7 100644
+--- a/lib/dns/adb.c
++++ b/lib/dns/adb.c
+@@ -199,6 +199,7 @@ struct dns_adbfetch {
+ 	unsigned int                    magic;
+ 	dns_fetch_t                    *fetch;
+ 	dns_rdataset_t                  rdataset;
++	unsigned int			depth;
+ };
+ 
+ /*%
+@@ -300,7 +301,7 @@ static inline void violate_locking_hierarchy(isc_mutex_t *, isc_mutex_t *);
+ static isc_boolean_t clean_namehooks(dns_adb_t *, dns_adbnamehooklist_t *);
+ static void clean_target(dns_adb_t *, dns_name_t *);
+ static void clean_finds_at_name(dns_adbname_t *, isc_eventtype_t,
+-				unsigned int);
++				isc_uint32_t, unsigned int);
+ static isc_boolean_t check_expire_namehooks(dns_adbname_t *, isc_stdtime_t);
+ static isc_boolean_t check_expire_entry(dns_adb_t *, dns_adbentry_t **,
+ 					isc_stdtime_t);
+@@ -308,7 +309,7 @@ static void cancel_fetches_at_name(dns_adbname_t *);
+ static isc_result_t dbfind_name(dns_adbname_t *, isc_stdtime_t,
+ 				dns_rdatatype_t);
+ static isc_result_t fetch_name(dns_adbname_t *, isc_boolean_t,
+-			       dns_rdatatype_t);
++			       unsigned int, dns_rdatatype_t);
+ static inline void check_exit(dns_adb_t *);
+ static void destroy(dns_adb_t *);
+ static isc_boolean_t shutdown_names(dns_adb_t *);
+@@ -984,7 +985,7 @@ kill_name(dns_adbname_t **n, isc_eventtype_t ev) {
+ 	 * Clean up the name's various lists.  These two are destructive
+ 	 * in that they will always empty the list.
+ 	 */
+-	clean_finds_at_name(name, ev, DNS_ADBFIND_ADDRESSMASK);
++	clean_finds_at_name(name, ev, 0, DNS_ADBFIND_ADDRESSMASK);
+ 	result4 = clean_namehooks(adb, &name->v4);
+ 	result6 = clean_namehooks(adb, &name->v6);
+ 	clean_target(adb, &name->target);
+@@ -1409,7 +1410,7 @@ event_free(isc_event_t *event) {
+  */
+ static void
+ clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype,
+-		    unsigned int addrs)
++		    isc_uint32_t qtotal, unsigned int addrs)
+ {
+ 	isc_event_t *ev;
+ 	isc_task_t *task;
+@@ -1469,6 +1470,7 @@ clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype,
+ 			ev->ev_sender = find;
+ 			find->result_v4 = find_err_map[name->fetch_err];
+ 			find->result_v6 = find_err_map[name->fetch6_err];
++			find->qtotal += qtotal;
+ 			ev->ev_type = evtype;
+ 			ev->ev_destroy = event_free;
+ 			ev->ev_destroy_arg = find;
+@@ -1827,6 +1829,7 @@ new_adbfind(dns_adb_t *adb) {
+ 	h->flags = 0;
+ 	h->result_v4 = ISC_R_UNEXPECTED;
+ 	h->result_v6 = ISC_R_UNEXPECTED;
++	h->qtotal = 0;
+ 	ISC_LINK_INIT(h, publink);
+ 	ISC_LINK_INIT(h, plink);
+ 	ISC_LIST_INIT(h->list);
+@@ -2799,6 +2802,19 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+ 		   isc_stdtime_t now, dns_name_t *target,
+ 		   in_port_t port, dns_adbfind_t **findp)
+ {
++	return (dns_adb_createfind2(adb, task, action, arg, name,
++				    qname, qtype, options, now,
++				    target, port, 0, findp));
++}
++
++isc_result_t
++dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
++		    void *arg, dns_name_t *name, dns_name_t *qname,
++		    dns_rdatatype_t qtype, unsigned int options,
++		    isc_stdtime_t now, dns_name_t *target,
++		    in_port_t port, unsigned int depth,
++		    dns_adbfind_t **findp)
++{
+ 	dns_adbfind_t *find;
+ 	dns_adbname_t *adbname;
+ 	int bucket;
+@@ -3029,7 +3045,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+ 		 * Start V4.
+ 		 */
+ 		if (WANT_INET(wanted_fetches) &&
+-		    fetch_name(adbname, start_at_zone,
++		    fetch_name(adbname, start_at_zone, depth,
+ 			       dns_rdatatype_a) == ISC_R_SUCCESS) {
+ 			DP(DEF_LEVEL,
+ 			   "dns_adb_createfind: started A fetch for name %p",
+@@ -3040,7 +3056,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+ 		 * Start V6.
+ 		 */
+ 		if (WANT_INET6(wanted_fetches) &&
+-		    fetch_name(adbname, start_at_zone,
++		    fetch_name(adbname, start_at_zone, depth,
+ 			       dns_rdatatype_aaaa) == ISC_R_SUCCESS) {
+ 			DP(DEF_LEVEL,
+ 			   "dns_adb_createfind: "
+@@ -3656,6 +3672,7 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
+ 	isc_result_t result;
+ 	unsigned int address_type;
+ 	isc_boolean_t want_check_exit = ISC_FALSE;
++	isc_uint32_t qtotal = 0;
+ 
+ 	UNUSED(task);
+ 
+@@ -3666,6 +3683,8 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
+ 	adb = name->adb;
+ 	INSIST(DNS_ADB_VALID(adb));
+ 
++	qtotal = dev->qtotal;
++
+ 	bucket = name->lock_bucket;
+ 	LOCK(&adb->namelocks[bucket]);
+ 
+@@ -3783,6 +3802,12 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
+ 		DP(DEF_LEVEL, "adb: fetch of '%s' %s failed: %s",
+ 		   buf, address_type == DNS_ADBFIND_INET ? "A" : "AAAA",
+ 		   dns_result_totext(dev->result));
++		/*
++		 * Don't record a failure unless this is the initial
++		 * fetch of a chain.
++		 */
++		if (fetch->depth > 1)
++			goto out;
+ 		/* XXXMLG Don't pound on bad servers. */
+ 		if (address_type == DNS_ADBFIND_INET) {
+ 			name->expire_v4 = ISC_MIN(name->expire_v4, now + 300);
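Review bot: The test `fetch->depth > 1` only means "not the initial fetch of a chain" because findname() in lib/dns/resolver.c passes fctx->depth + 1 and top-level fetches start at depth 0; that coupling is not stated here and the bare constant is easy to break if either side changes. Suggest extending the comment to say where depth 1 comes from, or giving the value a name shared with resolver.c.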
+@@ -3814,15 +3839,14 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
+ 	free_adbfetch(adb, &fetch);
+ 	isc_event_free(&ev);
+ 
+-	clean_finds_at_name(name, ev_status, address_type);
++	clean_finds_at_name(name, ev_status, qtotal, address_type);
+ 
+ 	UNLOCK(&adb->namelocks[bucket]);
+ }
+ 
+ static isc_result_t
+-fetch_name(dns_adbname_t *adbname,
+-	   isc_boolean_t start_at_zone,
+-	   dns_rdatatype_t type)
++fetch_name(dns_adbname_t *adbname, isc_boolean_t start_at_zone,
++	   unsigned int depth, dns_rdatatype_t type)
+ {
+ 	isc_result_t result;
+ 	dns_adbfetch_t *fetch = NULL;
+@@ -3867,12 +3891,14 @@ fetch_name(dns_adbname_t *adbname,
+ 		result = ISC_R_NOMEMORY;
+ 		goto cleanup;
+ 	}
+-
+-	result = dns_resolver_createfetch(adb->view->resolver, &adbname->name,
+-					  type, name, nameservers, NULL,
+-					  options, adb->task, fetch_callback,
+-					  adbname, &fetch->rdataset, NULL,
+-					  &fetch->fetch);
++	fetch->depth = depth;
++
++	result = dns_resolver_createfetch3(adb->view->resolver, &adbname->name,
++					   type, name, nameservers, NULL,
++					   NULL, 0, options, depth, adb->task,
++					   fetch_callback, adbname,
++					   &fetch->rdataset, NULL,
++					   &fetch->fetch);
+ 	if (result != ISC_R_SUCCESS)
+ 		goto cleanup;
+ 
+diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
+index 35350ff..7501f01 100644
+--- a/lib/dns/include/dns/adb.h
++++ b/lib/dns/include/dns/adb.h
+@@ -118,6 +118,8 @@ struct dns_adbfind {
+ 	isc_result_t			result_v6;	/*%< RO: v6 result */
+ 	ISC_LINK(dns_adbfind_t)		publink;	/*%< RW: client use */
+ 
++	isc_uint32_t			qtotal;
++
+ 	/* Private */
+ 	isc_mutex_t			lock;		/* locks all below */
+ 	in_port_t			port;
+@@ -334,6 +336,12 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+ 		   dns_rdatatype_t qtype, unsigned int options,
+ 		   isc_stdtime_t now, dns_name_t *target,
+ 		   in_port_t port, dns_adbfind_t **find);
++isc_result_t
++dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
++		    void *arg, dns_name_t *name, dns_name_t *qname,
++		    dns_rdatatype_t qtype, unsigned int options,
++		    isc_stdtime_t now, dns_name_t *target, in_port_t port,
++		    unsigned int depth, dns_adbfind_t **find);
+ /*%<
+  * Main interface for clients. The adb will look up the name given in
+  * "name" and will build up a list of found addresses, and perhaps start
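Review bot: dns_adb_createfind2() is declared between dns_adb_createfind() and the doc comment that follows, and the hunk adds no text describing the new depth argument or how the two entry points differ. Suggest adding a short paragraph to that comment stating that dns_adb_createfind() is equivalent to calling dns_adb_createfind2() with depth 0 and what callers are expected to pass for nested lookups.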
+diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
+index 4e20eb6..c256049 100644
+--- a/lib/dns/include/dns/resolver.h
++++ b/lib/dns/include/dns/resolver.h
+@@ -82,6 +82,7 @@ typedef struct dns_fetchevent {
+ 	isc_sockaddr_t *		client;
+ 	dns_messageid_t			id;
+ 	isc_result_t			vresult;
++	isc_uint32_t 			qtotal;
+ } dns_fetchevent_t;
+ 
+ /*
+@@ -275,6 +276,18 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
+ 			  dns_rdataset_t *rdataset,
+ 			  dns_rdataset_t *sigrdataset,
+ 			  dns_fetch_t **fetchp);
++isc_result_t
++dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name,
++			  dns_rdatatype_t type,
++			  dns_name_t *domain, dns_rdataset_t *nameservers,
++			  dns_forwarders_t *forwarders,
++			  isc_sockaddr_t *client, isc_uint16_t id,
++			  unsigned int options, unsigned int depth,
++			  isc_task_t *task,
++			  isc_taskaction_t action, void *arg,
++			  dns_rdataset_t *rdataset,
++			  dns_rdataset_t *sigrdataset,
++			  dns_fetch_t **fetchp);
+ /*%<
+  * Recurse to answer a question.
+  *
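Review bot: The prototype declares `isc_uint16_t id`, while the definition of dns_resolver_createfetch3() added in lib/dns/resolver.c takes `dns_messageid_t id`; the declaration and definition should use the same type name. The hunk also adds nothing to the doc comment that follows to describe the depth parameter.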
+@@ -576,6 +589,18 @@ dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp);
+  * \li	resolver to be valid.
+  */
+ 
++void
++dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth);
++unsigned int
++dns_resolver_getmaxdepth(dns_resolver_t *resolver);
++/*%
++ * Get and set how many NS indirections will be followed when looking for
++ * nameserver addresses.
++ *
++ * Requires:
++ * \li	resolver to be valid.
++ */
++
+ ISC_LANG_ENDDECLS
+ 
+ #endif /* DNS_RESOLVER_H */
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index e517dad..6a635b2 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -131,6 +131,16 @@
+ #define MAXIMUM_QUERY_TIMEOUT 30 /* The maximum time in seconds for the whole query to live. */
+ #endif
+ 
++/* The default maximum number of recursions to follow before giving up. */
++#ifndef DEFAULT_RECURSION_DEPTH
++#define DEFAULT_RECURSION_DEPTH 7
++#endif
++
++/* The default maximum number of iterative queries to allow before giving up. */
++#ifndef DEFAULT_MAX_QUERIES
++#define DEFAULT_MAX_QUERIES 50
++#endif
++
+ /*%
+  * Maximum EDNS0 input packet size.
+  */
+@@ -297,6 +307,7 @@ struct fetchctx {
+ 	isc_uint64_t			duration;
+ 	isc_boolean_t			logged;
+ 	unsigned int			querysent;
++	unsigned int			totalqueries;
+ 	unsigned int			referrals;
+ 	unsigned int			lamecount;
+ 	unsigned int			neterr;
+@@ -307,6 +318,7 @@ struct fetchctx {
+ 	isc_boolean_t			timeout;
+ 	dns_adbaddrinfo_t 		*addrinfo;
+ 	isc_sockaddr_t			*client;
++	unsigned int			depth;
+ };
+ 
+ #define FCTX_MAGIC			ISC_MAGIC('F', '!', '!', '!')
+@@ -419,6 +431,7 @@ struct dns_resolver {
+ 	isc_timer_t *			spillattimer;
+ 	isc_boolean_t			zero_no_soa_ttl;
+ 	unsigned int			query_timeout;
++	unsigned int			maxdepth;
+ 
+ 	/* Locked by lock. */
+ 	unsigned int			references;
+@@ -1097,6 +1110,7 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) {
+ 			       event->result == DNS_R_NCACHENXRRSET);
+ 		}
+ 
++		event->qtotal = fctx->totalqueries;
+ 		isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
+ 		count++;
+ 	}
+@@ -1537,7 +1551,9 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
+ 		if (result != ISC_R_SUCCESS)
+ 			goto cleanup_dispatch;
+ 	}
++
+ 	fctx->querysent++;
++	fctx->totalqueries++;
+ 
+ 	ISC_LIST_APPEND(fctx->queries, query, link);
+ 	query->fctx->nqueries++;
+@@ -2194,9 +2210,10 @@ fctx_finddone(isc_task_t *task, isc_event_t *event) {
+ 		 */
+ 		INSIST(!SHUTTINGDOWN(fctx));
+ 		fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
+-		if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES)
++		if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) {
+ 			want_try = ISC_TRUE;
+-		else {
++			fctx->totalqueries += find->qtotal;
++		} else {
+ 			fctx->findfail++;
+ 			if (fctx->pending == 0) {
+ 				/*
+@@ -2479,12 +2496,13 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
+ 	 * See what we know about this address.
+ 	 */
+ 	find = NULL;
+-	result = dns_adb_createfind(fctx->adb,
+-				    res->buckets[fctx->bucketnum].task,
+-				    fctx_finddone, fctx, name,
+-				    &fctx->name, fctx->type,
+-				    options, now, NULL,
+-				    res->view->dstport, &find);
++	result = dns_adb_createfind2(fctx->adb,
++				     res->buckets[fctx->bucketnum].task,
++				     fctx_finddone, fctx, name,
++				     &fctx->name, fctx->type,
++				     options, now, NULL,
++				     res->view->dstport,
++				     fctx->depth + 1, &find);
+ 	if (result != ISC_R_SUCCESS) {
+ 		if (result == DNS_R_ALIAS) {
+ 			/*
+@@ -2592,6 +2610,11 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) {
+ 
+ 	res = fctx->res;
+ 
++	if (fctx->depth > res->maxdepth) {
++		FCTXTRACE("too much NS indirection");
++		return (DNS_R_SERVFAIL);
++	}
++
+ 	/*
+ 	 * Forwarders.
+ 	 */
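Review bot: The comparison is `fctx->depth > res->maxdepth`, and dns_resolver_createfetch() and dns_resolver_createfetch2() create top-level fetches with depth 0, so with the default of 7 a fetch at depth 7 still proceeds; either confirm this matches the documented "maximum number of levels of recursion" or use >=. The rejection is reported only through FCTXTRACE, so an operator who sees SERVFAIL has no ordinary log line tying it to this limit; a rate-limited log message naming the query would make the condition detectable in production logs.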
+@@ -3030,6 +3053,9 @@ fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) {
+ 
+ 	REQUIRE(!ADDRWAIT(fctx));
+ 
++	if (fctx->totalqueries > DEFAULT_MAX_QUERIES)
++		fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
++
+ 	addrinfo = fctx_nextaddress(fctx);
+ 	if (addrinfo == NULL) {
+ 		/*
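Review bot: There is no return after `fctx_done(fctx, DNS_R_SERVFAIL, __LINE__)`, so once totalqueries exceeds DEFAULT_MAX_QUERIES the function falls through to fctx_nextaddress() and keeps working on a fetch context that has just been completed. Put the body in braces and return immediately after fctx_done(). The cap is also fixed at the compile-time DEFAULT_MAX_QUERIES, whereas the depth limit gets a resolver field and setter; a comment explaining why this one is not configurable would help.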
+@@ -3388,6 +3414,7 @@ fctx_start(isc_task_t *task, isc_event_t *event) {
+ 		 * Normal fctx startup.
+ 		 */
+ 		fctx->state = fetchstate_active;
++		fctx->totalqueries = 0;
+ 		/*
+ 		 * Reset the control event for later use in shutting down
+ 		 * the fctx.
+@@ -3457,6 +3484,7 @@ fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_sockaddr_t *client,
+ 	event->fetch = fetch;
+ 	event->client = client;
+ 	event->id = id;
++	event->qtotal = 0;
+ 	dns_fixedname_init(&event->foundname);
+ 
+ 	/*
+@@ -3493,7 +3521,8 @@ log_ns_ttl(fetchctx_t *fctx, const char *where) {
+ static isc_result_t
+ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
+ 	    dns_name_t *domain, dns_rdataset_t *nameservers,
+-	    unsigned int options, unsigned int bucketnum, fetchctx_t **fctxp)
++	    unsigned int options, unsigned int bucketnum, unsigned int depth,
++	    fetchctx_t **fctxp)
+ {
+ 	fetchctx_t *fctx;
+ 	isc_result_t result;
+@@ -3545,6 +3574,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
+ 	fctx->state = fetchstate_init;
+ 	fctx->want_shutdown = ISC_FALSE;
+ 	fctx->cloned = ISC_FALSE;
++	fctx->depth = depth;
+ 	ISC_LIST_INIT(fctx->queries);
+ 	ISC_LIST_INIT(fctx->finds);
+ 	ISC_LIST_INIT(fctx->altfinds);
+@@ -3563,6 +3593,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
+ 	fctx->pending = 0;
+ 	fctx->restarts = 0;
+ 	fctx->querysent = 0;
++	fctx->totalqueries = 0;
+ 	fctx->referrals = 0;
+ 	TIME_NOW(&fctx->start);
+ 	fctx->timeouts = 0;
+@@ -7781,6 +7812,7 @@ dns_resolver_create(dns_view_t *view,
+ 	res->spillattimer = NULL;
+ 	res->zero_no_soa_ttl = ISC_FALSE;
+ 	res->query_timeout = DEFAULT_QUERY_TIMEOUT;
++	res->maxdepth = DEFAULT_RECURSION_DEPTH;
+ 	res->nbuckets = ntasks;
+ 	res->activebuckets = ntasks;
+ 	res->buckets = isc_mem_get(view->mctx,
+@@ -8219,9 +8251,9 @@ dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
+ 			 dns_rdataset_t *sigrdataset,
+ 			 dns_fetch_t **fetchp)
+ {
+-	return (dns_resolver_createfetch2(res, name, type, domain,
++	return (dns_resolver_createfetch3(res, name, type, domain,
+ 					  nameservers, forwarders, NULL, 0,
+-					  options, task, action, arg,
++					  options, 0, task, action, arg,
+ 					  rdataset, sigrdataset, fetchp));
+ }
+ 
+@@ -8237,6 +8269,25 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
+ 			  dns_rdataset_t *sigrdataset,
+ 			  dns_fetch_t **fetchp)
+ {
++	return (dns_resolver_createfetch3(res, name, type, domain,
++					  nameservers, forwarders, client, id,
++					  options, 0, task, action, arg,
++					  rdataset, sigrdataset, fetchp));
++}
++
++isc_result_t
++dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name,
++			  dns_rdatatype_t type,
++			  dns_name_t *domain, dns_rdataset_t *nameservers,
++			  dns_forwarders_t *forwarders,
++			  isc_sockaddr_t *client, dns_messageid_t id,
++			  unsigned int options, unsigned int depth,
++			  isc_task_t *task,
++			  isc_taskaction_t action, void *arg,
++			  dns_rdataset_t *rdataset,
++			  dns_rdataset_t *sigrdataset,
++			  dns_fetch_t **fetchp)
++{
+ 	dns_fetch_t *fetch;
+ 	fetchctx_t *fctx = NULL;
+ 	isc_result_t result = ISC_R_SUCCESS;
+@@ -8325,11 +8376,12 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
+ 
+ 	if (fctx == NULL) {
+ 		result = fctx_create(res, name, type, domain, nameservers,
+-				     options, bucketnum, &fctx);
++				     options, bucketnum, depth, &fctx);
+ 		if (result != ISC_R_SUCCESS)
+ 			goto unlock;
+ 		new_fctx = ISC_TRUE;
+-	}
++	} else if (fctx->depth > depth)
++		fctx->depth = depth;
+ 
+ 	result = fctx_join(fctx, task, client, id, action, arg,
+ 			   rdataset, sigrdataset, fetch);
+@@ -9101,3 +9153,15 @@ dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds) {
+ 
+ 	resolver->query_timeout = seconds;
+ }
++
++void
++dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth) {
++	REQUIRE(VALID_RESOLVER(resolver));
++	resolver->maxdepth = maxdepth;
++}
++
++unsigned int
++dns_resolver_getmaxdepth(dns_resolver_t *resolver) {
++	REQUIRE(VALID_RESOLVER(resolver));
++	return (resolver->maxdepth);
++}
+diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
+index bfd4bab..5f8b037 100644
+--- a/lib/isccfg/namedconf.c
++++ b/lib/isccfg/namedconf.c
+@@ -1393,6 +1393,7 @@ view_clauses[] = {
+ 	{ "max-cache-ttl", &cfg_type_uint32, 0 },
+ 	{ "max-clients-per-query", &cfg_type_uint32, 0 },
+ 	{ "max-ncache-ttl", &cfg_type_uint32, 0 },
++	{ "max-recursion-depth", &cfg_type_uint32, 0 },
+ 	{ "max-udp-size", &cfg_type_uint32, 0 },
+ 	{ "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
+ 	{ "minimal-responses", &cfg_type_boolean, 0 },
+-- 
+1.9.1
+
diff --git a/meta/recipes-connectivity/bind/bind_9.9.5.bb b/meta/recipes-connectivity/bind/bind_9.9.5.bb
index a190956..8972723 100644
--- a/meta/recipes-connectivity/bind/bind_9.9.5.bb
+++ b/meta/recipes-connectivity/bind/bind_9.9.5.bb
@@ -14,6 +14,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://mips1-not-support-opcode.diff \
            file://dont-test-on-host.patch \
            file://init.d-add-support-for-read-only-rootfs.patch \
+           file://bind9_9_5-CVE-2014-8500.patch \
 	   "
 
 SRC_URI[md5sum] = "e676c65cad5234617ee22f48e328c24e"
-- 
2.1.0




* [PATCH 10/10] btrfs: create an empty file to build the fs in
  2015-02-05 18:39 [PATCH 00/10][daisy] Patches for Daisy Saul Wold
                   ` (8 preceding siblings ...)
  2015-02-05 18:39 ` [PATCH 09/10] bind: fix for CVE-2014-8500 Saul Wold
@ 2015-02-05 18:39 ` Saul Wold
  9 siblings, 0 replies; 11+ messages in thread
From: Saul Wold @ 2015-02-05 18:39 UTC (permalink / raw)
  To: openembedded-core

The newer btrfs-utils needs an empty file to build the filesystem in, so
create an empty file and use it for the mkfs to build the fs in.

[YOCTO #6804]

Signed-off-by: Saul Wold <sgw@linux.intel.com>
---
 meta/classes/image_types.bbclass | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/classes/image_types.bbclass b/meta/classes/image_types.bbclass
index 99a07da..1ea2c8f 100644
--- a/meta/classes/image_types.bbclass
+++ b/meta/classes/image_types.bbclass
@@ -57,8 +57,8 @@ IMAGE_CMD_ext3 = "oe_mkext234fs ext3 ${EXTRA_IMAGECMD}"
 IMAGE_CMD_ext4 = "oe_mkext234fs ext4 ${EXTRA_IMAGECMD}"
 
 IMAGE_CMD_btrfs () {
-	touch ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.rootfs.btrfs
-	mkfs.btrfs -b `expr ${ROOTFS_SIZE} \* 1024` ${EXTRA_IMAGECMD} -r ${IMAGE_ROOTFS} ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.rootfs.btrfs
+	dd if=/dev/zero of=${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.rootfs.btrfs count=${ROOTFS_SIZE} bs=1024
+	mkfs.btrfs ${EXTRA_IMAGECMD} -r ${IMAGE_ROOTFS} ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.rootfs.btrfs
 }
 
 IMAGE_CMD_squashfs = "mksquashfs ${IMAGE_ROOTFS} ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.rootfs.squashfs ${EXTRA_IMAGECMD} -noappend"
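Review bot: The dd line writes ROOTFS_SIZE KiB of zeros to disk, which is slow for large images, while the commit message only calls for an empty file to build the filesystem in. A sparse file of the same length would do, for example `dd if=/dev/zero of=... seek=${ROOTFS_SIZE} count=0 bs=1024`. With `-b` dropped from mkfs.btrfs the filesystem size is now taken solely from that file, which deserves a one-line comment in the function so the dd is not later simplified back to touch.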
-- 
2.1.0


