Security fix for CVE-2009-2957,2958

ok jasper@

net/dnsmasq/Makefile

@@ -1,8 +1,9 @@
-# $OpenBSD: Makefile,v 1.14 2009/06/14 17:07:25 kili Exp $
+# $OpenBSD: Makefile,v 1.15 2009/08/31 18:01:01 rui Exp $
 
 COMMENT=	caching DNS forwarder and DHCP server
 
 DISTNAME=	dnsmasq-2.49
+PKGNAME=	${DISTNAME}p0
 CATEGORIES=	net
 
 MAINTAINER=	Rui Reis <rui@openbsd.org>

net/dnsmasq/patches/patch-src_tftp_c

@@ -1,6 +1,76 @@
-$OpenBSD: patch-src_tftp_c,v 1.5 2009/06/14 17:07:25 kili Exp $
---- src/tftp.c.orig	Mon Jun  8 23:12:43 2009
-+++ src/tftp.c	Sat Jun 13 12:05:54 2009
+$OpenBSD: patch-src_tftp_c,v 1.6 2009/08/31 18:01:01 rui Exp $
+
+CVE-2009-2957,2958
+plus gcc2 fixes to struct errmess, struct oackmess, struct datamess from kili
+
+--- src/tftp.c.orig	Mon Jun  8 22:12:43 2009
++++ src/tftp.c	Sun Aug 30 22:21:35 2009
+@@ -192,20 +192,21 @@ void tftp_request(struct listener *listen, time_t now)
+       
+       while ((opt = next(&p, end)))
+ 	{
+-	  if (strcasecmp(opt, "blksize") == 0 &&
+-	      (opt = next(&p, end)) &&
+-	      !(daemon->options & OPT_TFTP_NOBLOCK))
++	  if (strcasecmp(opt, "blksize") == 0)
+ 	    {
+-	      transfer->blocksize = atoi(opt);
+-	      if (transfer->blocksize < 1)
+-		transfer->blocksize = 1;
+-	      if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
+-		transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
+-	      transfer->opt_blocksize = 1;
+-	      transfer->block = 0;
++	      if ((opt = next(&p, end)) &&
++		  !(daemon->options & OPT_TFTP_NOBLOCK))
++		{
++		  transfer->blocksize = atoi(opt);
++		  if (transfer->blocksize < 1)
++		    transfer->blocksize = 1;
++		  if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
++		    transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
++		  transfer->opt_blocksize = 1;
++		  transfer->block = 0;
++		}
+ 	    }
+-	  
+-	  if (strcasecmp(opt, "tsize") == 0 && next(&p, end) && !transfer->netascii)
++	  else if (strcasecmp(opt, "tsize") == 0 && next(&p, end) && !transfer->netascii)
+ 	    {
+ 	      transfer->opt_transize = 1;
+ 	      transfer->block = 0;
+@@ -217,17 +218,17 @@ void tftp_request(struct listener *listen, time_t now)
+ 	{
+ 	  if (daemon->tftp_prefix[0] == '/')
+ 	    daemon->namebuff[0] = 0;
+-	  strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME);
++	  strncat(daemon->namebuff, daemon->tftp_prefix, (MAXDNAME-1) - strlen(daemon->namebuff));
+ 	  if (daemon->tftp_prefix[strlen(daemon->tftp_prefix)-1] != '/')
+-	    strncat(daemon->namebuff, "/", MAXDNAME);
++	    strncat(daemon->namebuff, "/", (MAXDNAME-1) - strlen(daemon->namebuff));
+ 
+ 	  if (daemon->options & OPT_TFTP_APREF)
+ 	    {
+ 	      size_t oldlen = strlen(daemon->namebuff);
+ 	      struct stat statbuf;
+ 	      
+-	      strncat(daemon->namebuff, inet_ntoa(peer.sin_addr), MAXDNAME);
+-	      strncat(daemon->namebuff, "/", MAXDNAME);
++	      strncat(daemon->namebuff, inet_ntoa(peer.sin_addr), (MAXDNAME-1) - strlen(daemon->namebuff));
++	      strncat(daemon->namebuff, "/", (MAXDNAME-1) - strlen(daemon->namebuff));
+ 	      
+ 	      /* remove unique-directory if it doesn't exist */
+ 	      if (stat(daemon->namebuff, &statbuf) == -1 || !S_ISDIR(statbuf.st_mode))
+@@ -245,8 +246,7 @@ void tftp_request(struct listener *listen, time_t now)
+ 	}
+       else if (filename[0] == '/')
+ 	daemon->namebuff[0] = 0;
+-      strncat(daemon->namebuff, filename, MAXDNAME);
+-      daemon->namebuff[MAXDNAME-1] = 0;
++      strncat(daemon->namebuff, filename, (MAXDNAME-1) - strlen(daemon->namebuff));
+ 
+       /* check permissions and open file */
+       if ((transfer->file = check_tftp_fileperm(&len)))
 @@ -481,7 +481,7 @@ static ssize_t tftp_err(int err, char *packet, char *m
  {
    struct errmess {