24 files changed, 144 insertions, 516 deletions

diff --git a/www/squid/Makefile b/www/squid/Makefile
index c01bb810d8ea..a168b219b975 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -29,7 +29,7 @@
 
 PORTNAME=	squid
 PORTVERSION=	2.5.5
-PORTREVISION=	11
+PORTREVISION=	12
 CATEGORIES=	www
 MASTER_SITES=	\
 		ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
@@ -65,7 +65,8 @@ PATCHFILES=	squid-2.5.STABLE5-ntlm_assert.patch \
 		squid-2.5.STABLE5-dns_localhost.patch \
 		squid-2.5.STABLE5-msnt_auth_doc.patch \
 		squid-2.5.STABLE5-CONNECT_log_size.patch \
-		squid-2.5.STABLE5-proxy_abuse.patch
+		squid-2.5.STABLE5-proxy_abuse.patch \
+		squid-2.5.STABLE5-ntlm_auth_overflow.patch
 PATCH_DIST_STRIP=	-p1
 
 MAINTAINER=	tmseck@netcologne.de
@@ -123,7 +124,7 @@ CONFIGURE_ARGS=	--bindir=${PREFIX}/sbin  --sysconfdir=${PREFIX}/etc/squid \
 
 # Authentication methods and modules:
 
-basic_auth=	NCSA PAM YP MSNT winbind
+basic_auth=	NCSA PAM YP MSNT SMB winbind
 external_acl=	ip_user unix_group wbinfo_group winbind_group
 MAN8+=		pam_auth.8 squid_unix_group.8
 .if defined(WITH_SQUID_LDAP_AUTH)
diff --git a/www/squid/distinfo b/www/squid/distinfo
index 98d0c1344ded..9f798808315e 100644
--- a/www/squid/distinfo
+++ b/www/squid/distinfo
@@ -48,3 +48,5 @@ MD5 (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 9bc3c39ca19ae2a4922d4a
 SIZE (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 2011
 MD5 (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 8b169a288a0491a760f4d04c4f5eab21
 SIZE (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 761
+MD5 (squid2.5/squid-2.5.STABLE5-ntlm_auth_overflow.patch) = 30c7c5e2ba03655dbde9d3e65409baed
+SIZE (squid2.5/squid-2.5.STABLE5-ntlm_auth_overflow.patch) = 3198
diff --git a/www/squid/files/follow_xff-configure.patch b/www/squid/files/follow_xff-configure.patch
index a0920813868d..0cf30da6c147 100644
--- a/www/squid/files/follow_xff-configure.patch
+++ b/www/squid/files/follow_xff-configure.patch
@@ -1,10 +1,23 @@
-!Patch configure directly to enable testing for the
-!--enable-follow-x-forwarding-for configuration option
-!instead of running configure.in through autoconf as in the
-!original follow-XFF patchset from devel.squid-cache.org.
+!Simulate the autotools bootstrap of the follow-x-forwarded-for patchset.
+!
 !Beware that all line number informations in configure.log greater
-!than 2972 are offset by -29 (correcting all line numbers would have
+!than 2972 are offset by at least -29 (correcting all line numbers would have
 !bloated the patch by 92kB!)
+--- include/autoconf.h.in.orig	Sat Jan 18 02:46:11 2003
++++ include/autoconf.h.in	Thu Jun 24 13:19:07 2004
+@@ -291,6 +291,12 @@
+ #define USE_IDENT 1
+ 
+ /*
++ * Compile in support for following X-Forwarded-For headers?
++ * Enabled by default.
++ */
++#define FOLLOW_X_FORWARDED_FOR 1
++
++/*
+  * If your system has statvfs(), and if it actually works!
+  */
+ #undef HAVE_STATVFS
 --- configure.orig	Tue Mar  2 10:18:14 2004
 +++ configure	Tue Mar  2 10:18:56 2004
 @@ -222,6 +222,12 @@
diff --git a/www/squid/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c b/www/squid/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c
deleted file mode 100644
index 54eeeb6bcdeb..000000000000
--- a/www/squid/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c
+++ /dev/null
@@ -1,78 +0,0 @@
-This patch fixes a buffer overflow vulnerability in the NTLM auth
-helper which was reported by iDefense on the 07th June 2004.
-Original advisory:
-<http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false>
-CVE-ID: CAN-2004-0541
-Patch and correction obtained from:
-<http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch>
-<http://www.squid-cache.org/bugs/show_bug.cgi?id=998>
-
---- helpers/ntlm_auth/SMB/libntlmssp.c.orig	Fri Nov 30 10:50:06 2001
-+++ helpers/ntlm_auth/SMB/libntlmssp.c	Fri Jun 18 13:17:35 2004
-@@ -161,7 +161,10 @@ make_challenge(char *domain, char *domai
- #define min(A,B) (A<B?A:B)
- 
- int ntlm_errno;
--static char credentials[1024];	/* we can afford to waste */
-+#define MAX_USERNAME_LEN 255
-+#define MAX_DOMAIN_LEN 255
-+#define MAX_PASSWD_LEN 31
-+static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2];	/* we can afford to waste */
- 
- 
- /* Fetches the user's credentials from the challenge.
-@@ -197,7 +200,7 @@ char *
- ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
- {
-     int rv;
--    char pass[25] /*, encrypted_pass[40] */;
-+    char pass[MAX_PASSWD_LEN+1];
-     char *domain = credentials;
-     char *user;
-     lstring tmp;
-@@ -215,6 +218,11 @@ ntlm_check_auth(ntlm_authenticate * auth
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
-+    if (tmp.l > MAX_DOMAIN_LEN) {
-+	debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-     memcpy(domain, tmp.str, tmp.l);
-     user = domain + tmp.l;
-     *user++ = '\0';
-@@ -226,20 +234,30 @@ ntlm_check_auth(ntlm_authenticate * auth
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
-+    if (tmp.l > MAX_USERNAME_LEN) {
-+	debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-     memcpy(user, tmp.str, tmp.l);
-     *(user + tmp.l) = '\0';
- 
- 		
--		/* Authenticating against the NT response doesn't seem to work... */
-+    /* Authenticating against the NT response doesn't seem to work... */
-     tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse);
-     if (tmp.str == NULL || tmp.l == 0) {
- 	fprintf(stderr, "No auth at all. Returning no-auth\n");
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
--		
-+    if (tmp.l > MAX_PASSWD_LEN) {
-+	debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-+
-     memcpy(pass, tmp.str, tmp.l);
--    pass[25] = '\0';
-+    pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
- 
- #if 1
- 		debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'"
diff --git a/www/squid25/Makefile b/www/squid25/Makefile
index c01bb810d8ea..a168b219b975 100644
--- a/www/squid25/Makefile
+++ b/www/squid25/Makefile
@@ -29,7 +29,7 @@
 
 PORTNAME=	squid
 PORTVERSION=	2.5.5
-PORTREVISION=	11
+PORTREVISION=	12
 CATEGORIES=	www
 MASTER_SITES=	\
 		ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
@@ -65,7 +65,8 @@ PATCHFILES=	squid-2.5.STABLE5-ntlm_assert.patch \
 		squid-2.5.STABLE5-dns_localhost.patch \
 		squid-2.5.STABLE5-msnt_auth_doc.patch \
 		squid-2.5.STABLE5-CONNECT_log_size.patch \
-		squid-2.5.STABLE5-proxy_abuse.patch
+		squid-2.5.STABLE5-proxy_abuse.patch \
+		squid-2.5.STABLE5-ntlm_auth_overflow.patch
 PATCH_DIST_STRIP=	-p1
 
 MAINTAINER=	tmseck@netcologne.de
@@ -123,7 +124,7 @@ CONFIGURE_ARGS=	--bindir=${PREFIX}/sbin  --sysconfdir=${PREFIX}/etc/squid \
 
 # Authentication methods and modules:
 
-basic_auth=	NCSA PAM YP MSNT winbind
+basic_auth=	NCSA PAM YP MSNT SMB winbind
 external_acl=	ip_user unix_group wbinfo_group winbind_group
 MAN8+=		pam_auth.8 squid_unix_group.8
 .if defined(WITH_SQUID_LDAP_AUTH)
diff --git a/www/squid25/distinfo b/www/squid25/distinfo
index 98d0c1344ded..9f798808315e 100644
--- a/www/squid25/distinfo
+++ b/www/squid25/distinfo
@@ -48,3 +48,5 @@ MD5 (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 9bc3c39ca19ae2a4922d4a
 SIZE (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 2011
 MD5 (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 8b169a288a0491a760f4d04c4f5eab21
 SIZE (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 761
+MD5 (squid2.5/squid-2.5.STABLE5-ntlm_auth_overflow.patch) = 30c7c5e2ba03655dbde9d3e65409baed
+SIZE (squid2.5/squid-2.5.STABLE5-ntlm_auth_overflow.patch) = 3198
diff --git a/www/squid25/files/follow_xff-configure.patch b/www/squid25/files/follow_xff-configure.patch
index a0920813868d..0cf30da6c147 100644
--- a/www/squid25/files/follow_xff-configure.patch
+++ b/www/squid25/files/follow_xff-configure.patch
@@ -1,10 +1,23 @@
-!Patch configure directly to enable testing for the
-!--enable-follow-x-forwarding-for configuration option
-!instead of running configure.in through autoconf as in the
-!original follow-XFF patchset from devel.squid-cache.org.
+!Simulate the autotools bootstrap of the follow-x-forwarded-for patchset.
+!
 !Beware that all line number informations in configure.log greater
-!than 2972 are offset by -29 (correcting all line numbers would have
+!than 2972 are offset by at least -29 (correcting all line numbers would have
 !bloated the patch by 92kB!)
+--- include/autoconf.h.in.orig	Sat Jan 18 02:46:11 2003
++++ include/autoconf.h.in	Thu Jun 24 13:19:07 2004
+@@ -291,6 +291,12 @@
+ #define USE_IDENT 1
+ 
+ /*
++ * Compile in support for following X-Forwarded-For headers?
++ * Enabled by default.
++ */
++#define FOLLOW_X_FORWARDED_FOR 1
++
++/*
+  * If your system has statvfs(), and if it actually works!
+  */
+ #undef HAVE_STATVFS
 --- configure.orig	Tue Mar  2 10:18:14 2004
 +++ configure	Tue Mar  2 10:18:56 2004
 @@ -222,6 +222,12 @@
diff --git a/www/squid25/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c b/www/squid25/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c
deleted file mode 100644
index 54eeeb6bcdeb..000000000000
--- a/www/squid25/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c
+++ /dev/null
@@ -1,78 +0,0 @@
-This patch fixes a buffer overflow vulnerability in the NTLM auth
-helper which was reported by iDefense on the 07th June 2004.
-Original advisory:
-<http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false>
-CVE-ID: CAN-2004-0541
-Patch and correction obtained from:
-<http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch>
-<http://www.squid-cache.org/bugs/show_bug.cgi?id=998>
-
---- helpers/ntlm_auth/SMB/libntlmssp.c.orig	Fri Nov 30 10:50:06 2001
-+++ helpers/ntlm_auth/SMB/libntlmssp.c	Fri Jun 18 13:17:35 2004
-@@ -161,7 +161,10 @@ make_challenge(char *domain, char *domai
- #define min(A,B) (A<B?A:B)
- 
- int ntlm_errno;
--static char credentials[1024];	/* we can afford to waste */
-+#define MAX_USERNAME_LEN 255
-+#define MAX_DOMAIN_LEN 255
-+#define MAX_PASSWD_LEN 31
-+static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2];	/* we can afford to waste */
- 
- 
- /* Fetches the user's credentials from the challenge.
-@@ -197,7 +200,7 @@ char *
- ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
- {
-     int rv;
--    char pass[25] /*, encrypted_pass[40] */;
-+    char pass[MAX_PASSWD_LEN+1];
-     char *domain = credentials;
-     char *user;
-     lstring tmp;
-@@ -215,6 +218,11 @@ ntlm_check_auth(ntlm_authenticate * auth
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
-+    if (tmp.l > MAX_DOMAIN_LEN) {
-+	debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-     memcpy(domain, tmp.str, tmp.l);
-     user = domain + tmp.l;
-     *user++ = '\0';
-@@ -226,20 +234,30 @@ ntlm_check_auth(ntlm_authenticate * auth
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
-+    if (tmp.l > MAX_USERNAME_LEN) {
-+	debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-     memcpy(user, tmp.str, tmp.l);
-     *(user + tmp.l) = '\0';
- 
- 		
--		/* Authenticating against the NT response doesn't seem to work... */
-+    /* Authenticating against the NT response doesn't seem to work... */
-     tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse);
-     if (tmp.str == NULL || tmp.l == 0) {
- 	fprintf(stderr, "No auth at all. Returning no-auth\n");
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
--		
-+    if (tmp.l > MAX_PASSWD_LEN) {
-+	debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-+
-     memcpy(pass, tmp.str, tmp.l);
--    pass[25] = '\0';
-+    pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
- 
- #if 1
- 		debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'"
diff --git a/www/squid26/Makefile b/www/squid26/Makefile
index c01bb810d8ea..a168b219b975 100644
--- a/www/squid26/Makefile
+++ b/www/squid26/Makefile
@@ -29,7 +29,7 @@
 
 PORTNAME=	squid
 PORTVERSION=	2.5.5
-PORTREVISION=	11
+PORTREVISION=	12
 CATEGORIES=	www
 MASTER_SITES=	\
 		ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
@@ -65,7 +65,8 @@ PATCHFILES=	squid-2.5.STABLE5-ntlm_assert.patch \
 		squid-2.5.STABLE5-dns_localhost.patch \
 		squid-2.5.STABLE5-msnt_auth_doc.patch \
 		squid-2.5.STABLE5-CONNECT_log_size.patch \
-		squid-2.5.STABLE5-proxy_abuse.patch
+		squid-2.5.STABLE5-proxy_abuse.patch \
+		squid-2.5.STABLE5-ntlm_auth_overflow.patch
 PATCH_DIST_STRIP=	-p1
 
 MAINTAINER=	tmseck@netcologne.de
@@ -123,7 +124,7 @@ CONFIGURE_ARGS=	--bindir=${PREFIX}/sbin  --sysconfdir=${PREFIX}/etc/squid \
 
 # Authentication methods and modules:
 
-basic_auth=	NCSA PAM YP MSNT winbind
+basic_auth=	NCSA PAM YP MSNT SMB winbind
 external_acl=	ip_user unix_group wbinfo_group winbind_group
 MAN8+=		pam_auth.8 squid_unix_group.8
 .if defined(WITH_SQUID_LDAP_AUTH)
diff --git a/www/squid26/distinfo b/www/squid26/distinfo
index 98d0c1344ded..9f798808315e 100644
--- a/www/squid26/distinfo
+++ b/www/squid26/distinfo
@@ -48,3 +48,5 @@ MD5 (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 9bc3c39ca19ae2a4922d4a
 SIZE (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 2011
 MD5 (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 8b169a288a0491a760f4d04c4f5eab21
 SIZE (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 761
+MD5 (squid2.5/squid-2.5.STABLE5-ntlm_auth_overflow.patch) = 30c7c5e2ba03655dbde9d3e65409baed
+SIZE (squid2.5/squid-2.5.STABLE5-ntlm_auth_overflow.patch) = 3198
diff --git a/www/squid26/files/follow_xff-configure.patch b/www/squid26/files/follow_xff-configure.patch
index a0920813868d..0cf30da6c147 100644
--- a/www/squid26/files/follow_xff-configure.patch
+++ b/www/squid26/files/follow_xff-configure.patch
@@ -1,10 +1,23 @@
-!Patch configure directly to enable testing for the
-!--enable-follow-x-forwarding-for configuration option
-!instead of running configure.in through autoconf as in the
-!original follow-XFF patchset from devel.squid-cache.org.
+!Simulate the autotools bootstrap of the follow-x-forwarded-for patchset.
+!
 !Beware that all line number informations in configure.log greater
-!than 2972 are offset by -29 (correcting all line numbers would have
+!than 2972 are offset by at least -29 (correcting all line numbers would have
 !bloated the patch by 92kB!)
+--- include/autoconf.h.in.orig	Sat Jan 18 02:46:11 2003
++++ include/autoconf.h.in	Thu Jun 24 13:19:07 2004
+@@ -291,6 +291,12 @@
+ #define USE_IDENT 1
+ 
+ /*
++ * Compile in support for following X-Forwarded-For headers?
++ * Enabled by default.
++ */
++#define FOLLOW_X_FORWARDED_FOR 1
++
++/*
+  * If your system has statvfs(), and if it actually works!
+  */
+ #undef HAVE_STATVFS
 --- configure.orig	Tue Mar  2 10:18:14 2004
 +++ configure	Tue Mar  2 10:18:56 2004
 @@ -222,6 +222,12 @@
diff --git a/www/squid26/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c b/www/squid26/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c
deleted file mode 100644
index 54eeeb6bcdeb..000000000000
--- a/www/squid26/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c
+++ /dev/null
@@ -1,78 +0,0 @@
-This patch fixes a buffer overflow vulnerability in the NTLM auth
-helper which was reported by iDefense on the 07th June 2004.
-Original advisory:
-<http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false>
-CVE-ID: CAN-2004-0541
-Patch and correction obtained from:
-<http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch>
-<http://www.squid-cache.org/bugs/show_bug.cgi?id=998>
-
---- helpers/ntlm_auth/SMB/libntlmssp.c.orig	Fri Nov 30 10:50:06 2001
-+++ helpers/ntlm_auth/SMB/libntlmssp.c	Fri Jun 18 13:17:35 2004
-@@ -161,7 +161,10 @@ make_challenge(char *domain, char *domai
- #define min(A,B) (A<B?A:B)
- 
- int ntlm_errno;
--static char credentials[1024];	/* we can afford to waste */
-+#define MAX_USERNAME_LEN 255
-+#define MAX_DOMAIN_LEN 255
-+#define MAX_PASSWD_LEN 31
-+static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2];	/* we can afford to waste */
- 
- 
- /* Fetches the user's credentials from the challenge.
-@@ -197,7 +200,7 @@ char *
- ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
- {
-     int rv;
--    char pass[25] /*, encrypted_pass[40] */;
-+    char pass[MAX_PASSWD_LEN+1];
-     char *domain = credentials;
-     char *user;
-     lstring tmp;
-@@ -215,6 +218,11 @@ ntlm_check_auth(ntlm_authenticate * auth
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
-+    if (tmp.l > MAX_DOMAIN_LEN) {
-+	debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-     memcpy(domain, tmp.str, tmp.l);
-     user = domain + tmp.l;
-     *user++ = '\0';
-@@ -226,20 +234,30 @@ ntlm_check_auth(ntlm_authenticate * auth
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
-+    if (tmp.l > MAX_USERNAME_LEN) {
-+	debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-     memcpy(user, tmp.str, tmp.l);
-     *(user + tmp.l) = '\0';
- 
- 		
--		/* Authenticating against the NT response doesn't seem to work... */
-+    /* Authenticating against the NT response doesn't seem to work... */
-     tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse);
-     if (tmp.str == NULL || tmp.l == 0) {
- 	fprintf(stderr, "No auth at all. Returning no-auth\n");
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
--		
-+    if (tmp.l > MAX_PASSWD_LEN) {
-+	debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-+
-     memcpy(pass, tmp.str, tmp.l);
--    pass[25] = '\0';
-+    pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
- 
- #if 1
- 		debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'"
diff --git a/www/squid27/Makefile b/www/squid27/Makefile
index c01bb810d8ea..a168b219b975 100644
--- a/www/squid27/Makefile
+++ b/www/squid27/Makefile
@@ -29,7 +29,7 @@
 
 PORTNAME=	squid
 PORTVERSION=	2.5.5
-PORTREVISION=	11
+PORTREVISION=	12
 CATEGORIES=	www
 MASTER_SITES=	\
 		ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
@@ -65,7 +65,8 @@ PATCHFILES=	squid-2.5.STABLE5-ntlm_assert.patch \
 		squid-2.5.STABLE5-dns_localhost.patch \
 		squid-2.5.STABLE5-msnt_auth_doc.patch \
 		squid-2.5.STABLE5-CONNECT_log_size.patch \
-		squid-2.5.STABLE5-proxy_abuse.patch
+		squid-2.5.STABLE5-proxy_abuse.patch \
+		squid-2.5.STABLE5-ntlm_auth_overflow.patch
 PATCH_DIST_STRIP=	-p1
 
 MAINTAINER=	tmseck@netcologne.de
@@ -123,7 +124,7 @@ CONFIGURE_ARGS=	--bindir=${PREFIX}/sbin  --sysconfdir=${PREFIX}/etc/squid \
 
 # Authentication methods and modules:
 
-basic_auth=	NCSA PAM YP MSNT winbind
+basic_auth=	NCSA PAM YP MSNT SMB winbind
 external_acl=	ip_user unix_group wbinfo_group winbind_group
 MAN8+=		pam_auth.8 squid_unix_group.8
 .if defined(WITH_SQUID_LDAP_AUTH)
diff --git a/www/squid27/distinfo b/www/squid27/distinfo
index 98d0c1344ded..9f798808315e 100644
--- a/www/squid27/distinfo
+++ b/www/squid27/distinfo
@@ -48,3 +48,5 @@ MD5 (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 9bc3c39ca19ae2a4922d4a
 SIZE (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 2011
 MD5 (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 8b169a288a0491a760f4d04c4f5eab21
 SIZE (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 761
+MD5 (squid2.5/squid-2.5.STABLE5-ntlm_auth_overflow.patch) = 30c7c5e2ba03655dbde9d3e65409baed
+SIZE (squid2.5/squid-2.5.STABLE5-ntlm_auth_overflow.patch) = 3198
diff --git a/www/squid27/files/follow_xff-configure.patch b/www/squid27/files/follow_xff-configure.patch
index a0920813868d..0cf30da6c147 100644
--- a/www/squid27/files/follow_xff-configure.patch
+++ b/www/squid27/files/follow_xff-configure.patch
@@ -1,10 +1,23 @@
-!Patch configure directly to enable testing for the
-!--enable-follow-x-forwarding-for configuration option
-!instead of running configure.in through autoconf as in the
-!original follow-XFF patchset from devel.squid-cache.org.
+!Simulate the autotools bootstrap of the follow-x-forwarded-for patchset.
+!
 !Beware that all line number informations in configure.log greater
-!than 2972 are offset by -29 (correcting all line numbers would have
+!than 2972 are offset by at least -29 (correcting all line numbers would have
 !bloated the patch by 92kB!)
+--- include/autoconf.h.in.orig	Sat Jan 18 02:46:11 2003
++++ include/autoconf.h.in	Thu Jun 24 13:19:07 2004
+@@ -291,6 +291,12 @@
+ #define USE_IDENT 1
+ 
+ /*
++ * Compile in support for following X-Forwarded-For headers?
++ * Enabled by default.
++ */
++#define FOLLOW_X_FORWARDED_FOR 1
++
++/*
+  * If your system has statvfs(), and if it actually works!
+  */
+ #undef HAVE_STATVFS
 --- configure.orig	Tue Mar  2 10:18:14 2004
 +++ configure	Tue Mar  2 10:18:56 2004
 @@ -222,6 +222,12 @@
diff --git a/www/squid27/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c b/www/squid27/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c
deleted file mode 100644
index 54eeeb6bcdeb..000000000000
--- a/www/squid27/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c
+++ /dev/null
@@ -1,78 +0,0 @@
-This patch fixes a buffer overflow vulnerability in the NTLM auth
-helper which was reported by iDefense on the 07th June 2004.
-Original advisory:
-<http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false>
-CVE-ID: CAN-2004-0541
-Patch and correction obtained from:
-<http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch>
-<http://www.squid-cache.org/bugs/show_bug.cgi?id=998>
-
---- helpers/ntlm_auth/SMB/libntlmssp.c.orig	Fri Nov 30 10:50:06 2001
-+++ helpers/ntlm_auth/SMB/libntlmssp.c	Fri Jun 18 13:17:35 2004
-@@ -161,7 +161,10 @@ make_challenge(char *domain, char *domai
- #define min(A,B) (A<B?A:B)
- 
- int ntlm_errno;
--static char credentials[1024];	/* we can afford to waste */
-+#define MAX_USERNAME_LEN 255
-+#define MAX_DOMAIN_LEN 255
-+#define MAX_PASSWD_LEN 31
-+static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2];	/* we can afford to waste */
- 
- 
- /* Fetches the user's credentials from the challenge.
-@@ -197,7 +200,7 @@ char *
- ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
- {
-     int rv;
--    char pass[25] /*, encrypted_pass[40] */;
-+    char pass[MAX_PASSWD_LEN+1];
-     char *domain = credentials;
-     char *user;
-     lstring tmp;
-@@ -215,6 +218,11 @@ ntlm_check_auth(ntlm_authenticate * auth
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
-+    if (tmp.l > MAX_DOMAIN_LEN) {
-+	debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-     memcpy(domain, tmp.str, tmp.l);
-     user = domain + tmp.l;
-     *user++ = '\0';
-@@ -226,20 +234,30 @@ ntlm_check_auth(ntlm_authenticate * auth
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
-+    if (tmp.l > MAX_USERNAME_LEN) {
-+	debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-     memcpy(user, tmp.str, tmp.l);
-     *(user + tmp.l) = '\0';
- 
- 		
--		/* Authenticating against the NT response doesn't seem to work... */
-+    /* Authenticating against the NT response doesn't seem to work... */
-     tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse);
-     if (tmp.str == NULL || tmp.l == 0) {
- 	fprintf(stderr, "No auth at all. Returning no-auth\n");
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
--		
-+    if (tmp.l > MAX_PASSWD_LEN) {
-+	debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-+
-     memcpy(pass, tmp.str, tmp.l);
--    pass[25] = '\0';
-+    pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
- 
- #if 1
- 		debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'"
diff --git a/www/squid30/Makefile b/www/squid30/Makefile
index c01bb810d8ea..a168b219b975 100644
--- a/www/squid30/Makefile
+++ b/www/squid30/Makefile
@@ -29,7 +29,7 @@
 
 PORTNAME=	squid
 PORTVERSION=	2.5.5
-PORTREVISION=	11
+PORTREVISION=	12
 CATEGORIES=	www
 MASTER_SITES=	\
 		ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
@@ -65,7 +65,8 @@ PATCHFILES=	squid-2.5.STABLE5-ntlm_assert.patch \
 		squid-2.5.STABLE5-dns_localhost.patch \
 		squid-2.5.STABLE5-msnt_auth_doc.patch \
 		squid-2.5.STABLE5-CONNECT_log_size.patch \
-		squid-2.5.STABLE5-proxy_abuse.patch
+		squid-2.5.STABLE5-proxy_abuse.patch \
+		squid-2.5.STABLE5-ntlm_auth_overflow.patch
 PATCH_DIST_STRIP=	-p1
 
 MAINTAINER=	tmseck@netcologne.de
@@ -123,7 +124,7 @@ CONFIGURE_ARGS=	--bindir=${PREFIX}/sbin  --sysconfdir=${PREFIX}/etc/squid \
 
 # Authentication methods and modules:
 
-basic_auth=	NCSA PAM YP MSNT winbind
+basic_auth=	NCSA PAM YP MSNT SMB winbind
 external_acl=	ip_user unix_group wbinfo_group winbind_group
 MAN8+=		pam_auth.8 squid_unix_group.8
 .if defined(WITH_SQUID_LDAP_AUTH)
diff --git a/www/squid30/distinfo b/www/squid30/distinfo
index 98d0c1344ded..9f798808315e 100644
--- a/www/squid30/distinfo
+++ b/www/squid30/distinfo
@@ -48,3 +48,5 @@ MD5 (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 9bc3c39ca19ae2a4922d4a
 SIZE (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 2011
 MD5 (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 8b169a288a0491a760f4d04c4f5eab21
 SIZE (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 761
+MD5 (squid2.5/squid-2.5.STABLE5-ntlm_auth_overflow.patch) = 30c7c5e2ba03655dbde9d3e65409baed
+SIZE (squid2.5/squid-2.5.STABLE5-ntlm_auth_overflow.patch) = 3198
diff --git a/www/squid30/files/follow_xff-configure.patch b/www/squid30/files/follow_xff-configure.patch
index a0920813868d..0cf30da6c147 100644
--- a/www/squid30/files/follow_xff-configure.patch
+++ b/www/squid30/files/follow_xff-configure.patch
@@ -1,10 +1,23 @@
-!Patch configure directly to enable testing for the
-!--enable-follow-x-forwarding-for configuration option
-!instead of running configure.in through autoconf as in the
-!original follow-XFF patchset from devel.squid-cache.org.
+!Simulate the autotools bootstrap of the follow-x-forwarded-for patchset.
+!
 !Beware that all line number informations in configure.log greater
-!than 2972 are offset by -29 (correcting all line numbers would have
+!than 2972 are offset by at least -29 (correcting all line numbers would have
 !bloated the patch by 92kB!)
+--- include/autoconf.h.in.orig	Sat Jan 18 02:46:11 2003
++++ include/autoconf.h.in	Thu Jun 24 13:19:07 2004
+@@ -291,6 +291,12 @@
+ #define USE_IDENT 1
+ 
+ /*
++ * Compile in support for following X-Forwarded-For headers?
++ * Enabled by default.
++ */
++#define FOLLOW_X_FORWARDED_FOR 1
++
++/*
+  * If your system has statvfs(), and if it actually works!
+  */
+ #undef HAVE_STATVFS
 --- configure.orig	Tue Mar  2 10:18:14 2004
 +++ configure	Tue Mar  2 10:18:56 2004
 @@ -222,6 +222,12 @@
diff --git a/www/squid30/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c b/www/squid30/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c
deleted file mode 100644
index 54eeeb6bcdeb..000000000000
--- a/www/squid30/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c
+++ /dev/null
@@ -1,78 +0,0 @@
-This patch fixes a buffer overflow vulnerability in the NTLM auth
-helper which was reported by iDefense on the 07th June 2004.
-Original advisory:
-<http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false>
-CVE-ID: CAN-2004-0541
-Patch and correction obtained from:
-<http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch>
-<http://www.squid-cache.org/bugs/show_bug.cgi?id=998>
-
---- helpers/ntlm_auth/SMB/libntlmssp.c.orig	Fri Nov 30 10:50:06 2001
-+++ helpers/ntlm_auth/SMB/libntlmssp.c	Fri Jun 18 13:17:35 2004
-@@ -161,7 +161,10 @@ make_challenge(char *domain, char *domai
- #define min(A,B) (A<B?A:B)
- 
- int ntlm_errno;
--static char credentials[1024];	/* we can afford to waste */
-+#define MAX_USERNAME_LEN 255
-+#define MAX_DOMAIN_LEN 255
-+#define MAX_PASSWD_LEN 31
-+static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2];	/* we can afford to waste */
- 
- 
- /* Fetches the user's credentials from the challenge.
-@@ -197,7 +200,7 @@ char *
- ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
- {
-     int rv;
--    char pass[25] /*, encrypted_pass[40] */;
-+    char pass[MAX_PASSWD_LEN+1];
-     char *domain = credentials;
-     char *user;
-     lstring tmp;
-@@ -215,6 +218,11 @@ ntlm_check_auth(ntlm_authenticate * auth
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
-+    if (tmp.l > MAX_DOMAIN_LEN) {
-+	debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-     memcpy(domain, tmp.str, tmp.l);
-     user = domain + tmp.l;
-     *user++ = '\0';
-@@ -226,20 +234,30 @@ ntlm_check_auth(ntlm_authenticate * auth
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
-+    if (tmp.l > MAX_USERNAME_LEN) {
-+	debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-     memcpy(user, tmp.str, tmp.l);
-     *(user + tmp.l) = '\0';
- 
- 		
--		/* Authenticating against the NT response doesn't seem to work... */
-+    /* Authenticating against the NT response doesn't seem to work... */
-     tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse);
-     if (tmp.str == NULL || tmp.l == 0) {
- 	fprintf(stderr, "No auth at all. Returning no-auth\n");
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
--		
-+    if (tmp.l > MAX_PASSWD_LEN) {
-+	debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-+
-     memcpy(pass, tmp.str, tmp.l);
--    pass[25] = '\0';
-+    pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
- 
- #if 1
- 		debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'"
diff --git a/www/squid31/Makefile b/www/squid31/Makefile
index c01bb810d8ea..a168b219b975 100644
--- a/www/squid31/Makefile
+++ b/www/squid31/Makefile
@@ -29,7 +29,7 @@
 
 PORTNAME=	squid
 PORTVERSION=	2.5.5
-PORTREVISION=	11
+PORTREVISION=	12
 CATEGORIES=	www
 MASTER_SITES=	\
 		ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
@@ -65,7 +65,8 @@ PATCHFILES=	squid-2.5.STABLE5-ntlm_assert.patch \
 		squid-2.5.STABLE5-dns_localhost.patch \
 		squid-2.5.STABLE5-msnt_auth_doc.patch \
 		squid-2.5.STABLE5-CONNECT_log_size.patch \
-		squid-2.5.STABLE5-proxy_abuse.patch
+		squid-2.5.STABLE5-proxy_abuse.patch \
+		squid-2.5.STABLE5-ntlm_auth_overflow.patch
 PATCH_DIST_STRIP=	-p1
 
 MAINTAINER=	tmseck@netcologne.de
@@ -123,7 +124,7 @@ CONFIGURE_ARGS=	--bindir=${PREFIX}/sbin  --sysconfdir=${PREFIX}/etc/squid \
 
 # Authentication methods and modules:
 
-basic_auth=	NCSA PAM YP MSNT winbind
+basic_auth=	NCSA PAM YP MSNT SMB winbind
 external_acl=	ip_user unix_group wbinfo_group winbind_group
 MAN8+=		pam_auth.8 squid_unix_group.8
 .if defined(WITH_SQUID_LDAP_AUTH)
diff --git a/www/squid31/distinfo b/www/squid31/distinfo
index 98d0c1344ded..9f798808315e 100644
--- a/www/squid31/distinfo
+++ b/www/squid31/distinfo
@@ -48,3 +48,5 @@ MD5 (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 9bc3c39ca19ae2a4922d4a
 SIZE (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 2011
 MD5 (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 8b169a288a0491a760f4d04c4f5eab21
 SIZE (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 761
+MD5 (squid2.5/squid-2.5.STABLE5-ntlm_auth_overflow.patch) = 30c7c5e2ba03655dbde9d3e65409baed
+SIZE (squid2.5/squid-2.5.STABLE5-ntlm_auth_overflow.patch) = 3198
diff --git a/www/squid31/files/follow_xff-configure.patch b/www/squid31/files/follow_xff-configure.patch
index a0920813868d..0cf30da6c147 100644
--- a/www/squid31/files/follow_xff-configure.patch
+++ b/www/squid31/files/follow_xff-configure.patch
@@ -1,10 +1,23 @@
-!Patch configure directly to enable testing for the
-!--enable-follow-x-forwarding-for configuration option
-!instead of running configure.in through autoconf as in the
-!original follow-XFF patchset from devel.squid-cache.org.
+!Simulate the autotools bootstrap of the follow-x-forwarded-for patchset.
+!
 !Beware that all line number informations in configure.log greater
-!than 2972 are offset by -29 (correcting all line numbers would have
+!than 2972 are offset by at least -29 (correcting all line numbers would have
 !bloated the patch by 92kB!)
+--- include/autoconf.h.in.orig	Sat Jan 18 02:46:11 2003
++++ include/autoconf.h.in	Thu Jun 24 13:19:07 2004
+@@ -291,6 +291,12 @@
+ #define USE_IDENT 1
+ 
+ /*
++ * Compile in support for following X-Forwarded-For headers?
++ * Enabled by default.
++ */
++#define FOLLOW_X_FORWARDED_FOR 1
++
++/*
+  * If your system has statvfs(), and if it actually works!
+  */
+ #undef HAVE_STATVFS
 --- configure.orig	Tue Mar  2 10:18:14 2004
 +++ configure	Tue Mar  2 10:18:56 2004
 @@ -222,6 +222,12 @@
diff --git a/www/squid31/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c b/www/squid31/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c
deleted file mode 100644
index 54eeeb6bcdeb..000000000000
--- a/www/squid31/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c
+++ /dev/null
@@ -1,78 +0,0 @@
-This patch fixes a buffer overflow vulnerability in the NTLM auth
-helper which was reported by iDefense on the 07th June 2004.
-Original advisory:
-<http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false>
-CVE-ID: CAN-2004-0541
-Patch and correction obtained from:
-<http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch>
-<http://www.squid-cache.org/bugs/show_bug.cgi?id=998>
-
---- helpers/ntlm_auth/SMB/libntlmssp.c.orig	Fri Nov 30 10:50:06 2001
-+++ helpers/ntlm_auth/SMB/libntlmssp.c	Fri Jun 18 13:17:35 2004
-@@ -161,7 +161,10 @@ make_challenge(char *domain, char *domai
- #define min(A,B) (A<B?A:B)
- 
- int ntlm_errno;
--static char credentials[1024];	/* we can afford to waste */
-+#define MAX_USERNAME_LEN 255
-+#define MAX_DOMAIN_LEN 255
-+#define MAX_PASSWD_LEN 31
-+static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2];	/* we can afford to waste */
- 
- 
- /* Fetches the user's credentials from the challenge.
-@@ -197,7 +200,7 @@ char *
- ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
- {
-     int rv;
--    char pass[25] /*, encrypted_pass[40] */;
-+    char pass[MAX_PASSWD_LEN+1];
-     char *domain = credentials;
-     char *user;
-     lstring tmp;
-@@ -215,6 +218,11 @@ ntlm_check_auth(ntlm_authenticate * auth
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
-+    if (tmp.l > MAX_DOMAIN_LEN) {
-+	debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-     memcpy(domain, tmp.str, tmp.l);
-     user = domain + tmp.l;
-     *user++ = '\0';
-@@ -226,20 +234,30 @@ ntlm_check_auth(ntlm_authenticate * auth
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
-+    if (tmp.l > MAX_USERNAME_LEN) {
-+	debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-     memcpy(user, tmp.str, tmp.l);
-     *(user + tmp.l) = '\0';
- 
- 		
--		/* Authenticating against the NT response doesn't seem to work... */
-+    /* Authenticating against the NT response doesn't seem to work... */
-     tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse);
-     if (tmp.str == NULL || tmp.l == 0) {
- 	fprintf(stderr, "No auth at all. Returning no-auth\n");
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
--		
-+    if (tmp.l > MAX_PASSWD_LEN) {
-+	debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-+
-     memcpy(pass, tmp.str, tmp.l);
--    pass[25] = '\0';
-+    pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
- 
- #if 1
- 		debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'"