[Feature]add MT2731_MP2_MR2_SVN388 baseline version
Change-Id: Ief04314834b31e27effab435d3ca8ba33b499059
diff --git a/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/0001-Bug-4843-pt1-ext_edirectory_userip_acl-refactoring-f.patch b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/0001-Bug-4843-pt1-ext_edirectory_userip_acl-refactoring-f.patch
new file mode 100644
index 0000000..001d9e9
--- /dev/null
+++ b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/0001-Bug-4843-pt1-ext_edirectory_userip_acl-refactoring-f.patch
@@ -0,0 +1,506 @@
+From 01a44c96dbd04936e9cb2501745a834a0b09d504 Mon Sep 17 00:00:00 2001
+From: Amos Jeffries <yadij@users.noreply.github.com>
+Date: Sun, 13 May 2018 06:57:41 +0000
+Subject: [PATCH] Bug 4843 pt1: ext_edirectory_userip_acl refactoring for GCC-8
+ (#204)
+
+Proposed changes to this helper to fix strcat / strncat buffer
+overread / overflow issues.
+
+The approach takes three parts:
+
+* adds a makeHexString function to replace many for-loops
+ catenating bits of strings together with hex conversion into a
+ second buffer. Replacing with a snprintf() and buffer overflow
+ handling.
+
+* a copy of Ip::Address::lookupHostIp to convert the input
+ string into IP address binary format, then generate the hex
+ string using the above new hex function instead of looped
+ sub-string concatenations across several buffers.
+ This removes all the "00" and "0000" strncat() calls and
+ allows far simpler code even with added buffer overflow
+ handling.
+
+* replace multiple string part concatenations with a few simpler
+ calls to snprintf() for all the search_ip buffer constructions.
+ Adding buffer overflow handling as needed for the new calls.
+---
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Upstream-Status: Backport
+
+ .../ext_edirectory_userip_acl.cc | 376 ++++++------------
+ 1 file changed, 120 insertions(+), 256 deletions(-)
+
+diff --git a/helpers/external_acl/eDirectory_userip/ext_edirectory_userip_acl.cc b/helpers/external_acl/eDirectory_userip/ext_edirectory_userip_acl.cc
+index 63609e4..ad16bfd 100644
+--- a/helpers/external_acl/eDirectory_userip/ext_edirectory_userip_acl.cc
++++ b/helpers/external_acl/eDirectory_userip/ext_edirectory_userip_acl.cc
+@@ -67,6 +67,9 @@
+ #ifdef HAVE_LDAP_H
+ #include <ldap.h>
+ #endif
++#ifdef HAVE_NETDB_H
++#include <netdb.h>
++#endif
+
+ #ifdef HELPER_INPUT_BUFFER
+ #define EDUI_MAXLEN HELPER_INPUT_BUFFER
+@@ -714,11 +717,14 @@ BindLDAP(edui_ldap_t *l, char *dn, char *pw, unsigned int t)
+
+ /* Copy details - dn and pw CAN be NULL for anonymous and/or TLS */
+ if (dn != NULL) {
++ if (strlen(dn) >= sizeof(l->dn))
++ return LDAP_ERR_OOB; /* DN too large */
++
+ if ((l->basedn[0] != '\0') && (strstr(dn, l->basedn) == NULL)) {
+ /* We got a basedn, but it's not part of dn */
+- xstrncpy(l->dn, dn, sizeof(l->dn));
+- strncat(l->dn, ",", 1);
+- strncat(l->dn, l->basedn, strlen(l->basedn));
++ const int x = snprintf(l->dn, sizeof(l->dn)-1, "%s,%s", dn, l->basedn);
++ if (x < 0 || static_cast<size_t>(x) >= sizeof(l->dn))
++ return LDAP_ERR_OOB; /* DN too large */
+ } else
+ xstrncpy(l->dn, dn, sizeof(l->dn));
+ }
+@@ -778,24 +784,73 @@ BindLDAP(edui_ldap_t *l, char *dn, char *pw, unsigned int t)
+ }
+ }
+
++// XXX: duplicate (partial) of Ip::Address::lookupHostIp
++/**
++ * Convert the IP address string representation in src to
++ * its binary representation.
++ *
++ * \return binary representation of the src IP address.
++ * Must be free'd using freeaddrinfo().
++ */
++static struct addrinfo *
++makeIpBinary(const char *src)
++{
++ struct addrinfo want;
++ memset(&want, 0, sizeof(want));
++ want.ai_flags = AI_NUMERICHOST; // prevent actual DNS lookups!
++
++ struct addrinfo *dst = nullptr;
++ if (getaddrinfo(src, nullptr, &want, &dst) != 0) {
++ // not an IP address
++ /* free any memory getaddrinfo() dynamically allocated. */
++ if (dst)
++ freeaddrinfo(dst);
++ return nullptr;
++ }
++
++ return dst;
++}
++
++/**
++ * Convert srcLen bytes from src into HEX and store into dst, which
++ * has a maximum content size of dstSize including c-string terminator.
++ * The dst value produced will be a 0-terminated c-string.
++ *
++ * \retval N length of dst written (excluding c-string terminator)
++ * \retval -11 (LDAP_ERR_OOB) buffer overflow detected
++ */
++static int
++makeHexString(char *dst, const int dstSize, const char *src, const int srcLen)
++{
++ // HEX encoding doubles the amount of bytes/octets copied
++ if ((srcLen*2) >= dstSize)
++ return LDAP_ERR_OOB; // cannot copy that many
++
++ *dst = 0;
++
++ for (int k = 0; k < srcLen; ++k) {
++ int c = static_cast<int>(src[k]);
++ if (c < 0)
++ c = c + 256;
++ char hexc[4];
++ const int hlen = snprintf(hexc, sizeof(hexc), "%02X", c);
++ if (hlen < 0 || static_cast<size_t>(hlen) > sizeof(hexc)) // should be impossible
++ return LDAP_ERR_OOB;
++ strcat(dst, hexc);
++ }
++ return strlen(dst);
++}
++
+ /*
+ * ConvertIP() - <edui_ldap_t> <ip>
+ *
+ * Take an IPv4 address in dot-decimal or IPv6 notation, and convert to 2-digit HEX stored in l->search_ip
+ * This is the networkAddress that we search LDAP for.
+- *
+- * PENDING -- CHANGE OVER TO inet*_pton, but inet6_pton does not provide the correct syntax
+- *
+ */
+ static int
+ ConvertIP(edui_ldap_t *l, char *ip)
+ {
+- char bufa[EDUI_MAXLEN], bufb[EDUI_MAXLEN], obj[EDUI_MAXLEN];
+- char hexc[4], *p;
+ void *y, *z;
+- size_t s;
+- long x;
+- int i, j, t, swi; /* IPv6 "::" cut over toggle */
+ if (l == NULL) return LDAP_ERR_NULL;
+ if (ip == NULL) return LDAP_ERR_PARAM;
+ if (!(l->status & LDAP_INIT_S)) return LDAP_ERR_INIT; /* Not initalized */
+@@ -831,183 +886,22 @@ ConvertIP(edui_ldap_t *l, char *ip)
+ l->status |= (LDAP_IPV4_S);
+ z = NULL;
+ }
+- s = strlen(ip);
+- *(bufa) = '\0';
+- *(bufb) = '\0';
+- *(obj) = '\0';
+- /* StringSplit() will zero out bufa & obj at each call */
+- memset(l->search_ip, '\0', sizeof(l->search_ip));
+- xstrncpy(bufa, ip, sizeof(bufa)); /* To avoid segfaults, use bufa instead of ip */
+- swi = 0;
+- if (l->status & LDAP_IPV6_S) {
+- /* Search for :: in string */
+- if ((bufa[0] == ':') && (bufa[1] == ':')) {
+- /* bufa starts with a ::, so just copy and clear */
+- xstrncpy(bufb, bufa, sizeof(bufb));
+- *(bufa) = '\0';
+- ++swi; /* Indicates that there is a bufb */
+- } else if ((bufa[0] == ':') && (bufa[1] != ':')) {
+- /* bufa starts with a :, a typo so just fill in a ':', cat and clear */
+- bufb[0] = ':';
+- strncat(bufb, bufa, strlen(bufa));
+- *(bufa) = '\0';
+- ++swi; /* Indicates that there is a bufb */
+- } else {
+- p = strstr(bufa, "::");
+- if (p != NULL) {
+- /* Found it, break bufa down and split into bufb here */
+- *(bufb) = '\0';
+- i = strlen(p);
+- memcpy(bufb, p, i);
+- *p = '\0';
+- bufb[i] = '\0';
+- ++swi; /* Indicates that there is a bufb */
+- }
+- }
+- }
+- s = strlen(bufa);
+- if (s < 1)
+- s = strlen(bufb);
+- while (s > 0) {
+- if ((l->status & LDAP_IPV4_S) && (swi == 0)) {
+- /* Break down IPv4 address */
+- t = StringSplit(bufa, '.', obj, sizeof(obj));
+- if (t > 0) {
+- errno = 0;
+- x = strtol(obj, (char **)NULL, 10);
+- if (((x < 0) || (x > 255)) || ((errno != 0) && (x == 0)) || ((obj[0] != '0') && (x == 0)))
+- return LDAP_ERR_OOB; /* Out of bounds -- Invalid address */
+- memset(hexc, '\0', sizeof(hexc));
+- int hlen = snprintf(hexc, sizeof(hexc), "%02X", (int)x);
+- strncat(l->search_ip, hexc, hlen);
+- } else
+- break; /* reached end of octet */
+- } else if (l->status & LDAP_IPV6_S) {
+- /* Break down IPv6 address */
+- if (swi > 1)
+- t = StringSplit(bufb, ':', obj, sizeof(obj)); /* After "::" */
+- else
+- t = StringSplit(bufa, ':', obj, sizeof(obj)); /* Before "::" */
+- /* Convert octet by size (t) - and fill 0's */
+- switch (t) { /* IPv6 is already in HEX, copy contents */
+- case 4:
+- hexc[0] = (char) toupper((int)obj[0]);
+- i = (int)hexc[0];
+- if (!isxdigit(i))
+- return LDAP_ERR_OOB; /* Out of bounds */
+- hexc[1] = (char) toupper((int)obj[1]);
+- i = (int)hexc[1];
+- if (!isxdigit(i))
+- return LDAP_ERR_OOB; /* Out of bounds */
+- hexc[2] = '\0';
+- strncat(l->search_ip, hexc, 2);
+- hexc[0] = (char) toupper((int)obj[2]);
+- i = (int)hexc[0];
+- if (!isxdigit(i))
+- return LDAP_ERR_OOB; /* Out of bounds */
+- hexc[1] = (char) toupper((int)obj[3]);
+- i = (int)hexc[1];
+- if (!isxdigit(i))
+- return LDAP_ERR_OOB; /* Out of bounds */
+- hexc[2] = '\0';
+- strncat(l->search_ip, hexc, 2);
+- break;
+- case 3:
+- hexc[0] = '0';
+- hexc[1] = (char) toupper((int)obj[0]);
+- i = (int)hexc[1];
+- if (!isxdigit(i))
+- return LDAP_ERR_OOB; /* Out of bounds */
+- hexc[2] = '\0';
+- strncat(l->search_ip, hexc, 2);
+- hexc[0] = (char) toupper((int)obj[1]);
+- i = (int)hexc[0];
+- if (!isxdigit(i))
+- return LDAP_ERR_OOB; /* Out of bounds */
+- hexc[1] = (char) toupper((int)obj[2]);
+- i = (int)hexc[1];
+- if (!isxdigit(i))
+- return LDAP_ERR_OOB; /* Out of bounds */
+- hexc[2] = '\0';
+- strncat(l->search_ip, hexc, 2);
+- break;
+- case 2:
+- strncat(l->search_ip, "00", 2);
+- hexc[0] = (char) toupper((int)obj[0]);
+- i = (int)hexc[0];
+- if (!isxdigit(i))
+- return LDAP_ERR_OOB; /* Out of bounds */
+- hexc[1] = (char) toupper((int)obj[1]);
+- i = (int)hexc[1];
+- if (!isxdigit(i))
+- return LDAP_ERR_OOB; /* Out of bounds */
+- hexc[2] = '\0';
+- strncat(l->search_ip, hexc, 2);
+- break;
+- case 1:
+- strncat(l->search_ip, "00", 2);
+- hexc[0] = '0';
+- hexc[1] = (char) toupper((int)obj[0]);
+- i = (int)hexc[1];
+- if (!isxdigit(i))
+- return LDAP_ERR_OOB; /* Out of bounds */
+- hexc[2] = '\0';
+- strncat(l->search_ip, hexc, 2);
+- break;
+- default:
+- if (t > 4)
+- return LDAP_ERR_OOB;
+- break;
+- }
+- /* Code to pad the address with 0's between a '::' */
+- if ((strlen(bufa) == 0) && (swi == 1)) {
+- /* We are *AT* the split, pad in some 0000 */
+- t = strlen(bufb);
+- /* How many ':' exist in bufb ? */
+- j = 0;
+- for (i = 0; i < t; ++i) {
+- if (bufb[i] == ':')
+- ++j;
+- }
+- --j; /* Preceding "::" doesn't count */
+- t = 8 - (strlen(l->search_ip) / 4) - j; /* Remainder */
+- if (t > 0) {
+- for (i = 0; i < t; ++i)
+- strncat(l->search_ip, "0000", 4);
+- }
+- }
+- }
+- if ((bufa[0] == '\0') && (swi > 0)) {
+- s = strlen(bufb);
+- ++swi;
+- } else
+- s = strlen(bufa);
+- }
+- s = strlen(l->search_ip);
+
+- /* CHECK sizes of address, truncate or pad */
+- /* if "::" is at end of ip, then pad another block or two */
+- while ((l->status & LDAP_IPV6_S) && (s < 32)) {
+- strncat(l->search_ip, "0000", 4);
+- s = strlen(l->search_ip);
+- }
+- if ((l->status & LDAP_IPV6_S) && (s > 32)) {
+- /* Too long, truncate */
+- l->search_ip[32] = '\0';
+- s = strlen(l->search_ip);
+- }
+- /* If at end of ip, and its not long enough, then pad another block or two */
+- while ((l->status & LDAP_IPV4_S) && (s < 8)) {
+- strncat(l->search_ip, "00", 2);
+- s = strlen(l->search_ip);
+- }
+- if ((l->status & LDAP_IPV4_S) && (s > 8)) {
+- /* Too long, truncate */
+- l->search_ip[8] = '\0';
+- s = strlen(l->search_ip);
++ size_t s = LDAP_ERR_INVALID;
++ if (struct addrinfo *dst = makeIpBinary(ip)) {
++ if (dst->ai_family == AF_INET6) {
++ struct sockaddr_in6 *sia = reinterpret_cast<struct sockaddr_in6 *>(dst->ai_addr);
++ const char *ia = reinterpret_cast<const char *>(sia->sin6_addr.s6_addr);
++ s = makeHexString(l->search_ip, sizeof(l->search_ip), ia, 16); // IPv6 = 16-byte address
++
++ } else if (dst->ai_family == AF_INET) {
++ struct sockaddr_in *sia = reinterpret_cast<struct sockaddr_in *>(dst->ai_addr);
++ const char *ia = reinterpret_cast<const char *>(&(sia->sin_addr));
++ s = makeHexString(l->search_ip, sizeof(l->search_ip), ia, 4); // IPv4 = 4-byte address
++ } // else leave s with LDAP_ERR_INVALID value
++ freeaddrinfo(dst);
+ }
+
+- /* Completed, s is length of address in HEX */
+ return s;
+ }
+
+@@ -1099,48 +993,42 @@ SearchFilterLDAP(edui_ldap_t *l, char *group)
+ }
+ if (group == NULL) {
+ /* No groupMembership= to add, yay! */
+- xstrncpy(bufa, "(&", sizeof(bufa));
+- strncat(bufa, edui_conf.search_filter, strlen(edui_conf.search_filter));
+ /* networkAddress */
+- snprintf(bufb, sizeof(bufb), "(|(networkAddress=1\\23%s)", bufc);
+ if (l->status & LDAP_IPV4_S) {
+- int ln = snprintf(bufd, sizeof(bufd), "(networkAddress=8\\23\\00\\00%s)(networkAddress=9\\23\\00\\00%s))", \
+- bufc, bufc);
+- strncat(bufb, bufd, ln);
++ const int ln = snprintf(bufd, sizeof(bufd), "(networkAddress=8\\23\\00\\00%s)(networkAddress=9\\23\\00\\00%s)", bufc, bufc);
++ if (ln < 0 || static_cast<size_t>(ln) >= sizeof(bufd))
++ return LDAP_ERR_OOB;
++
+ } else if (l->status & LDAP_IPV6_S) {
+- int ln = snprintf(bufd, sizeof(bufd), "(networkAddress=10\\23\\00\\00%s)(networkAddress=11\\23\\00\\00%s))", \
+- bufc, bufc);
+- strncat(bufb, bufd, ln);
+- } else
+- strncat(bufb, ")", 1);
+- strncat(bufa, bufb, strlen(bufb));
+- strncat(bufa, ")", 1);
++ const int ln = snprintf(bufd, sizeof(bufd), "(networkAddress=10\\23\\00\\00%s)(networkAddress=11\\23\\00\\00%s)", bufc, bufc);
++ if (ln < 0 || static_cast<size_t>(ln) >= sizeof(bufd))
++ return LDAP_ERR_OOB;
++ }
++ const int x = snprintf(bufa, sizeof(bufa), "(&%s(|(networkAddress=1\\23%s)%s))", edui_conf.search_filter, bufc, bufd);
++ if (x < 0 || static_cast<size_t>(x) >= sizeof(bufa))
++ return LDAP_ERR_OOB;
++
+ } else {
+ /* Needs groupMembership= to add... */
+- xstrncpy(bufa, "(&(&", sizeof(bufa));
+- strncat(bufa, edui_conf.search_filter, strlen(edui_conf.search_filter));
+ /* groupMembership -- NOTE: Squid *MUST* provide "cn=" from squid.conf */
+- snprintf(bufg, sizeof(bufg), "(groupMembership=%s", group);
+ if ((l->basedn[0] != '\0') && (strstr(group, l->basedn) == NULL)) {
+- strncat(bufg, ",", 1);
+- strncat(bufg, l->basedn, strlen(l->basedn));
++ const int ln = snprintf(bufg, sizeof(bufg), ",%s", l->basedn);
++ if (ln < 0 || static_cast<size_t>(ln) >= sizeof(bufd))
++ return LDAP_ERR_OOB;
+ }
+- strncat(bufg, ")", 1);
+- strncat(bufa, bufg, strlen(bufg));
+ /* networkAddress */
+- snprintf(bufb, sizeof(bufb), "(|(networkAddress=1\\23%s)", bufc);
+ if (l->status & LDAP_IPV4_S) {
+- int ln = snprintf(bufd, sizeof(bufd), "(networkAddress=8\\23\\00\\00%s)(networkAddress=9\\23\\00\\00%s))", \
+- bufc, bufc);
+- strncat(bufb, bufd, ln);
++ const int ln = snprintf(bufd, sizeof(bufd), "(networkAddress=8\\23\\00\\00%s)(networkAddress=9\\23\\00\\00%s)", bufc, bufc);
++ if (ln < 0 || static_cast<size_t>(ln) >= sizeof(bufd))
++ return LDAP_ERR_OOB;
+ } else if (l->status & LDAP_IPV6_S) {
+- int ln = snprintf(bufd, sizeof(bufd), "(networkAddress=10\\23\\00\\00%s)(networkAddress=11\\23\\00\\00%s))", \
+- bufc, bufc);
+- strncat(bufb, bufd, ln);
+- } else
+- strncat(bufb, ")", 1);
+- strncat(bufa, bufb, strlen(bufb));
+- strncat(bufa, "))", 2);
++ const int ln = snprintf(bufd, sizeof(bufd), "(networkAddress=10\\23\\00\\00%s)(networkAddress=11\\23\\00\\00%s)", bufc, bufc);
++ if (ln < 0 || static_cast<size_t>(ln) >= sizeof(bufd))
++ return LDAP_ERR_OOB;
++ }
++ const int x = snprintf(bufa, sizeof(bufa), "(&(&%s(groupMembership=%s%s)(|(networkAddress=1\\23%s)%s)))", edui_conf.search_filter, group, bufg, bufc, bufd);
++ if (x < 0 || static_cast<size_t>(x) >= sizeof(bufa))
++ return LDAP_ERR_OOB;
+ }
+ s = strlen(bufa);
+ xstrncpy(l->search_filter, bufa, sizeof(l->search_filter));
+@@ -1212,10 +1100,10 @@ static int
+ SearchIPLDAP(edui_ldap_t *l)
+ {
+ ber_len_t i, x;
+- ber_len_t j, k;
+- ber_len_t y, z;
+- int c;
+- char bufa[EDUI_MAXLEN], bufb[EDUI_MAXLEN], hexc[4];
++ ber_len_t j;
++ ber_len_t z;
++ char bufa[EDUI_MAXLEN];
++ char bufb[EDUI_MAXLEN];
+ LDAPMessage *ent;
+ if (l == NULL) return LDAP_ERR_NULL;
+ if (l->lp == NULL) return LDAP_ERR_POINTER;
+@@ -1273,19 +1161,11 @@ SearchIPLDAP(edui_ldap_t *l)
+ /* bufa is the address, just compare it */
+ if (!(l->status & LDAP_IPV4_S) || (l->status & LDAP_IPV6_S))
+ break; /* Not looking for IPv4 */
+- for (k = 0; k < z; ++k) {
+- c = (int) bufa[k];
+- if (c < 0)
+- c = c + 256;
+- int hlen = snprintf(hexc, sizeof(hexc), "%02X", c);
+- if (k == 0)
+- xstrncpy(bufb, hexc, sizeof(bufb));
+- else
+- strncat(bufb, hexc, hlen);
+- }
+- y = strlen(bufb);
++ const int blen = makeHexString(bufb, sizeof(bufb), bufa, z);
++ if (blen < 0)
++ return blen;
+ /* Compare value with IP */
+- if (memcmp(l->search_ip, bufb, y) == 0) {
++ if (memcmp(l->search_ip, bufb, blen) == 0) {
+ /* We got a match! - Scan 'ber' for 'cn' values */
+ z = ldap_count_values_len(ber);
+ for (j = 0; j < z; ++j) {
+@@ -1308,19 +1188,11 @@ SearchIPLDAP(edui_ldap_t *l)
+ /* bufa + 2 is the address (skip 2 digit port) */
+ if (!(l->status & LDAP_IPV4_S) || (l->status & LDAP_IPV6_S))
+ break; /* Not looking for IPv4 */
+- for (k = 2; k < z; ++k) {
+- c = (int) bufa[k];
+- if (c < 0)
+- c = c + 256;
+- int hlen = snprintf(hexc, sizeof(hexc), "%02X", c);
+- if (k == 2)
+- xstrncpy(bufb, hexc, sizeof(bufb));
+- else
+- strncat(bufb, hexc, hlen);
+- }
+- y = strlen(bufb);
++ const int blen = makeHexString(bufb, sizeof(bufb), &bufa[2], z);
++ if (blen < 0)
++ return blen;
+ /* Compare value with IP */
+- if (memcmp(l->search_ip, bufb, y) == 0) {
++ if (memcmp(l->search_ip, bufb, blen) == 0) {
+ /* We got a match! - Scan 'ber' for 'cn' values */
+ z = ldap_count_values_len(ber);
+ for (j = 0; j < z; ++j) {
+@@ -1343,19 +1215,11 @@ SearchIPLDAP(edui_ldap_t *l)
+ /* bufa + 2 is the address (skip 2 digit port) */
+ if (!(l->status & LDAP_IPV6_S))
+ break; /* Not looking for IPv6 */
+- for (k = 2; k < z; ++k) {
+- c = (int) bufa[k];
+- if (c < 0)
+- c = c + 256;
+- int hlen = snprintf(hexc, sizeof(hexc), "%02X", c);
+- if (k == 2)
+- xstrncpy(bufb, hexc, sizeof(bufb));
+- else
+- strncat(bufb, hexc, hlen);
+- }
+- y = strlen(bufb);
++ const int blen = makeHexString(bufb, sizeof(bufb), &bufa[2], z);
++ if (blen < 0)
++ return blen;
+ /* Compare value with IP */
+- if (memcmp(l->search_ip, bufb, y) == 0) {
++ if (memcmp(l->search_ip, bufb, blen) == 0) {
+ /* We got a match! - Scan 'ber' for 'cn' values */
+ z = ldap_count_values_len(ber);
+ for (j = 0; j < z; ++j) {
diff --git a/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/0001-configure-Check-for-Wno-error-format-truncation-comp.patch b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/0001-configure-Check-for-Wno-error-format-truncation-comp.patch
new file mode 100644
index 0000000..302136a
--- /dev/null
+++ b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/0001-configure-Check-for-Wno-error-format-truncation-comp.patch
@@ -0,0 +1,118 @@
+From c21adbb0b230ffba97cf5d059e2bd024e13a37df Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 22 Apr 2017 11:54:57 -0700
+Subject: [PATCH] configure: Check for -Wno-error=format-truncation compiler
+ option
+
+If this option is supported by compiler then disable it ( gcc7+)
+Fixes
+client.c:834:23: error: '%s' directive output may be truncated writing up to 1023 bytes into a region of size 1010 [-Werror=format-truncation=]
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+---
+ acinclude/ax_check_compile_flag.m4 | 74 ++++++++++++++++++++++++++++++++++++++
+ configure.ac | 2 ++
+ 2 files changed, 76 insertions(+)
+ create mode 100644 acinclude/ax_check_compile_flag.m4
+
+diff --git a/acinclude/ax_check_compile_flag.m4 b/acinclude/ax_check_compile_flag.m4
+new file mode 100644
+index 0000000..dcabb92
+--- /dev/null
++++ b/acinclude/ax_check_compile_flag.m4
+@@ -0,0 +1,74 @@
++# ===========================================================================
++# https://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html
++# ===========================================================================
++#
++# SYNOPSIS
++#
++# AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT])
++#
++# DESCRIPTION
++#
++# Check whether the given FLAG works with the current language's compiler
++# or gives an error. (Warnings, however, are ignored)
++#
++# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
++# success/failure.
++#
++# If EXTRA-FLAGS is defined, it is added to the current language's default
++# flags (e.g. CFLAGS) when the check is done. The check is thus made with
++# the flags: "CFLAGS EXTRA-FLAGS FLAG". This can for example be used to
++# force the compiler to issue an error when a bad flag is given.
++#
++# INPUT gives an alternative input source to AC_COMPILE_IFELSE.
++#
++# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
++# macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG.
++#
++# LICENSE
++#
++# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
++# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
++#
++# This program is free software: you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation, either version 3 of the License, or (at your
++# option) any later version.
++#
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
++# Public License for more details.
++#
++# You should have received a copy of the GNU General Public License along
++# with this program. If not, see <https://www.gnu.org/licenses/>.
++#
++# As a special exception, the respective Autoconf Macro's copyright owner
++# gives unlimited permission to copy, distribute and modify the configure
++# scripts that are the output of Autoconf when processing the Macro. You
++# need not follow the terms of the GNU General Public License when using
++# or distributing such scripts, even though portions of the text of the
++# Macro appear in them. The GNU General Public License (GPL) does govern
++# all other use of the material that constitutes the Autoconf Macro.
++#
++# This special exception to the GPL applies to versions of the Autoconf
++# Macro released by the Autoconf Archive. When you make and distribute a
++# modified version of the Autoconf Macro, you may extend this special
++# exception to the GPL to apply to your modified version as well.
++
++#serial 5
++
++AC_DEFUN([AX_CHECK_COMPILE_FLAG],
++[AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF
++AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl
++AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [
++ ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS
++ _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1"
++ AC_COMPILE_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])],
++ [AS_VAR_SET(CACHEVAR,[yes])],
++ [AS_VAR_SET(CACHEVAR,[no])])
++ _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags])
++AS_VAR_IF(CACHEVAR,yes,
++ [m4_default([$2], :)],
++ [m4_default([$3], :)])
++AS_VAR_POPDEF([CACHEVAR])dnl
++])dnl AX_CHECK_COMPILE_FLAGS
+diff --git a/configure.ac b/configure.ac
+index ff4688c..9382fdf 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -26,6 +26,7 @@ m4_include([acinclude/pkg.m4])
+ m4_include([acinclude/lib-checks.m4])
+ m4_include([acinclude/ax_cxx_compile_stdcxx_11.m4])
+ m4_include([acinclude/ax_cxx_0x_types.m4])
++m4_include([acinclude/ax_check_compile_flag.m4])
+
+ HOSTCXX="$BUILD_CXX"
+ PRESET_CFLAGS="$CFLAGS"
+@@ -44,6 +45,7 @@ AC_PROG_CXX
+ AC_LANG([C++])
+ AC_CANONICAL_HOST
+
++AX_CHECK_COMPILE_FLAG([-Werror=format-truncation],[CFLAGS="$CFLAGS -Wno-error=format-truncation" CXXFLAGS="$CXXFLAGS -Wno-error=format-truncation"])
+ # Clang 3.2 on some CPUs requires -march-native to detect correctly.
+ # GCC 4.3+ can also produce faster executables when its used.
+ # But building inside a virtual machine environment has been found to
diff --git a/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/0001-tools.cc-fixed-unused-result-warning.patch b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/0001-tools.cc-fixed-unused-result-warning.patch
new file mode 100644
index 0000000..8ea55d0
--- /dev/null
+++ b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/0001-tools.cc-fixed-unused-result-warning.patch
@@ -0,0 +1,32 @@
+From faaa796a138cbd5033b1e53f33faac0cf4162bf5 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sun, 25 Jun 2017 00:59:24 -0700
+Subject: [PATCH] tools.cc: fixed unused-result warning
+
+fix
+| ../../squid-3.5.26/src/tools.cc: In function 'void enter_suid()':
+| ../../squid-3.5.26/src/tools.cc:616:11: error: ignoring return value of 'int setuid(__uid_t)', declared with attribute warn_unused_result [-Werror=unused-result]
+| setuid(0);
+| ~~~~~~^~~
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+---
+ src/tools.cc | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tools.cc b/src/tools.cc
+index 8137a03..843e266 100644
+--- a/src/tools.cc
++++ b/src/tools.cc
+@@ -612,8 +612,8 @@ enter_suid(void)
+ if (setresuid((uid_t)-1, 0, (uid_t)-1) < 0)
+ debugs (21, 3, "enter_suid: setresuid failed: " << xstrerror ());
+ #else
+-
+- setuid(0);
++ if (setuid(0) < 0)
++ debugs(50, DBG_IMPORTANT, "WARNING: no_suid: setuid(0): " << xstrerror());
+ #endif
+ #if HAVE_PRCTL && defined(PR_SET_DUMPABLE)
+ /* Set Linux DUMPABLE flag */
diff --git a/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/0002-smblib-fix-buffer-over-read.patch b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/0002-smblib-fix-buffer-over-read.patch
new file mode 100644
index 0000000..c8f0c47
--- /dev/null
+++ b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/0002-smblib-fix-buffer-over-read.patch
@@ -0,0 +1,39 @@
+From a6b1e0fd14311587186e40d09bff5c8c3aada2e4 Mon Sep 17 00:00:00 2001
+From: Amos Jeffries <squid3@treenet.co.nz>
+Date: Sat, 25 Jul 2015 05:53:16 -0700
+Subject: [PATCH] smblib: fix buffer over-read
+
+When parsing SMB LanManager packets with invalid protocol ID and the
+default set of Squid supported protocols. It may access memory outside
+the buffer storing protocol names.
+
+smblib is only used by already deprecated helpers which are deprecated
+due to far more significant NTLM protocol issues. It will also only
+result in packets being rejected later with invalid protocol names. So
+this is a minor bug rather than a vulnerability.
+
+ Detected by Coverity Scan. Issue 1256165
+---
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Upstream-Status: Backport
+
+ lib/smblib/smblib-util.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/smblib/smblib-util.c b/lib/smblib/smblib-util.c
+index 6139ae2..e722cbb 100644
+--- a/lib/smblib/smblib-util.c
++++ b/lib/smblib/smblib-util.c
+@@ -204,7 +204,11 @@ int SMB_Figure_Protocol(const char *dialects[], int prot_index)
+ {
+ int i;
+
+- if (dialects == SMB_Prots) { /* The jobs is easy, just index into table */
++ // prot_index may be a value outside the table SMB_Types[]
++ // which holds data at offsets 0 to 11
++ int ourType = (prot_index < 0 || prot_index > 11);
++
++ if (ourType && dialects == SMB_Prots) { /* The jobs is easy, just index into table */
+
+ return(SMB_Types[prot_index]);
+ } else { /* Search through SMB_Prots looking for a match */
diff --git a/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/Fix-flawed-dynamic-ldb-link-test-in-configure.patch b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/Fix-flawed-dynamic-ldb-link-test-in-configure.patch
new file mode 100644
index 0000000..25f68af
--- /dev/null
+++ b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/Fix-flawed-dynamic-ldb-link-test-in-configure.patch
@@ -0,0 +1,40 @@
+From b4943594654cd340b95aabdc2f3750a4705cc0de Mon Sep 17 00:00:00 2001
+From: Jim Somerville <Jim.Somerville@windriver.com>
+Date: Mon, 21 Oct 2013 12:50:44 -0400
+Subject: [PATCH] Fix flawed dynamic -ldb link test in configure
+
+The test uses dbopen, but just ignores the fact
+that this function may not exist in the db version
+used. This leads to the dynamic link test failing
+and the configure script just making assumptions
+about why and setting the need for -ldb incorrectly.
+
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
+
+---
+ configure.ac | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 57cd1ac..3827222 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3229,8 +3229,16 @@ AC_CHECK_DECL(dbopen,,,[
+ #include <db.h>
+ #endif])
+
+-dnl 1.85
+-SQUID_CHECK_DBOPEN_NEEDS_LIBDB
++if test "x$ac_cv_have_decl_dbopen" = "xyes"; then
++ dnl 1.85
++ SQUID_CHECK_DBOPEN_NEEDS_LIBDB
++else
++ # dbopen isn't there. So instead of running a compile/link test that
++ # uses it and is thus guaranteed to fail, we just assume that we will
++ # need to link in the db library, rather than fabricate some other
++ # dynamic compile/link test.
++ ac_cv_dbopen_libdb="yes"
++fi
+ if test "x$ac_cv_dbopen_libdb" = "xyes"; then
+ LIB_DB="-ldb"
+ fi
diff --git a/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/Set-up-for-cross-compilation.patch b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/Set-up-for-cross-compilation.patch
new file mode 100644
index 0000000..3852f7c
--- /dev/null
+++ b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/Set-up-for-cross-compilation.patch
@@ -0,0 +1,28 @@
+From 995aaf30799fa972441354b6feb45f0621968929 Mon Sep 17 00:00:00 2001
+From: Jim Somerville <Jim.Somerville@windriver.com>
+Date: Wed, 16 Oct 2013 16:41:03 -0400
+Subject: [PATCH] Set up for cross compilation
+
+Message-Id: <17e5a28667f667859c48bee25e575a072d39ee1b.1381956170.git.Jim.Somerville@windriver.com>
+
+Set the host compiler to BUILD_CXX so
+proper cross compilation can occur.
+
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
+
+---
+ configure.ac | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/configure.ac b/configure.ac
+index fe80ee0..57cd1ac 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -27,6 +27,7 @@ m4_include([acinclude/lib-checks.m4])
+ m4_include([acinclude/ax_cxx_compile_stdcxx_11.m4])
+ m4_include([acinclude/ax_cxx_0x_types.m4])
+
++HOSTCXX="$BUILD_CXX"
+ PRESET_CFLAGS="$CFLAGS"
+ PRESET_CXXFLAGS="$CXXFLAGS"
+ PRESET_LDFLAGS="$LDFLAGS"
diff --git a/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/Skip-AC_RUN_IFELSE-tests.patch b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/Skip-AC_RUN_IFELSE-tests.patch
new file mode 100644
index 0000000..6a33525
--- /dev/null
+++ b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/Skip-AC_RUN_IFELSE-tests.patch
@@ -0,0 +1,65 @@
+From a85311965707ba2fa78f7ce044e6f61e65e66fd0 Mon Sep 17 00:00:00 2001
+From: Jim Somerville <Jim.Somerville@windriver.com>
+Date: Tue, 14 Oct 2014 02:56:08 -0400
+Subject: [PATCH] Skip AC_RUN_IFELSE tests
+
+Upstream-Status: Inappropriate [cross compiling specific]
+
+Such tests are not supported in a cross compile
+environment. Choose sane defaults.
+
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+
+---
+ acinclude/krb5.m4 | 10 +++++++++-
+ acinclude/lib-checks.m4 | 8 ++++++--
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/acinclude/krb5.m4 b/acinclude/krb5.m4
+index 5c83d88..c264118 100644
+--- a/acinclude/krb5.m4
++++ b/acinclude/krb5.m4
+@@ -61,7 +61,15 @@ main(void)
+
+ return 0;
+ }
+-]])], [ squid_cv_broken_heimdal_krb5_h=yes ], [ squid_cv_broken_heimdal_krb5_h=no ])
++]])], [ squid_cv_broken_heimdal_krb5_h=yes ], [ squid_cv_broken_heimdal_krb5_h=no ],
++[
++ dnl Can't test in cross compiled env - so assume good
++ squid_cv_broken_heimdal_krb5_h=no
++])
++ ],
++ [
++ dnl Can't test in cross compiled env - so assume good
++ squid_cv_broken_heimdal_krb5_h=no
+ ])
+ ])
+ ]) dnl SQUID_CHECK_KRB5_HEIMDAL_BROKEN_KRB5_H
+diff --git a/acinclude/lib-checks.m4 b/acinclude/lib-checks.m4
+index c4874da..ba72982 100644
+--- a/acinclude/lib-checks.m4
++++ b/acinclude/lib-checks.m4
+@@ -177,7 +177,9 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_SSL_METHOD],[
+ [
+ AC_MSG_RESULT([no])
+ ],
+- [])
++ [
++ AC_MSG_RESULT([skipped - can't test in cross-compiled env])
++ ])
+
+ SQUID_STATE_ROLLBACK(check_const_SSL_METHOD)
+ ]
+@@ -265,7 +267,9 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_TXTDB],[
+ AC_MSG_RESULT([yes])
+ AC_DEFINE(SQUID_USE_SSLLHASH_HACK, 1)
+ ],
+-[])
++[
++ AC_MSG_RESULT([skipped - can't test in cross-compiled env])
++])
+
+ SQUID_STATE_ROLLBACK(check_TXTDB)
+ ])
diff --git a/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/run-ptest b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/run-ptest
new file mode 100644
index 0000000..de79a29
--- /dev/null
+++ b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/run-ptest
@@ -0,0 +1,3 @@
+#!/bin/sh
+#
+make -C test-suite -k runtest-TESTS
diff --git a/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/set_sysroot_patch.patch b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/set_sysroot_patch.patch
new file mode 100644
index 0000000..e990480
--- /dev/null
+++ b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/set_sysroot_patch.patch
@@ -0,0 +1,41 @@
+From 702bd881b66dc034e711c0ff47805f2da40b6e0d Mon Sep 17 00:00:00 2001
+From: Yue Tao <yue.tao@windriver.com>
+Date: Mon, 8 Aug 2016 16:04:33 +0800
+Subject: [PATCH] Set the SYSROOT for libxml2 header file to avoid host
+ contamination.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+
+---
+ configure.ac | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 504a844..ff4688c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -974,15 +974,15 @@ if test "x$squid_opt_use_esi" = "xyes" -a "x$with_libxml2" != "xno" ; then
+ dnl Find the main header and include path...
+ AC_CACHE_CHECK([location of libxml2 include files], [ac_cv_libxml2_include], [
+ AC_CHECK_HEADERS([libxml/parser.h], [], [
+- AC_MSG_NOTICE([Testing in /usr/include/libxml2])
++ AC_MSG_NOTICE([Testing in $SYSROOT/usr/include/libxml2])
+ SAVED_CPPFLAGS="$CPPFLAGS"
+- CPPFLAGS="-I/usr/include/libxml2 $CPPFLAGS"
++ CPPFLAGS="-I$SYSROOT/usr/include/libxml2 $CPPFLAGS"
+ unset ac_cv_header_libxml_parser_h
+- AC_CHECK_HEADERS([libxml/parser.h], [ac_cv_libxml2_include="-I/usr/include/libxml2"], [
+- AC_MSG_NOTICE([Testing in /usr/local/include/libxml2])
+- CPPFLAGS="-I/usr/local/include/libxml2 $SAVED_CPPFLAGS"
++ AC_CHECK_HEADERS([libxml/parser.h], [ac_cv_libxml2_include="-I$SYSROOT/usr/include/libxml2"], [
++ AC_MSG_NOTICE([Testing in $SYSROOT/usr/local/include/libxml2])
++ CPPFLAGS="-I$SYSROOT/usr/local/include/libxml2 $SAVED_CPPFLAGS"
+ unset ac_cv_header_libxml_parser_h
+- AC_CHECK_HEADERS([libxml/parser.h], [ac_cv_libxml2_include="-I/usr/local/include/libxml2"], [
++ AC_CHECK_HEADERS([libxml/parser.h], [ac_cv_libxml2_include="-I$SYSROOT/usr/local/include/libxml2"], [
+ AC_MSG_NOTICE([Failed to find libxml2 header file libxml/parser.h])
+ ])
+ ])
diff --git a/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/squid-don-t-do-squid-conf-tests-at-build-time.patch b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/squid-don-t-do-squid-conf-tests-at-build-time.patch
new file mode 100644
index 0000000..e5267ea
--- /dev/null
+++ b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/squid-don-t-do-squid-conf-tests-at-build-time.patch
@@ -0,0 +1,61 @@
+From 8786b91488dae3f6dfeadd686e80d2ffc5c29320 Mon Sep 17 00:00:00 2001
+From: Jackie Huang <jackie.huang@windriver.com>
+Date: Thu, 25 Aug 2016 15:22:57 +0800
+Subject: [PATCH] squid: don't do squid-conf-tests at build time
+
+* squid-conf-tests is a test to run "squid -k parse -f"
+ to perse the config files, which should not be run
+ at build time since we are cross compiling, so remove
+ it but it will be added back for the runtime ptest.
+
+* Fix the directories of the conf files for squid-conf-tests
+ so that it can run on the target board.
+
+Upstream-Status: Inappropriate [cross compile specific]
+
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+
+---
+ test-suite/Makefile.am | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/test-suite/Makefile.am b/test-suite/Makefile.am
+index 061a463..350dfb2 100644
+--- a/test-suite/Makefile.am
++++ b/test-suite/Makefile.am
+@@ -41,8 +41,7 @@ TESTS += debug \
+ MemPoolTest\
+ mem_node_test\
+ mem_hdr_test\
+- $(ESI_TESTS) \
+- squid-conf-tests
++ $(ESI_TESTS)
+
+ ## Sort by alpha - any build failures are significant.
+ check_PROGRAMS += debug \
+@@ -125,19 +124,19 @@ VirtualDeleteOperator_SOURCES = VirtualDeleteOperator.cc $(DEBUG_SOURCE)
+ ##$(TARGLIB): $(LIBOBJS)
+ ## $(AR_R) $(TARGLIB) $(LIBOBJS)
+
+-squid-conf-tests: $(top_builddir)/src/squid.conf.default $(srcdir)/squidconf/*
++squid-conf-tests: $(sysconfdir)/squid.conf.default squidconf/*
+ @failed=0; cfglist="$?"; rm -f $@ || $(TRUE); \
+ for cfg in $$cfglist ; do \
+- $(top_builddir)/src/squid -k parse -f $$cfg || \
++ squid -k parse -f $$cfg || \
+ { echo "FAIL: squid.conf test: $$cfg" | \
+- sed s%$(top_builddir)/src/%% | \
+- sed s%$(srcdir)/squidconf/%% ; \
++ sed s%$(sysconfdir)/%% | \
++ sed s%squidconf/%% ; \
+ failed=1; break; \
+ }; \
+ if test "$$failed" -eq 0; then \
+ echo "PASS: squid.conf test: $$cfg" | \
+- sed s%$(top_builddir)/src/%% | \
+- sed s%$(srcdir)/squidconf/%% ; \
++ sed s%$(sysconfdir)/%% | \
++ sed s%squidconf/%% ; \
+ else break; fi; \
+ done; \
+ if test "$$failed" -eq 0; then cp $(TRUE) $@ ; fi
diff --git a/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch
new file mode 100644
index 0000000..9c75f17
--- /dev/null
+++ b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/squid-use-serial-tests-config-needed-by-ptest.patch
@@ -0,0 +1,29 @@
+From 9bcec221a2bb438d8a9ed59aed846ffe3be9cffa Mon Sep 17 00:00:00 2001
+From: Jackie Huang <jackie.huang@windriver.com>
+Date: Tue, 19 Jul 2016 01:56:23 -0400
+Subject: [PATCH] squid: use serial-tests config needed by ptest
+
+ptest needs buildtest-TESTS and runtest-TESTS targets.
+serial-tests is required to generate those targets.
+
+Upstream-Status: Inappropriate [default automake behavior incompatible with ptest]
+
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 3827222..504a844 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -10,7 +10,7 @@ AC_PREREQ(2.61)
+ AC_CONFIG_HEADERS([include/autoconf.h])
+ AC_CONFIG_AUX_DIR(cfgaux)
+ AC_CONFIG_SRCDIR([src/main.cc])
+-AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects])
++AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects serial-tests])
+ AC_REVISION($Revision$)dnl
+ AC_PREFIX_DEFAULT(/usr/local/squid)
+ AM_MAINTAINER_MODE
diff --git a/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/volatiles.03_squid b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/volatiles.03_squid
new file mode 100644
index 0000000..83e1f8b
--- /dev/null
+++ b/meta/meta-openembedded/meta-networking/recipes-daemons/squid/files/volatiles.03_squid
@@ -0,0 +1,3 @@
+# <type> <owner> <group> <mode> <path> <linksource>
+d squid squid 0755 /var/run/squid none
+d squid squid 0750 /var/log/squid none