Date: Sun, 5 Feb 2006 14:22:11 +0100 (CET)
From: Helge Oldach <freebsdntpd@oldach.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/92839: contrib/ntp PARSE buffer overrun [patch]
Message-ID: <200602051322.k15DMBPL043207@sep.oldach.net>
Resent-Message-ID: <200602051330.k15DU3t3001229@freefall.freebsd.org>
>Number: 92839
>Category: bin
>Synopsis: contrib/ntp PARSE buffer overrun [patch]
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Feb 05 13:30:03 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Helge Oldach
>Release: FreeBSD 5.5-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD localhost 5.5-PRERELEASE FreeBSD 5.5-PRERELEASE #619: Sun Feb 5 11:24:48 CET 2006 toor@localhost:/usr/obj/usr/src/sys/HMO i386
>Description:
contrib/ntp/libparse/clk_rawdcf.c contains a buffer overrun due to lack of bounds checking. This leads to obscure syslogging as below, and also to ntpd core dumps:

Feb 5 05:00:23 sep ntpd[554]: parse: convert_rawdcf: parity check FAILED for "-##-#-####-###-RAD-LS1248124P12-812P-248121-412-811-481248P^B^D^H========================================= # 57/tcp any private terminal access #PROBLEMS!============================================================== # 57/udp any private terminal access xns-mail 58/tcp #XNS Mail xns-mail 58/udp #XNS Mail # 59/tcp any private file service # 59/udp any private file service ni-mail 61/tcp #NI MAIL ni-mail 61/udp #NI MAIL acas 62/tcp #ACA Services acas 62/udp #ACA Services whois++ 63/tcp whois++ 63/udp covia 64/tcp #Communications Integrator (CI) covia 64/udp #Communications Integrator (CI) tacacs-ds 65/tcp #TACACS-Database Service tacacs-ds 65/udp #TACACS-Database Service sql*net 66/tcp #Oracle SQL*NET sql*net 66/udp #Oracle SQL*NET bootps 67/tcp dhcps #Bootstrap Protocol Server bootps 67/udp dhcps #Bootstrap Pr! otocol Server bootpc 68/tcp dhc

>How-To-Repeat:
System with RAWDCF receiver. This is usually a simple DCF-77 receiver connected to a serial port.
In my case, per /etc/ntp.conf: # raw DCF77 receiver server 127.127.8.0 mode 16 prefer >Fix: --- contrib/ntp/libparse/clk_rawdcf.c.ctm Wed Aug 18 16:23:11 2004 +++ contrib/ntp/libparse/clk_rawdcf.c Sun Feb 5 13:53:51 2006 @@ -207,7 +207,7 @@ register unsigned char *c = dcfprm->zerobits; register int i; - parseprintf(DD_RAWDCF,("parse: convert_rawdcf: \"%s\"\n", buffer)); + parseprintf(DD_RAWDCF,("parse: convert_rawdcf: \"%.*s\"\n", size, buffer)); if (size < 57) { @@ -225,7 +225,7 @@ * we only have two types of bytes (ones and zeros) */ #ifndef PARSEKERNEL - msyslog(LOG_ERR, "parse: convert_rawdcf: BAD DATA - no conversion for \"%s\"\n", buffer); + msyslog(LOG_ERR, "parse: convert_rawdcf: BAD DATA - no conversion for \"%.*s\"\n", size, buffer); #endif return CVT_NONE; } @@ -298,7 +298,7 @@ * bad format - not for us */ #ifndef PARSEKERNEL - msyslog(LOG_ERR, "parse: convert_rawdcf: parity check FAILED for \"%s\"\n", buffer); + msyslog(LOG_ERR, "parse: convert_rawdcf: parity check FAILED for \"%.*s\"\n", size, buffer); #endif return CVT_FAIL|CVT_BADFMT; } >Release-Note: >Audit-Trail: >Unformatted:
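Review bot: in the first hunk (@@ -207) the parseprintf call sits before the "if (size < 57)" check, so size is still unvalidated when it is used as the "%.*s" precision. A negative precision is treated as if it were omitted, which would bring back the unbounded read; consider clamping size to zero or moving the debug print below the length check. This call is also outside the "#ifndef PARSEKERNEL" guard that wraps the other two call sites, so it is worth confirming that whatever parseprintf expands to in a PARSEKERNEL build accepts "%.*s".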
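Review bot: in the second hunk (@@ -225) the bytes handed to msyslog are still written unescaped, and judging by the comment above the call ("we only have two types of bytes") this BAD DATA branch is the one taken when the buffer holds something other than the expected characters. Bounding the length with "%.*s" stops the overrun but not control characters from the receiver reaching the log; consider logging an escaped or hex rendering of the size bytes here.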
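Review bot: in the third hunk (@@ -298) size is passed as the "%.*s" precision, which must be an int, and the declaration of size is not in the visible context; confirm its type or add an (int) cast. This is the third call site needing the same treatment, so a short comment near the top of the function stating that buffer is not NUL-terminated would help keep later log calls from reintroducing a plain "%s".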
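The failure mode from the Description, as an added example that is not part of the original report or of the ntp sources: a length-counted buffer without a terminating NUL is formatted once with "%s" and once with "%.*s", including the negative-length edge case. The names sample_mem, RAW_LEN, format_unbounded and format_bounded are hypothetical, and the sample bytes are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the first RAW_LEN bytes stand in for receiver data that
 * is NOT NUL-terminated; the bytes after it stand in for adjacent memory. */
#define RAW_LEN 8
static const unsigned char sample_mem[] = "-##-#-##ADJACENT-MEMORY";

static char line[128];          /* scratch buffer for the formatted message */

/* Pattern of the '-' lines: "%s" keeps reading until it happens to meet a NUL. */
static int format_unbounded(char *out, size_t outlen, const unsigned char *buffer)
{
    return snprintf(out, outlen, "parity check FAILED for \"%s\"",
                    (const char *)buffer);
}

/* Pattern of the '+' lines: "%.*s" reads at most `size` bytes.
 * The precision argument must be an int, and a negative precision is
 * treated as if it were omitted, so clamp it before use. */
static int format_bounded(char *out, size_t outlen,
                          const unsigned char *buffer, int size)
{
    if (size < 0)
        size = 0;
    return snprintf(out, outlen, "parity check FAILED for \"%.*s\"",
                    size, (const char *)buffer);
}

int main(void)
{
    format_unbounded(line, sizeof line, sample_mem);
    puts(line);                 /* includes the bytes past RAW_LEN */
    format_bounded(line, sizeof line, sample_mem, RAW_LEN);
    puts(line);                 /* stops after RAW_LEN bytes */
    format_bounded(line, sizeof line, sample_mem, -1);
    puts(line);                 /* clamped: nothing is read from the buffer */
    return 0;
}
```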