Message-Id: <200602051322.k15DMBPL043207@sep.oldach.net>
Date: Sun, 5 Feb 2006 14:22:11 +0100 (CET)
From: Helge Oldach
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/92839: contrib/ntp PARSE buffer overrun [patch]
Reply-To: Helge Oldach
List-Id: Bug reports
X-List-Received-Date: Sun, 05 Feb 2006 13:30:04 -0000

>Number: 92839
>Category: bin
>Synopsis: contrib/ntp PARSE buffer overrun [patch]
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Feb 05 13:30:03 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Helge Oldach
>Release: FreeBSD 5.5-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD localhost 5.5-PRERELEASE FreeBSD 5.5-PRERELEASE #619: Sun Feb 5 11:24:48 CET 2006 toor@localhost:/usr/obj/usr/src/sys/HMO i386
>Description:
contrib/ntp/libparse/clk_rawdcf.c contains a buffer overrun due to lack of bounds checking.
This leads to obscure syslogging as below, and also to ntpd core dumps: Feb 5 05:00:23 sep ntpd[554]: parse: convert_rawdcf: parity check FAILED for "-##-#-####-###-RAD-LS1248124P12-812P-248121-412-811-481248P^B^D^H========================================= # 57/tcp any private terminal access #PROBLEMS!============================================================== # 57/udp any private terminal access xns-mail 58/tcp #XNS Mail xns-mail 58/udp #XNS Mail # 59/tcp any private file service # 59/udp any private file service ni-mail 61/tcp #NI MAIL ni-mail 61/udp #NI MAIL acas 62/tcp #ACA Services acas 62/udp #ACA Services whois++ 63/tcp whois++ 63/udp covia 64/tcp #Communications Integrator (CI) covia 64/udp #Communications Integrator (CI) tacacs-ds 65/tcp #TACACS-Database Service tacacs-ds 65/udp #TACACS-Database Service sql*net 66/tcp #Oracle SQL*NET sql*net 66/udp #Oracle SQL*NET bootps 67/tcp dhcps #Bootstrap Protocol Server bootps 67/udp dhcps #Bootstrap Pr! otocol Server bootpc 68/tcp dhc >How-To-Repeat: System with RAWDCF receiver. This is usually a simple DCF-77 receiver connected to a serial port. In my case, per /etc/ntp.conf: # raw DCF77 receiver server 127.127.8.0 mode 16 prefer >Fix: --- contrib/ntp/libparse/clk_rawdcf.c.ctm Wed Aug 18 16:23:11 2004 +++ contrib/ntp/libparse/clk_rawdcf.c Sun Feb 5 13:53:51 2006 @@ -207,7 +207,7 @@ register unsigned char *c = dcfprm->zerobits; register int i; - parseprintf(DD_RAWDCF,("parse: convert_rawdcf: \"%s\"\n", buffer)); + parseprintf(DD_RAWDCF,("parse: convert_rawdcf: \"%.*s\"\n", size, buffer)); if (size < 57) { @@ -225,7 +225,7 @@ * we only have two types of bytes (ones and zeros) */ #ifndef PARSEKERNEL - msyslog(LOG_ERR, "parse: convert_rawdcf: BAD DATA - no conversion for \"%s\"\n", buffer); + msyslog(LOG_ERR, "parse: convert_rawdcf: BAD DATA - no conversion for \"%.*s\"\n", size, buffer); #endif return CVT_NONE; } 
@@ -298,7 +298,7 @@ * bad format - not for us */ #ifndef PARSEKERNEL - msyslog(LOG_ERR, "parse: convert_rawdcf: parity check FAILED for \"%s\"\n", buffer); + msyslog(LOG_ERR, "parse: convert_rawdcf: parity check FAILED for \"%.*s\"\n", size, buffer); #endif return CVT_FAIL|CVT_BADFMT; } >Release-Note: >Audit-Trail: >Unformatted:
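
Review bot: in the @@ -207 hunk, the parseprintf call now passes size as the "%.*s" precision before the `if (size < 57)` check runs, so nothing has validated size at that point. A printf-style precision argument must be an int, and a negative precision is treated as if it were omitted, which would fall back to the unbounded "%s" read this patch is removing. The declaration of size is outside the visible context; if it is not an int, cast it, and, assuming parseprintf follows printf semantics, consider clamping it with something like `size < 0 ? 0 : size`.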
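
Review bot: in the @@ -225 hunk, the BAD DATA message still writes the receiver bytes to syslog unescaped. The comment above the call says only two types of bytes are expected, so this branch is by definition the one where buffer holds something else; "%.*s" stops the read at size bytes (or at an earlier NUL) but does not keep control characters out of the log line. Suggest logging an escaped or hex rendering of the first size bytes, or only size, instead of the raw string.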
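
Review bot: in the @@ -298 hunk (the parity check FAILED message, which is the one quoted in the report's log excerpt), there is no comment saying why the precision is there. All three call sites now repeat `"%.*s"` with `size, buffer`; a one-line comment that buffer must be printed with an explicit length, or a small shared macro for logging it, would keep a later edit from reverting one of them to plain "%s".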