Date: Thu, 05 Apr 2001 15:45:31 +1000
From: Mark.Andrews@nominum.com
To: freebsd-security@freebsd.org
Subject: ntpd: committed fix still contains buffer overrun
Message-ID: <200104050545.f355jVT38066@drugs.dv.isc.org>

There are still buffer over and under runs and the previous fix
introduces a DoS.
Mark
Index: ntp_control.c
===================================================================
RCS file: /home/ncvs/src/contrib/ntp/ntpd/ntp_control.c,v
retrieving revision 1.1.1.2.2.1
diff -u -r1.1.1.2.2.1 ntp_control.c
--- ntp_control.c 2001/04/04 23:09:10 1.1.1.2.2.1
+++ ntp_control.c 2001/04/05 05:35:37
@@ -1656,22 +1656,14 @@
cp++;
while (cp < reqend && *cp != ',') {
*tp++ = *cp++;
- if (tp > buf + sizeof(buf)) {
- msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n",
- (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
- (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
- (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
- (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
- ntohs(rmt_addr->sin_port)
-);
-
+ if (tp > buf + sizeof(buf) - 1)
return (0);
- }
}
if (cp < reqend)
cp++;
*tp = '\0';
- while (isspace((int)(*(tp-1))))
+ while (tp != buf &&
+ isspace((int)(*(tp-1))))
*(--tp) = '\0';
reqpt = cp;
*data = buf;
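Review bot: in the trailing-whitespace loop, the added line `isspace((int)(*(tp-1)))` still casts straight to int, so if buf is a plain char array on a platform where char is signed, a request byte above 0x7f reaches isspace() as a negative value, which is undefined behaviour; casting through unsigned char, e.g. `isspace((unsigned char)tp[-1])`, avoids that. In the copy loop the new bound `tp > buf + sizeof(buf) - 1` is tested after `*tp++ = *cp++`, so the store is in bounds only if tp is already below buf + sizeof(buf) when the loop is entered, which these lines do not show; testing the bound before the store would make the loop safe on its own terms and keep room for the `*tp = '\0'` that follows. The msyslog() call is removed without a comment, so a short comment at the `return (0);` saying that over-long values are rejected silently on purpose would help the next reader.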
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com
