Date: Fri, 06 Apr 2001 09:56:22 +1000
From: Mark.Andrews@nominum.com
To: Matt Dillon <dillon@earth.backplane.com>
Cc: Chris Byrnes <chris@jeah.net>, security@FreeBSD.ORG
Subject: Re: ntpd patch
Message-ID: <200104052356.f35NuMT54272@drugs.dv.isc.org>
In-Reply-To: Your message of "Thu, 05 Apr 2001 16:28:23 MST." <200104052328.f35NSN232886@earth.backplane.com>
> Poul's patch: http://apollo.backplane.com/FreeBSD/ntpd-patch1.diff > > Off-by-1 fix + > buffer underflow http://apollo.backplane.com/FreeBSD/ntpd-patch2.diff > > (second patch from Mark Andrews and others?) > > -Matt > I've reimplemented the Off-by-1 fix ">=" vs "- 1". Fixed isspace() calling. Index: ntp_control.c =================================================================== RCS file: /home/ncvs/src/contrib/ntp/ntpd/ntp_control.c,v retrieving revision 1.1.1.2.2.1 diff -u -r1.1.1.2.2.1 ntp_control.c --- ntp_control.c 2001/04/04 23:09:10 1.1.1.2.2.1 +++ ntp_control.c 2001/04/05 23:53:13 @@ -1615,7 +1615,8 @@ /* * Delete leading commas and white space */ - while (reqpt < reqend && (*reqpt == ',' || isspace((int)*reqpt))) { + while (reqpt < reqend && (*reqpt == ',' || + isspace((unsigned char)*reqpt))) { reqpt++; } @@ -1639,7 +1640,8 @@ tp++; } if ((*tp == '\0') || (*tp == '=')) { - while (cp < reqend && isspace((int)*cp)) + while (cp < reqend && + isspace((unsigned char)*cp)) cp++; if (cp == reqend || *cp == ',') { buf[0] = '\0'; 
@@ -1652,26 +1654,19 @@ if (*cp == '=') { cp++; tp = buf; - while (cp < reqend && isspace((int)*cp)) + while (cp < reqend && + isspace((unsigned char)*cp)) cp++; while (cp < reqend && *cp != ',') { *tp++ = *cp++; - if (tp > buf + sizeof(buf)) { - msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n", - (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff, - ntohs(rmt_addr->sin_port) -); - + if (tp >= buf + sizeof(buf)) return (0); - } } if (cp < reqend) cp++; *tp = '\0'; - while (isspace((int)(*(tp-1)))) + while (tp != buf && + isspace((unsigned char)(*(tp-1)))) *(--tp) = '\0'; reqpt = cp; *data = buf; -- Mark Andrews, Nominum Inc. 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
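Review bot: the (unsigned char) cast in the @@ -1615 hunk (and the matching ones later in the patch) is the correct fix, not a cosmetic one: with a signed char, a request byte of 0x80 or above reaches isspace() as a negative value other than EOF, which is undefined behaviour and on table-driven ctype implementations typically indexes the lookup table out of bounds; the old (int) cast only sign-extended that negative value. The commit message should say this explicitly, and any other ctype calls in ntp_control.c that still cast to (int) deserve the same treatment.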
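Review bot: in the @@ -1652 hunk the bound check now fires at tp >= buf + sizeof(buf), i.e. immediately after the write that fills buf[sizeof(buf) - 1], so neither the copy loop nor the following *tp = '\0' can write past the array; the old test with > let one byte land at buf[sizeof(buf)] before returning. The added tp != buf guard on the trimming loop closes the underflow where an empty value (cp already at reqend or at ',' right after the '=') left tp == buf, so isspace() read buf[-1] and, if that byte happened to be whitespace, the loop overwrote memory before the array. One thing is lost, though: dropping the msyslog() call removes the only log line operators had for overlong values. Consider keeping a short, rate-limited warning (without the embedded "\n" and the hand-rolled address formatting of the removed call) so an out-of-bounds request remains visible in syslog instead of being rejected silently with return (0).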