Date: Thu, 5 Apr 2001 18:59:12 -0500 (CDT)
From: Chris Byrnes <chris@jeah.net>
To: <Mark.Andrews@nominum.com>
Cc: Matt Dillon <dillon@earth.backplane.com>, <security@FreeBSD.ORG>
Subject: Re: ntpd patch
Message-ID: <Pine.BSF.4.33.0104051858580.2769-100000@awww.jeah.net>
In-Reply-To: <200104052356.f35NuMT54272@drugs.dv.isc.org>
Can you put it on the web somewhere, or attach it to an email, as everytime I get a patch from the list it fails when I try to patch? + Chris Byrnes, chris@JEAH.net + JEAH Communications + 1-866-AWW-JEAH (Toll-Free) On Fri, 6 Apr 2001 Mark.Andrews@nominum.com wrote: > > > Poul's patch: http://apollo.backplane.com/FreeBSD/ntpd-patch1.diff > > > > Off-by-1 fix + > > buffer underflow http://apollo.backplane.com/FreeBSD/ntpd-patch2.diff > > > > (second patch from Mark Andrews and others?) > > > > -Matt > > > > I've reimplemented the Off-by-1 fix ">=" vs "- 1". > Fixed isspace() calling. > > Index: ntp_control.c > =================================================================== > RCS file: /home/ncvs/src/contrib/ntp/ntpd/ntp_control.c,v > retrieving revision 1.1.1.2.2.1 > diff -u -r1.1.1.2.2.1 ntp_control.c > --- ntp_control.c 2001/04/04 23:09:10 1.1.1.2.2.1 > +++ ntp_control.c 2001/04/05 23:53:13 > @@ -1615,7 +1615,8 @@ > /* > * Delete leading commas and white space > */ > - while (reqpt < reqend && (*reqpt == ',' || isspace((int)*reqpt))) { > + while (reqpt < reqend && (*reqpt == ',' || > + isspace((unsigned char)*reqpt))) { > reqpt++; > } > > @@ -1639,7 +1640,8 @@ > tp++; > } > if ((*tp == '\0') || (*tp == '=')) { > - while (cp < reqend && isspace((int)*cp)) > + while (cp < reqend && > + isspace((unsigned char)*cp)) > cp++; > if (cp == reqend || *cp == ',') { > buf[0] = '\0'; 
> @@ -1652,26 +1654,19 @@ > if (*cp == '=') { > cp++; > tp = buf; > - while (cp < reqend && isspace((int)*cp)) > + while (cp < reqend && > + isspace((unsigned char)*cp)) > cp++; > while (cp < reqend && *cp != ',') { > *tp++ = *cp++; > - if (tp > buf + sizeof(buf)) { > - msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n", > - (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff, > - (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff, > - (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff, > - (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff, > - ntohs(rmt_addr->sin_port) > -); > - > + if (tp >= buf + sizeof(buf)) > return (0); > - } > } > if (cp < reqend) > cp++; > *tp = '\0'; > - while (isspace((int)(*(tp-1)))) > + while (tp != buf && > + isspace((unsigned char)(*(tp-1)))) > *(--tp) = '\0'; > reqpt = cp; > *data = buf; > -- > Mark Andrews, Nominum Inc. > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
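Review bot: The isspace() cast fix that starts in the @@ -1615 hunk is applied one call site at a time, so any ctype call in ntp_control.c outside these three hunks keeps the old behaviour. Casting a plain char to (int) preserves a negative value, and isspace() is only defined for EOF and values representable as unsigned char, which is why the `(unsigned char)` cast is the right form. Suggest checking the rest of the file for remaining `(int)` casts in front of ctype calls and converting them in the same change, or routing them through one local macro so the cast cannot be written the old way again.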
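Review bot: In the @@ -1652 hunk, removing the msyslog() call means an oversized value now ends in a bare `return (0)` and leaves no trace, so an operator loses the only signal that someone is sending over-long control data. Suggest keeping a log line at the rejection point, worded neutrally and rate limited, since the old message itself noted the source address may be spoofed. A smaller point in the same loop: the bound test `tp >= buf + sizeof(buf)` still runs after `*tp++ = *cp++`. With `>=` both that store and the later `*tp = '\0'` stay inside buf, but correctness depends on that ordering, so testing for room before the store would be easier to audit. The added `tp != buf` guard on the trailing-whitespace loop covers the empty-value case where `*(tp-1)` would read before buf.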