Date: Thu, 5 Apr 2001 20:38:14 -0400
From: Chris Faulhaber <jedgar@fxp.org>
To: Mark.Andrews@nominum.com
Cc: Matt Dillon <dillon@earth.backplane.com>, security@FreeBSD.ORG
Subject: Re: ntpd patch
Message-ID: <20010405203814.B91568@peitho.fxp.org>
In-Reply-To: <200104052356.f35NuMT54272@drugs.dv.isc.org>; from Mark.Andrews@nominum.com on Fri, Apr 06, 2001 at 09:56:22AM +1000
References: <200104052328.f35NSN232886@earth.backplane.com> <200104052356.f35NuMT54272@drugs.dv.isc.org>
On Fri, Apr 06, 2001 at 09:56:22AM +1000, Mark.Andrews@nominum.com wrote:
>
> > Poul's patch: http://apollo.backplane.com/FreeBSD/ntpd-patch1.diff
> >
> > Off-by-1 fix +
> > buffer underflow http://apollo.backplane.com/FreeBSD/ntpd-patch2.diff
> >
> > (second patch from Mark Andrews and others?)
> >
> > -Matt
> >
>
> I've reimplemented the Off-by-1 fix ">=" vs "- 1".
> Fixed isspace() calling.
>

Alternatively, fix the off-by-one and underflow in one line
(obtained from NetBSD):

Index: ntp_control.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/contrib/ntp/ntpd/ntp_control.c,v retrieving revision 1.2 diff -u -r1.2 ntp_control.c --- ntp_control.c 2001/04/04 23:07:22 1.2 +++ ntp_control.c 2001/04/05 21:42:48 
@@ -1656,17 +1656,8 @@ cp++; while (cp < reqend && *cp !=3D ',') { *tp++ =3D *cp++; - if (tp > buf + sizeof(buf)) { - msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d= .%d:%d (possibly spoofed)\n",=20 - (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff, - ntohs(rmt_addr->sin_port) -); - + if (tp >=3D buf + sizeof(buf) - 1) return (0); - } } if (cp < reqend) cp++;

-- 
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org
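Review bot: the replacement drops the msyslog(LOG_WARNING, ...) call together with the old check, so in the copy loop an over-long value now ends in a bare `return (0)` with no record of the rejected request or its source address. Consider keeping a short warning there (rate-limited, since the request can be repeated and the old message itself notes the address may be spoofed) so the condition stays visible in the logs. The new test `tp >= buf + sizeof(buf) - 1` still runs after `*tp++ = *cp++`, so it is safe only if tp enters the loop inside buf with room for at least one byte; testing before the store would not depend on that. The message says this line also fixes the underflow, but nothing in these lines touches a lower bound on tp, so a comment or commit note stating where the underflow occurred and why reserving the last byte closes it would help the next reader.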
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010405203814.B91568>