Date:      Thu, 5 Apr 2001 20:38:14 -0400
From:      Chris Faulhaber <jedgar@fxp.org>
To:        Mark.Andrews@nominum.com
Cc:        Matt Dillon <dillon@earth.backplane.com>, security@FreeBSD.ORG
Subject:   Re: ntpd patch
Message-ID:  <20010405203814.B91568@peitho.fxp.org>
In-Reply-To: <200104052356.f35NuMT54272@drugs.dv.isc.org>; from Mark.Andrews@nominum.com on Fri, Apr 06, 2001 at 09:56:22AM +1000
References:  <200104052328.f35NSN232886@earth.backplane.com> <200104052356.f35NuMT54272@drugs.dv.isc.org>

On Fri, Apr 06, 2001 at 09:56:22AM +1000, Mark.Andrews@nominum.com wrote:
> 
> >    Poul's patch:	http://apollo.backplane.com/FreeBSD/ntpd-patch1.diff
> > 
> >    Off-by-1 fix +
> >    buffer underflow	http://apollo.backplane.com/FreeBSD/ntpd-patch2.diff
> > 
> >    (second patch from Mark Andrews and others?)
> > 
> > 						-Matt
> > 
> 
> 	I've reimplemented the Off-by-1 fix ">=" vs "- 1".
> 	Fixed isspace() calling.
> 

alternatively, fix the off-by-one and underflow in one line
(obtained from NetBSD):

Index: ntp_control.c
===================================================================
RCS file: /home/ncvs/src/contrib/ntp/ntpd/ntp_control.c,v
retrieving revision 1.2
diff -u -r1.2 ntp_control.c
--- ntp_control.c	2001/04/04 23:07:22	1.2
+++ ntp_control.c	2001/04/05 21:42:48
@@ -1656,17 +1656,8 @@
 						cp++;
 					while (cp < reqend && *cp != ',') {
 						*tp++ = *cp++;
-						if (tp > buf + sizeof(buf)) {
-							 msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n", 
-	(ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
-	(ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
-	(ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
-	(ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
-	ntohs(rmt_addr->sin_port)
-);
-
+						if (tp >= buf + sizeof(buf) - 1)
 							return (0);
-						}
 					}
 					if (cp < reqend)
 						cp++;
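
Review bot: The new test `if (tp >= buf + sizeof(buf) - 1)` still runs after the store `*tp++ = *cp++`, so the bound only holds if tp is already below buf + sizeof(buf) - 1 when the while loop is entered, and nothing in this hunk shows where tp is set. Moving the test ahead of the store, or adding it to the loop condition next to `cp < reqend`, would make the loop safe on its own terms. The hunk also deletes the msyslog(LOG_WARNING, ...) call along with the old check, so an oversized value now gets `return (0)` with no trace in the logs; a shorter warning that records the source address would keep that detection signal, if it is wanted. Last, the message says this one line also fixes the underflow, but no line in the hunk touches a lower bound on tp, so a comment or a sentence in the description saying how that case is covered would help.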


-- 
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve   -   http://www.FreeBSD.org
