Date: Thu, 5 Apr 2001 20:38:14 -0400
From: Chris Faulhaber
To: Mark.Andrews@nominum.com
Cc: Matt Dillon, security@FreeBSD.ORG
Subject: Re: ntpd patch
Message-ID: <20010405203814.B91568@peitho.fxp.org>
References: <200104052328.f35NSN232886@earth.backplane.com> <200104052356.f35NuMT54272@drugs.dv.isc.org>
In-Reply-To: <200104052356.f35NuMT54272@drugs.dv.isc.org>; from Mark.Andrews@nominum.com on Fri, Apr 06, 2001 at 09:56:22AM +1000

On Fri, Apr 06, 2001 at 09:56:22AM +1000, Mark.Andrews@nominum.com wrote:
>
> > Poul's patch: http://apollo.backplane.com/FreeBSD/ntpd-patch1.diff
> >
> > Off-by-1 fix +
> > buffer underflow http://apollo.backplane.com/FreeBSD/ntpd-patch2.diff
> >
> > (second patch from Mark Andrews and others?)
> >
> > -Matt
> >
>
> I've reimplemented the Off-by-1 fix ">=" vs "- 1".
> Fixed isspace() calling.
>

alternatively, fix the off-by-one and underflow in one line
(obtained from NetBSD):

Index: ntp_control.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/contrib/ntp/ntpd/ntp_control.c,v retrieving revision 1.2 diff -u -r1.2 ntp_control.c --- ntp_control.c 2001/04/04 23:07:22 1.2 +++ ntp_control.c 2001/04/05 21:42:48 
@@ -1656,17 +1656,8 @@ cp++; while (cp < reqend && *cp !=3D ',') { *tp++ =3D *cp++; - if (tp > buf + sizeof(buf)) { - msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d= .%d:%d (possibly spoofed)\n",=20 - (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff, - ntohs(rmt_addr->sin_port) -); - + if (tp >=3D buf + sizeof(buf) - 1) return (0); - } } if (cp < reqend) cp++;

-- 
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org
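
Review bot: the replacement test `if (tp >= buf + sizeof(buf) - 1)` inside the copy loop only bounds tp from above, so the underflow that the message says this line also fixes is not covered by anything visible in the hunk; please confirm against the code that follows the loop, or add an explicit lower-bound check where tp is walked backwards. The upper bound itself looks right: the test runs after `*tp++ = *cp++`, and stopping at sizeof(buf) - 1 leaves one byte for a terminator, though testing before the store would be easier to audit. Separately, the hunk removes the msyslog(LOG_WARNING, ...) call outright, so an over-long value is now rejected with `return (0)` and no trace; keeping a short log line with the peer address (worded neutrally, since the source can be spoofed, and ideally rate-limited) would preserve the detection signal for operators.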