From owner-freebsd-stable Sat Feb 15 20:36:39 2003
Date: Sat, 15 Feb 2003 20:36:34 -0800
From: David Schultz
To: Charles Sprickman
Cc: security@FreeBSD.ORG
Subject: Re: chrooted non-priv ntpd
Message-ID: <20030216043634.GB733@HAL9000.homeunix.com>
References: <20030215025035.F80945@shell.inch.com>
In-Reply-To: <20030215025035.F80945@shell.inch.com>

Thus spake Charles Sprickman:
> I saw this article on DaemonNews:
>
> http://www.onlamp.com/lpt/a/3221
>
> Is there any such clock-setting trickery planned or in progress in -stable
> or -current? Pretty nifty idea given ntpd's sordid history.

Without volunteering to do anything about it for lack of time, I'd like to profess my support for this idea. ntpd has problems. I recommended running the part of ntpd that talks to the network as non-root when I audited it last year.
I know of at least three buffer overflows (in the input from the user who starts ntpd, not remotely exploitable), a possible bug in the crypto code that causes one of the session keys used to be predictable, two sloppy off-by-one errors (on the safe side, fortunately), and a failure to null-terminate a string that is passed to printf() when debug mode is used. Rather than actually using those brand new and terribly unportable interfaces like snprintf(3) and strncpy(3), the author tries to precompute maximum possible buffer sizes and occasionally seems to get it wrong.

I have to share the following excerpt from ntpd with you, partly because it's some of the most screwed up non-IOCCC code I have ever seen, and partly because if I had to suffer through it, I figure others might as well, too. It's actually a lot worse than it looks, given that approximately 55% of the text-containing lines in the file are #if, #ifdef, #elif, #else, or #endif. Audit that!

    285 int
    286 ntpdmain(
    287         int argc,
    288         char *argv[]
    289         )
    290 {
    ...
    345 # ifdef DEBUG
    346         if (!debug && !nofork)
    347 # else /* DEBUG */
    348         if (!nofork)
    349 # endif /* DEBUG */
    350         {
    ...
    439         }
    440 # endif /* NODETACH */
    441 # if defined(SYS_WINNT) && !defined(NODETACH)
    442         else
    443                 service_main(argc, argv);
    444         return 0;       /* must return a value */
    445 } /* end main */
    446 /*
    447  * If this runs as a service under NT, the main thread will block at
    448  * StartServiceCtrlDispatcher() and another thread will be started by the
    449  * Service Control Dispatcher which will begin execution at the routine
    450  * specified in that call (viz. service_main)
    451  */
    452 void
    453 service_main(
    454         DWORD argc,
    455         LPTSTR *argv
    456         )
    457 {
    ...
    490 # endif /* defined(SYS_WINNT) && !defined(NODETACH) */
    ...
    503 #if !defined(SYS_WINNT) && !defined(VMS)
    ...
    518 #endif /* !SYS_WINNT && !VMS */
    ...
    837 }

(In case you didn't catch that, notice that there are two possible places where main() can end, and they're several hundred lines apart. There's actually a third possibility, which is not shown above. I just noticed that the 'if' I excerpted from line 346 might not be the right one, but it seems to be the only one at the correct indentation. I'd have to run the code through cpp again to be sure.)

P.S. Did I read correctly that Niels Provos is now with NetBSD? Did Theo scare him off?
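As an added illustration, not code from ntpd or from the message above: the "precompute the maximum buffer size" habit the audit describes, with a constructed bound that forgets the terminating NUL, beside a bounded snprintf(3) formatter that reports truncation instead of silently overrunning. The format string, the PEER_LINE_MAX value and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hand-computed bound in the style the audit criticises: "peer " (5) +
 * dotted quad (15) + " stratum " (9) + two digits (2) = 31.  The terminating
 * NUL was not counted, so the buffer is one byte short for the longest
 * legal input.  This value is constructed for the example. */
#define PEER_LINE_MAX 31

/* Bytes a formatted peer line really needs, NUL included, measured rather
 * than guessed: snprintf with a zero-length buffer writes nothing and
 * returns the length the full output would have had. */
size_t peer_line_needed(const char *addr, int stratum)
{
    int n = snprintf(NULL, 0, "peer %s stratum %d", addr, stratum);
    return (n < 0) ? 0 : (size_t)n + 1;
}

/* Bounded formatter: never writes past bufsz, always NUL-terminates, and
 * tells the caller when the output did not fit.  Returns 0 on success,
 * -1 on truncation or error.  A caller that later hands buf to printf()
 * therefore always gets a properly terminated string. */
int format_peer_line(char *buf, size_t bufsz, const char *addr, int stratum)
{
    int n;
    if (buf == NULL || bufsz == 0)
        return -1;
    n = snprintf(buf, bufsz, "peer %s stratum %d", addr, stratum);
    if (n < 0 || (size_t)n >= bufsz) {
        buf[bufsz - 1] = '\0';          /* snprintf did this too; be explicit */
        return -1;
    }
    return 0;
}

int main(void)
{
    char line[PEER_LINE_MAX];
    const char *longest = "255.255.255.255";   /* constructed worst case */
    size_t need = peer_line_needed(longest, 16);

    printf("estimate %d bytes, longest line actually needs %zu\n",
           PEER_LINE_MAX, need);
    if (format_peer_line(line, sizeof line, longest, 16) != 0)
        printf("refused: line would not fit in %zu bytes\n", sizeof line);
    else
        printf("%s\n", line);
    return 0;
}
```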