Date: Wed, 4 Apr 2001 18:26:46 -0600 (MDT)
From: "David G. Andersen" <dga@pobox.com>
To: phk@critter.freebsd.dk (Poul-Henning Kamp)
Cc: sjohn@airlinksys.com (Scott Johnson), freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow
Message-ID: <200104050026.SAA17343@faith.cs.utah.edu>
In-Reply-To: <52981.986429981@critter> from "Poul-Henning Kamp" at Apr 05, 2001 02:19:41 AM
It doesn't go cleanly to my 4.2-STABLE I stripped out the inessential bits of the patch: diff -u -r1.1.1.2 ntp_control.c --- ntp_control.c 2000/01/28 14:53:03 1.1.1.2 +++ ntp_control.c 2001/04/05 00:26:04 
@@ -1649,8 +1649,20 @@ tp = buf; while (cp < reqend && isspace((int)*cp)) cp++; - while (cp < reqend && *cp != ',') + while (cp < reqend && *cp != ',') { *tp++ = *cp++; + if (tp > buf + sizeof(buf)) { + msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n", + (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff, + (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff, + (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff, + (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff, + ntohs(rmt_addr->sin_port) + ); + + return (0); + } + } Probably won't make a difference to most. <shrugs> --Dave Lo and behold, Poul-Henning Kamp once said: > > In message <20010404191626.A6071@ns2.airlinksys.com>, Scott Johnson writes: > >Quoth Poul-Henning Kamp on Thu, Apr 05, 2001 at 01:55:57AM +0200: > >> > >> This has already been fixed in FreeBSD current & stable an hour > >> ago or so. > >> > >> Poul-Henning > > > >Is a patch coming for 4.2-RELEASE? Will we just have to install the port > >over our system binaries, like we did with bind? In that case, it appears > >that just setting PREFIX=/usr won't do to overwrite the system version, > >since the port puts its binaries in ${PREFIX}/bin. > > The patch should apply to pretty much any version of (x)ntpd so please > help yourself while I get some sleep. > > The patch is here: > > http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/ntp/ntpd/ntp_control.c.diff?r1=1.1&r2=1.2 > > -- > Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 > phk@FreeBSD.ORG | TCP/IP since RFC 956 > FreeBSD committer | BSD since 4.3-tahoe > Never attribute to malice what can adequately be explained by incompetence. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
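Review bot: the bounds check in the copy loop runs after `*tp++ = *cp++` and tests `tp > buf + sizeof(buf)`, so by the time the condition is true a byte has already been stored at `buf[sizeof(buf)]`, one past the end of the buffer. Test before the store instead, for example `if (tp >= buf + sizeof(buf))` ahead of `*tp++ = *cp++`, and compare against `sizeof(buf) - 1` if the code after the loop (not visible in this hunk) appends a terminator. The log text also hard-codes the "ntpdx" exploit name, although any oversized token in a request reaches this branch; a neutral message such as "oversized variable name in control request" would describe what was actually detected.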