diff options
author | Chris D. Faulhaber <jedgar@FreeBSD.org> | 2001-04-06 14:46:42 +0000 |
---|---|---|
committer | Chris D. Faulhaber <jedgar@FreeBSD.org> | 2001-04-06 14:46:42 +0000 |
commit | 77f90805c835e1e3d17dbf8525e3ba61b11ade83 (patch) | |
tree | 6c3d88e975da1d66cc1ad8d27d73a443d759b679 /net | |
parent | 79c5636b9832d68a68330838b5767f2191b42970 (diff) | |
download | ports-77f90805c835e1e3d17dbf8525e3ba61b11ade83.tar.gz ports-77f90805c835e1e3d17dbf8525e3ba61b11ade83.zip |
- Fix off-by-one and buffer underflow
- Prevent potential denial-of-service via syslog
- int -> unsigned char fixes
Approved by: Maintainer
Notes
Notes:
svn path=/head/; revision=40952
Diffstat (limited to 'net')
-rw-r--r-- | net/ntp-devel/files/patch-ntp_control.c | 46 | ||||
-rw-r--r-- | net/ntp-stable/files/patch-ntp_control.c | 46 | ||||
-rw-r--r-- | net/ntp/files/patch-ntp_control.c | 46 |
3 files changed, 99 insertions, 39 deletions
diff --git a/net/ntp-devel/files/patch-ntp_control.c b/net/ntp-devel/files/patch-ntp_control.c index a0faa4906d04..e93732fb37fc 100644 --- a/net/ntp-devel/files/patch-ntp_control.c +++ b/net/ntp-devel/files/patch-ntp_control.c @@ -1,24 +1,44 @@ ---- ntpd/ntp_control.c.orig Sat Jul 15 23:46:05 2000 -+++ ntpd/ntp_control.c Fri Apr 6 01:05:57 2001 -@@ -1821,9 +1821,19 @@ +--- ntpd/ntp_control.c.orig Sat Jul 15 10:46:05 2000 ++++ ntpd/ntp_control.c Fri Apr 6 10:41:43 2001 +@@ -1782,7 +1782,7 @@ + * Delete leading commas and white space + */ + while (reqpt < reqend && (*reqpt == ',' || +- isspace((int)*reqpt))) ++ isspace((unsigned char)*reqpt))) + reqpt++; + if (reqpt >= reqend) + return (0); +@@ -1805,7 +1805,8 @@ + tp++; + } + if ((*tp == '\0') || (*tp == '=')) { +- while (cp < reqend && isspace((int)*cp)) ++ while (cp < reqend && ++ isspace((unsigned char)*cp)) + cp++; + if (cp == reqend || *cp == ',') { + buf[0] = '\0'; +@@ -1819,15 +1820,18 @@ + cp++; + tp = buf; while (cp < reqend && - isspace((int)*cp)) +- isspace((int)*cp)) ++ isspace((unsigned char)*cp)) cp++; - while (cp < reqend && *cp != - ',') + while (cp < reqend && *cp != ',') { *tp++ = *cp++; -+ if (tp > buf + sizeof(buf)) { -+ msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n", -+ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff, -+ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff, -+ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff, -+ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff, -+ ntohs(rmt_addr->sin_port) -+); ++ if (tp >= buf + sizeof(buf)) + return (0); -+ } + } if (cp < reqend) cp++; *tp = '\0'; +- while (isspace((int)(*(tp-1)))) ++ while (tp != buf && ++ isspace((unsigned char)(*(tp-1)))) + *(--tp) = '\0'; + reqpt = cp; + *data = buf; diff --git a/net/ntp-stable/files/patch-ntp_control.c b/net/ntp-stable/files/patch-ntp_control.c index a0faa4906d04..e93732fb37fc 100644 --- a/net/ntp-stable/files/patch-ntp_control.c +++ b/net/ntp-stable/files/patch-ntp_control.c @@ -1,24 +1,44 @@ ---- ntpd/ntp_control.c.orig Sat Jul 15 23:46:05 2000 -+++ ntpd/ntp_control.c Fri Apr 6 01:05:57 2001 -@@ -1821,9 +1821,19 @@ +--- ntpd/ntp_control.c.orig Sat Jul 15 10:46:05 2000 ++++ ntpd/ntp_control.c Fri Apr 6 10:41:43 2001 +@@ -1782,7 +1782,7 @@ + * Delete leading commas and white space + */ + while (reqpt < reqend && (*reqpt == ',' || +- isspace((int)*reqpt))) ++ isspace((unsigned char)*reqpt))) + reqpt++; + if (reqpt >= reqend) + return (0); +@@ -1805,7 +1805,8 @@ + tp++; + } + if ((*tp == '\0') || (*tp == '=')) { +- while (cp < reqend && isspace((int)*cp)) ++ while (cp < reqend && ++ isspace((unsigned char)*cp)) + cp++; + if (cp == reqend || *cp == ',') { + buf[0] = '\0'; +@@ -1819,15 +1820,18 @@ + cp++; + tp = buf; while (cp < reqend && - isspace((int)*cp)) +- isspace((int)*cp)) ++ isspace((unsigned char)*cp)) cp++; - while (cp < reqend && *cp != - ',') + while (cp < reqend && *cp != ',') { *tp++ = *cp++; -+ if (tp > buf + sizeof(buf)) { -+ msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n", -+ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff, -+ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff, -+ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff, -+ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff, -+ ntohs(rmt_addr->sin_port) -+); ++ if (tp >= buf + sizeof(buf)) + return (0); -+ } + } if (cp < reqend) cp++; *tp = '\0'; +- while (isspace((int)(*(tp-1)))) ++ while (tp != buf && ++ isspace((unsigned char)(*(tp-1)))) + *(--tp) = '\0'; + reqpt = cp; + *data = buf; diff --git a/net/ntp/files/patch-ntp_control.c b/net/ntp/files/patch-ntp_control.c index a0faa4906d04..e93732fb37fc 100644 --- a/net/ntp/files/patch-ntp_control.c +++ b/net/ntp/files/patch-ntp_control.c @@ -1,24 +1,44 @@ ---- ntpd/ntp_control.c.orig Sat Jul 15 23:46:05 2000 -+++ ntpd/ntp_control.c Fri Apr 6 01:05:57 2001 -@@ -1821,9 +1821,19 @@ +--- ntpd/ntp_control.c.orig Sat Jul 15 10:46:05 2000 ++++ ntpd/ntp_control.c Fri Apr 6 10:41:43 2001 +@@ -1782,7 +1782,7 @@ + * Delete leading commas and white space + */ + while (reqpt < reqend && (*reqpt == ',' || +- isspace((int)*reqpt))) ++ isspace((unsigned char)*reqpt))) + reqpt++; + if (reqpt >= reqend) + return (0); +@@ -1805,7 +1805,8 @@ + tp++; + } + if ((*tp == '\0') || (*tp == '=')) { +- while (cp < reqend && isspace((int)*cp)) ++ while (cp < reqend && ++ isspace((unsigned char)*cp)) + cp++; + if (cp == reqend || *cp == ',') { + buf[0] = '\0'; +@@ -1819,15 +1820,18 @@ + cp++; + tp = buf; while (cp < reqend && - isspace((int)*cp)) +- isspace((int)*cp)) ++ isspace((unsigned char)*cp)) cp++; - while (cp < reqend && *cp != - ',') + while (cp < reqend && *cp != ',') { *tp++ = *cp++; -+ if (tp > buf + sizeof(buf)) { -+ msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n", -+ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff, -+ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff, -+ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff, -+ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff, -+ ntohs(rmt_addr->sin_port) -+); ++ if (tp >= buf + sizeof(buf)) + return (0); -+ } + } if (cp < reqend) cp++; *tp = '\0'; +- while (isspace((int)(*(tp-1)))) ++ while (tp != buf && ++ isspace((unsigned char)(*(tp-1)))) + *(--tp) = '\0'; + reqpt = cp; + *data = buf; |