aboutsummaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorChris D. Faulhaber <jedgar@FreeBSD.org>2001-04-06 14:46:42 +0000
committerChris D. Faulhaber <jedgar@FreeBSD.org>2001-04-06 14:46:42 +0000
commit77f90805c835e1e3d17dbf8525e3ba61b11ade83 (patch)
tree6c3d88e975da1d66cc1ad8d27d73a443d759b679 /net
parent79c5636b9832d68a68330838b5767f2191b42970 (diff)
downloadports-77f90805c835e1e3d17dbf8525e3ba61b11ade83.tar.gz
ports-77f90805c835e1e3d17dbf8525e3ba61b11ade83.zip
- Fix off-by-one and buffer underflow
- Prevent potential denial-of-service via syslog - int -> unsigned char fixes Approved by: Maintainer
Notes
Notes: svn path=/head/; revision=40952
Diffstat (limited to 'net')
-rw-r--r--net/ntp-devel/files/patch-ntp_control.c46
-rw-r--r--net/ntp-stable/files/patch-ntp_control.c46
-rw-r--r--net/ntp/files/patch-ntp_control.c46
3 files changed, 99 insertions, 39 deletions
diff --git a/net/ntp-devel/files/patch-ntp_control.c b/net/ntp-devel/files/patch-ntp_control.c
index a0faa4906d04..e93732fb37fc 100644
--- a/net/ntp-devel/files/patch-ntp_control.c
+++ b/net/ntp-devel/files/patch-ntp_control.c
@@ -1,24 +1,44 @@
---- ntpd/ntp_control.c.orig Sat Jul 15 23:46:05 2000
-+++ ntpd/ntp_control.c Fri Apr 6 01:05:57 2001
-@@ -1821,9 +1821,19 @@
+--- ntpd/ntp_control.c.orig Sat Jul 15 10:46:05 2000
++++ ntpd/ntp_control.c Fri Apr 6 10:41:43 2001
+@@ -1782,7 +1782,7 @@
+ * Delete leading commas and white space
+ */
+ while (reqpt < reqend && (*reqpt == ',' ||
+- isspace((int)*reqpt)))
++ isspace((unsigned char)*reqpt)))
+ reqpt++;
+ if (reqpt >= reqend)
+ return (0);
+@@ -1805,7 +1805,8 @@
+ tp++;
+ }
+ if ((*tp == '\0') || (*tp == '=')) {
+- while (cp < reqend && isspace((int)*cp))
++ while (cp < reqend &&
++ isspace((unsigned char)*cp))
+ cp++;
+ if (cp == reqend || *cp == ',') {
+ buf[0] = '\0';
+@@ -1819,15 +1820,18 @@
+ cp++;
+ tp = buf;
while (cp < reqend &&
- isspace((int)*cp))
+- isspace((int)*cp))
++ isspace((unsigned char)*cp))
cp++;
- while (cp < reqend && *cp !=
- ',')
+ while (cp < reqend && *cp != ',') {
*tp++ = *cp++;
-+ if (tp > buf + sizeof(buf)) {
-+ msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n",
-+ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
-+ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
-+ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
-+ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
-+ ntohs(rmt_addr->sin_port)
-+);
++ if (tp >= buf + sizeof(buf))
+ return (0);
-+ }
+ }
if (cp < reqend)
cp++;
*tp = '\0';
+- while (isspace((int)(*(tp-1))))
++ while (tp != buf &&
++ isspace((unsigned char)(*(tp-1))))
+ *(--tp) = '\0';
+ reqpt = cp;
+ *data = buf;
diff --git a/net/ntp-stable/files/patch-ntp_control.c b/net/ntp-stable/files/patch-ntp_control.c
index a0faa4906d04..e93732fb37fc 100644
--- a/net/ntp-stable/files/patch-ntp_control.c
+++ b/net/ntp-stable/files/patch-ntp_control.c
@@ -1,24 +1,44 @@
---- ntpd/ntp_control.c.orig Sat Jul 15 23:46:05 2000
-+++ ntpd/ntp_control.c Fri Apr 6 01:05:57 2001
-@@ -1821,9 +1821,19 @@
+--- ntpd/ntp_control.c.orig Sat Jul 15 10:46:05 2000
++++ ntpd/ntp_control.c Fri Apr 6 10:41:43 2001
+@@ -1782,7 +1782,7 @@
+ * Delete leading commas and white space
+ */
+ while (reqpt < reqend && (*reqpt == ',' ||
+- isspace((int)*reqpt)))
++ isspace((unsigned char)*reqpt)))
+ reqpt++;
+ if (reqpt >= reqend)
+ return (0);
+@@ -1805,7 +1805,8 @@
+ tp++;
+ }
+ if ((*tp == '\0') || (*tp == '=')) {
+- while (cp < reqend && isspace((int)*cp))
++ while (cp < reqend &&
++ isspace((unsigned char)*cp))
+ cp++;
+ if (cp == reqend || *cp == ',') {
+ buf[0] = '\0';
+@@ -1819,15 +1820,18 @@
+ cp++;
+ tp = buf;
while (cp < reqend &&
- isspace((int)*cp))
+- isspace((int)*cp))
++ isspace((unsigned char)*cp))
cp++;
- while (cp < reqend && *cp !=
- ',')
+ while (cp < reqend && *cp != ',') {
*tp++ = *cp++;
-+ if (tp > buf + sizeof(buf)) {
-+ msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n",
-+ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
-+ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
-+ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
-+ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
-+ ntohs(rmt_addr->sin_port)
-+);
++ if (tp >= buf + sizeof(buf))
+ return (0);
-+ }
+ }
if (cp < reqend)
cp++;
*tp = '\0';
+- while (isspace((int)(*(tp-1))))
++ while (tp != buf &&
++ isspace((unsigned char)(*(tp-1))))
+ *(--tp) = '\0';
+ reqpt = cp;
+ *data = buf;
diff --git a/net/ntp/files/patch-ntp_control.c b/net/ntp/files/patch-ntp_control.c
index a0faa4906d04..e93732fb37fc 100644
--- a/net/ntp/files/patch-ntp_control.c
+++ b/net/ntp/files/patch-ntp_control.c
@@ -1,24 +1,44 @@
---- ntpd/ntp_control.c.orig Sat Jul 15 23:46:05 2000
-+++ ntpd/ntp_control.c Fri Apr 6 01:05:57 2001
-@@ -1821,9 +1821,19 @@
+--- ntpd/ntp_control.c.orig Sat Jul 15 10:46:05 2000
++++ ntpd/ntp_control.c Fri Apr 6 10:41:43 2001
+@@ -1782,7 +1782,7 @@
+ * Delete leading commas and white space
+ */
+ while (reqpt < reqend && (*reqpt == ',' ||
+- isspace((int)*reqpt)))
++ isspace((unsigned char)*reqpt)))
+ reqpt++;
+ if (reqpt >= reqend)
+ return (0);
+@@ -1805,7 +1805,8 @@
+ tp++;
+ }
+ if ((*tp == '\0') || (*tp == '=')) {
+- while (cp < reqend && isspace((int)*cp))
++ while (cp < reqend &&
++ isspace((unsigned char)*cp))
+ cp++;
+ if (cp == reqend || *cp == ',') {
+ buf[0] = '\0';
+@@ -1819,15 +1820,18 @@
+ cp++;
+ tp = buf;
while (cp < reqend &&
- isspace((int)*cp))
+- isspace((int)*cp))
++ isspace((unsigned char)*cp))
cp++;
- while (cp < reqend && *cp !=
- ',')
+ while (cp < reqend && *cp != ',') {
*tp++ = *cp++;
-+ if (tp > buf + sizeof(buf)) {
-+ msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n",
-+ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
-+ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
-+ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
-+ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
-+ ntohs(rmt_addr->sin_port)
-+);
++ if (tp >= buf + sizeof(buf))
+ return (0);
-+ }
+ }
if (cp < reqend)
cp++;
*tp = '\0';
+- while (isspace((int)(*(tp-1))))
++ while (tp != buf &&
++ isspace((unsigned char)(*(tp-1))))
+ *(--tp) = '\0';
+ reqpt = cp;
+ *data = buf;