diff options
author | jedgar <jedgar@FreeBSD.org> | 2001-04-06 14:46:42 +0000 |
---|---|---|
committer | jedgar <jedgar@FreeBSD.org> | 2001-04-06 14:46:42 +0000 |
commit | 51adad785feae279a56dc93e90c1f440c8a1849d (patch) | |
tree | a9ab267c664caf3a450f08b0316bded3a8969009 /net/ntp-stable | |
parent | e7c8505cc6117e0176876e24982d34daf896ddca (diff) | |
download | FreeBSD-ports-51adad785feae279a56dc93e90c1f440c8a1849d.zip FreeBSD-ports-51adad785feae279a56dc93e90c1f440c8a1849d.tar.gz |
- Fix off-by-one and buffer underflow
- Prevent potential denial-of-service via syslog
- int -> unsigned char fixes
Approved by: Maintainer
Diffstat (limited to 'net/ntp-stable')
-rw-r--r-- | net/ntp-stable/files/patch-ntp_control.c | 46 |
1 files changed, 33 insertions, 13 deletions
diff --git a/net/ntp-stable/files/patch-ntp_control.c b/net/ntp-stable/files/patch-ntp_control.c index a0faa49..e93732f 100644 --- a/net/ntp-stable/files/patch-ntp_control.c +++ b/net/ntp-stable/files/patch-ntp_control.c @@ -1,24 +1,44 @@ ---- ntpd/ntp_control.c.orig Sat Jul 15 23:46:05 2000 -+++ ntpd/ntp_control.c Fri Apr 6 01:05:57 2001 -@@ -1821,9 +1821,19 @@ +--- ntpd/ntp_control.c.orig Sat Jul 15 10:46:05 2000 ++++ ntpd/ntp_control.c Fri Apr 6 10:41:43 2001 +@@ -1782,7 +1782,7 @@ + * Delete leading commas and white space + */ + while (reqpt < reqend && (*reqpt == ',' || +- isspace((int)*reqpt))) ++ isspace((unsigned char)*reqpt))) + reqpt++; + if (reqpt >= reqend) + return (0); +@@ -1805,7 +1805,8 @@ + tp++; + } + if ((*tp == '\0') || (*tp == '=')) { +- while (cp < reqend && isspace((int)*cp)) ++ while (cp < reqend && ++ isspace((unsigned char)*cp)) + cp++; + if (cp == reqend || *cp == ',') { + buf[0] = '\0'; +@@ -1819,15 +1820,18 @@ + cp++; + tp = buf; while (cp < reqend && - isspace((int)*cp)) +- isspace((int)*cp)) ++ isspace((unsigned char)*cp)) cp++; - while (cp < reqend && *cp != - ',') + while (cp < reqend && *cp != ',') { *tp++ = *cp++; -+ if (tp > buf + sizeof(buf)) { -+ msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n", -+ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff, -+ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff, -+ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff, -+ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff, -+ ntohs(rmt_addr->sin_port) -+); ++ if (tp >= buf + sizeof(buf)) + return (0); -+ } + } if (cp < reqend) cp++; *tp = '\0'; +- while (isspace((int)(*(tp-1)))) ++ while (tp != buf && ++ isspace((unsigned char)(*(tp-1)))) + *(--tp) = '\0'; + reqpt = cp; + *data = buf; |