diff options
author | cy <cy@FreeBSD.org> | 2015-07-05 15:42:16 +0000 |
---|---|---|
committer | cy <cy@FreeBSD.org> | 2015-07-05 15:42:16 +0000 |
commit | 4798ffa9e1d37998fdd0d94d9c2ad9cb3fb5d110 (patch) | |
tree | fb96356e3ef85aaa8d1f5939a9decd315a7ca596 /contrib/ntp/ntpd/ntp_control.c | |
parent | 8920bf0c56d10d9413aa5f7595886836b12c974f (diff) | |
parent | 5ef283fde5be3bb35376b46b0d8cdc0e6dff0ad4 (diff) | |
download | FreeBSD-src-4798ffa9e1d37998fdd0d94d9c2ad9cb3fb5d110.zip FreeBSD-src-4798ffa9e1d37998fdd0d94d9c2ad9cb3fb5d110.tar.gz |
MFV ntp-4.2.8p3 (r284990).
Approved by: roberto, delphij
Security: VuXML: 0d0f3050-1f69-11e5-9ba9-d050996490d0
Security: http://bugs.ntp.org/show_bug.cgi?id=2853
Security: https://www.kb.cert.org/vuls/id/668167
Security: http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi
Diffstat (limited to 'contrib/ntp/ntpd/ntp_control.c')
-rw-r--r-- | contrib/ntp/ntpd/ntp_control.c | 73 |
1 files changed, 51 insertions, 22 deletions
diff --git a/contrib/ntp/ntpd/ntp_control.c b/contrib/ntp/ntpd/ntp_control.c index 2a1cf22..43d2b27 100644 --- a/contrib/ntp/ntpd/ntp_control.c +++ b/contrib/ntp/ntpd/ntp_control.c @@ -36,6 +36,7 @@ # include "ntp_syscall.h" #endif +extern size_t remoteconfig_cmdlength( const char *src_buf, const char *src_end ); #ifndef MIN #define MIN(a, b) (((a) <= (b)) ? (a) : (b)) @@ -229,7 +230,9 @@ static const struct ctl_proc control_codes[] = { #define CS_TIMER_XMTS 87 #define CS_FUZZ 88 #define CS_WANDER_THRESH 89 -#define CS_MAX_NOAUTOKEY CS_WANDER_THRESH +#define CS_LEAPSMEARINTV 90 +#define CS_LEAPSMEAROFFS 91 +#define CS_MAX_NOAUTOKEY CS_LEAPSMEAROFFS #ifdef AUTOKEY #define CS_FLAGS (1 + CS_MAX_NOAUTOKEY) #define CS_HOST (2 + CS_MAX_NOAUTOKEY) @@ -425,6 +428,10 @@ static const struct ctl_var sys_var[] = { { CS_TIMER_XMTS, RO, "timer_xmts" }, /* 87 */ { CS_FUZZ, RO, "fuzz" }, /* 88 */ { CS_WANDER_THRESH, RO, "clk_wander_threshold" }, /* 89 */ +#ifdef LEAP_SMEAR + { CS_LEAPSMEARINTV, RO, "leapsmearinterval" }, /* 90 */ + { CS_LEAPSMEAROFFS, RO, "leapsmearoffset" }, /* 91 */ +#endif /* LEAP_SMEAR */ #ifdef AUTOKEY { CS_FLAGS, RO, "flags" }, /* 1 + CS_MAX_NOAUTOKEY */ { CS_HOST, RO, "host" }, /* 2 + CS_MAX_NOAUTOKEY */ @@ -467,6 +474,8 @@ static const u_char def_sys_var[] = { CS_TAI, CS_LEAPTAB, CS_LEAPEND, + CS_LEAPSMEARINTV, + CS_LEAPSMEAROFFS, #ifdef AUTOKEY CS_HOST, CS_IDENT, @@ -1980,6 +1989,19 @@ ctl_putsys( break; } +#ifdef LEAP_SMEAR + case CS_LEAPSMEARINTV: + if (leap_smear_intv > 0) + ctl_putuint(sys_var[CS_LEAPSMEARINTV].text, leap_smear_intv); + break; + + case CS_LEAPSMEAROFFS: + if (leap_smear_intv > 0) + ctl_putdbl(sys_var[CS_LEAPSMEAROFFS].text, + leap_smear.doffset * 1e3); + break; +#endif /* LEAP_SMEAR */ + case CS_RATE: ctl_putuint(sys_var[CS_RATE].text, ntp_minpoll); break; @@ -3289,6 +3311,7 @@ write_variables( ctl_flushpkt(0); } + /* * configure() processes ntpq :config/config-from-file, allowing * generic runtime reconfiguration. @@ -3300,7 +3323,6 @@ static void configure( { size_t data_count; int retval; - int replace_nl; /* I haven't yet implemented changes to an existing association. * Hence check if the association id is 0 @@ -3326,7 +3348,7 @@ static void configure( } /* Initialize the remote config buffer */ - data_count = reqend - reqpt; + data_count = remoteconfig_cmdlength(reqpt, reqend); if (data_count > sizeof(remote_config.buffer) - 2) { snprintf(remote_config.err_msg, @@ -3340,34 +3362,41 @@ static void configure( stoa(&rbufp->recv_srcadr)); return; } + /* Bug 2853 -- check if all characters were acceptable */ + if (data_count != (size_t)(reqend - reqpt)) { + snprintf(remote_config.err_msg, + sizeof(remote_config.err_msg), + "runtime configuration failed: request contains an unprintable character"); + ctl_putdata(remote_config.err_msg, + strlen(remote_config.err_msg), 0); + ctl_flushpkt(0); + msyslog(LOG_NOTICE, + "runtime config from %s rejected: request contains an unprintable character: %0x", + stoa(&rbufp->recv_srcadr), + reqpt[data_count]); + return; + } memcpy(remote_config.buffer, reqpt, data_count); - if (data_count > 0 - && '\n' != remote_config.buffer[data_count - 1]) - remote_config.buffer[data_count++] = '\n'; + /* The buffer has no trailing linefeed or NUL right now. For + * logging, we do not want a newline, so we do that first after + * adding the necessary NUL byte. + */ remote_config.buffer[data_count] = '\0'; - remote_config.pos = 0; - remote_config.err_pos = 0; - remote_config.no_errors = 0; - - /* do not include terminating newline in log */ - if (data_count > 0 - && '\n' == remote_config.buffer[data_count - 1]) { - remote_config.buffer[data_count - 1] = '\0'; - replace_nl = TRUE; - } else { - replace_nl = FALSE; - } - DPRINTF(1, ("Got Remote Configuration Command: %s\n", remote_config.buffer)); msyslog(LOG_NOTICE, "%s config: %s", stoa(&rbufp->recv_srcadr), remote_config.buffer); - if (replace_nl) - remote_config.buffer[data_count - 1] = '\n'; - + /* Now we have to make sure there is a NL/NUL sequence at the + * end of the buffer before we parse it. + */ + remote_config.buffer[data_count++] = '\n'; + remote_config.buffer[data_count] = '\0'; + remote_config.pos = 0; + remote_config.err_pos = 0; + remote_config.no_errors = 0; config_remotely(&rbufp->recv_srcadr); /* |