authorphk <phk@FreeBSD.org>2001-04-04 23:07:22 +0000
committerphk <phk@FreeBSD.org>2001-04-04 23:07:22 +0000
commite1c6e50d7281b90ecadee85d7fea77f46aa92ec7 (patch)
tree87100c7adc42bacbe6808e911f05cf531ac88fdc /contrib/ntp/ntpd/ntp_control.c
parentd5dead39709dcee38811dc4233580bdc17e9cc10 (diff)
downloadFreeBSD-src-e1c6e50d7281b90ecadee85d7fea77f46aa92ec7.zip
FreeBSD-src-e1c6e50d7281b90ecadee85d7fea77f46aa92ec7.tar.gz
Fix a potential ROOT-exploit in NTPD.
PR: 26358 Reviewed by: dima
Diffstat (limited to 'contrib/ntp/ntpd/ntp_control.c')
-rw-r--r--contrib/ntp/ntpd/ntp_control.c19
1 files changed, 18 insertions, 1 deletions
diff --git a/contrib/ntp/ntpd/ntp_control.c b/contrib/ntp/ntpd/ntp_control.c
index e2fb039..b2f9091 100644
--- a/contrib/ntp/ntpd/ntp_control.c
+++ b/contrib/ntp/ntpd/ntp_control.c
@@ -1,6 +1,11 @@
/*
* ntp_control.c - respond to control messages and send async traps
*/
+
+/*
+ * $FreeBSD$
+ */
+
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
@@ -1649,8 +1654,20 @@ ctl_getitem(
tp = buf;
while (cp < reqend && isspace((int)*cp))
cp++;
- while (cp < reqend && *cp != ',')
+ while (cp < reqend && *cp != ',') {
*tp++ = *cp++;
+ if (tp > buf + sizeof(buf)) {
+ msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n",
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
+ ntohs(rmt_addr->sin_port)
+);
+
+ return (0);
+ }
+ }
if (cp < reqend)
cp++;
*tp = '\0';
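Review bot: The added bounds check in the copy loop runs after `*tp++ = *cp++;` and compares with `>`, so an off-by-one remains. When `tp` reaches `buf + sizeof(buf)` the test is still false, so the next iteration stores one byte past the end of `buf` before the function returns. If the token ends at exactly `sizeof(buf)` characters, the trailing `*tp = '\0';` also lands one past the end. Test before the store and reserve room for the terminator, e.g. `if (tp >= buf + sizeof(buf) - 1) { /* log */ return (0); }` placed ahead of `*tp++ = *cp++;`. This assumes `buf` is a local array, so that `sizeof(buf)` is its capacity; its declaration and the rest of `ctl_getitem` lie outside the hunk. Separately, the warning is emitted once per offending packet from an unauthenticated and possibly spoofed source, so rate-limiting it would keep the log from being flooded.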