author | ben <ben@FreeBSD.org> | 2000-12-28 19:50:07 +0000 |
---|---|---|
committer | ben <ben@FreeBSD.org> | 2000-12-28 19:50:07 +0000 |
commit | c3d58d495af23f680f0d8ed1922202d384ee6b59 (patch) | |
tree | 37c81189b403415398b530228624f11c99503d5a /usr.sbin/timed | |
parent | a411a40492e7469cc20dc01c63ad989fe373b39a (diff) | |
* Fix a segfault when timed(8) receives a packet with a bad tsp_type.
* Check that received packets aren't too short, as this could cause other
problems.
Reviewed by: imp, markm
Diffstat (limited to 'usr.sbin/timed')
-rw-r--r-- | usr.sbin/timed/timed/readmsg.c | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/usr.sbin/timed/timed/readmsg.c b/usr.sbin/timed/timed/readmsg.c index 93366a6..6638390 100644 --- a/usr.sbin/timed/timed/readmsg.c +++ b/usr.sbin/timed/timed/readmsg.c @@ -88,6 +88,7 @@ readmsg(type, machfrom, intvl, netfrom) struct tsplist *prev; register struct netinfo *ntp; register struct tsplist *ptr; + ssize_t n; if (trace) { fprintf(fd, "readmsg: looking for %s from %s, %s\n", @@ -206,11 +207,18 @@ again: continue; } length = sizeof(from); - if (recvfrom(sock, (char *)&msgin, sizeof(struct tsp), 0, - (struct sockaddr*)&from, &length) < 0) { + if ((n = recvfrom(sock, (char *)&msgin, sizeof(struct tsp), 0, + (struct sockaddr*)&from, &length)) < 0) { syslog(LOG_ERR, "recvfrom: %m"); exit(1); } + if (n < (ssize_t)sizeof(struct tsp)) { + syslog(LOG_NOTICE, + "short packet (%u/%u bytes) from %s", + n, sizeof(struct tsp), + inet_ntoa(from.sin_addr)); + continue; + } (void)gettimeofday(&from_when, (struct timezone *)0); bytehostorder(&msgin); @@ -436,6 +444,13 @@ print(msg, addr) { char tm[26]; time_t tsp_time_sec; + + if (msg->tsp_type >= TSPTYPENUMBER) { + fprintf(fd, "bad type (%u) on packet from %s\n", + msg->tsp_type, inet_ntoa(addr->sin_addr)); + return; + } + switch (msg->tsp_type) { case TSP_LOOP: |
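Review bot: The arguments to the new short-packet syslog() call in the second hunk do not match their conversions: `n` is an `ssize_t` and `sizeof(struct tsp)` a `size_t`, yet both are printed with `%u`. That is undefined for varargs wherever those types are wider than `unsigned int`, and it can also derail the `%s` that follows. Casting to match, e.g. `"short packet (%ld/%lu bytes) from %s",` with `(long)n, (unsigned long)sizeof(struct tsp),`, keeps the message reliable. Because any host that can reach the socket can send a short datagram, this LOG_NOTICE line is written once per such packet, so some rate limit on it may be worth considering. The receive loop in readmsg() starts and ends outside the hunk.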
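Review bot: The range check on `msg->tsp_type` in the third hunk is added in print() only, so it guards this one consumer rather than rejecting the packet where it is received. If other code paths use the type field of a received message as an index or selector (not visible in this diff), they still see the unvalidated value. A check in readmsg() right after `bytehostorder(&msgin);`, such as `if (msgin.tsp_type >= TSPTYPENUMBER) continue;`, would cover them all. A short comment above the new guard, e.g. `/* tsp_type comes off the wire; never use it unchecked */`, would also record why it is there. print()'s body continues past the end of the hunk.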