From e1c6e50d7281b90ecadee85d7fea77f46aa92ec7 Mon Sep 17 00:00:00 2001 From: phk Date: Wed, 4 Apr 2001 23:07:22 +0000 Subject: Fix a potential ROOT-exploit in NTPD. PR: 26358 Reviewed by: dima --- contrib/ntp/ntpd/ntp_control.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) (limited to 'contrib') diff --git a/contrib/ntp/ntpd/ntp_control.c b/contrib/ntp/ntpd/ntp_control.c index e2fb039..b2f9091 100644 --- a/contrib/ntp/ntpd/ntp_control.c +++ b/contrib/ntp/ntpd/ntp_control.c @@ -1,6 +1,11 @@ /* * ntp_control.c - respond to control messages and send async traps */ + +/* + * $FreeBSD$ + */ + #ifdef HAVE_CONFIG_H #include #endif @@ -1649,8 +1654,20 @@ ctl_getitem( tp = buf; while (cp < reqend && isspace((int)*cp)) cp++; - while (cp < reqend && *cp != ',') + while (cp < reqend && *cp != ',') { *tp++ = *cp++; + if (tp > buf + sizeof(buf)) { + msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n", + (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff, + (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff, + (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff, + (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff, + ntohs(rmt_addr->sin_port) +); + + return (0); + } + } if (cp < reqend) cp++; *tp = '\0'; -- cgit v1.1