- Fix off-by-one and buffer underflow

- Prevent potential denial-of-service via syslog - int -> unsigned char fixes Approved by: Maintainer
svn path=/head/; revision=40952
2001-04-06 14:46:42 +00:00 · 2001-04-06 14:46:42 +00:00 · 77f90805c8 · 2021-03-31 03:12:20 +00:00
commit 77f90805c8
parent 79c5636b98
3 changed files with 99 additions and 39 deletions
--- a/net/ntp-devel/files/patch-ntp_control.c
+++ b/net/ntp-devel/files/patch-ntp_control.c
@ -1,24 +1,44 @@
--- ntpd/ntp_control.c.orig	Sat Jul 15 23:46:05 2000
-+++ ntpd/ntp_control.c	Fri Apr  6 01:05:57 2001
-@@ -1821,9 +1821,19 @@
+--- ntpd/ntp_control.c.orig	Sat Jul 15 10:46:05 2000
+++ ntpd/ntp_control.c	Fri Apr  6 10:41:43 2001
+@@ -1782,7 +1782,7 @@
+ 	 * Delete leading commas and white space
+ 	 */
+ 	while (reqpt < reqend && (*reqpt == ',' ||
+-	    isspace((int)*reqpt)))
+	    isspace((unsigned char)*reqpt)))
+ 		reqpt++;
+ 	if (reqpt >= reqend)
+ 		return (0);
+@@ -1805,7 +1805,8 @@
+ 				tp++;
+ 			}
+ 			if ((*tp == '\0') || (*tp == '=')) {
+-				while (cp < reqend && isspace((int)*cp))
+				while (cp < reqend &&
+				    isspace((unsigned char)*cp))
+ 					cp++;
+ 				if (cp == reqend || *cp == ',') {
+ 					buf[0] = '\0';
+@@ -1819,15 +1820,18 @@
+ 					cp++;
+ 					tp = buf;
 					while (cp < reqend &&
- 					    isspace((int)*cp))
+-					    isspace((int)*cp))
+					    isspace((unsigned char)*cp))
 						cp++;
 -					while (cp < reqend && *cp !=
 -					    ',')
 +					while (cp < reqend && *cp != ',') {
 						*tp++ = *cp++;
-+						if (tp > buf + sizeof(buf)) {
-+							msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n",
-+	(ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
-+	(ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
-+	(ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
-+	(ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
-+	ntohs(rmt_addr->sin_port)
-+);
+						if (tp >= buf + sizeof(buf))
 +							return (0);
-+						}
 +					}
 					if (cp < reqend)
 						cp++;
 					*tp = '\0';
+-					while (isspace((int)(*(tp-1))))
+					while (tp != buf &&
+					    isspace((unsigned char)(*(tp-1))))
+ 						*(--tp) = '\0';
+ 					reqpt = cp;
+ 					*data = buf;
--- a/net/ntp-stable/files/patch-ntp_control.c
+++ b/net/ntp-stable/files/patch-ntp_control.c
@ -1,24 +1,44 @@
--- ntpd/ntp_control.c.orig	Sat Jul 15 23:46:05 2000
-+++ ntpd/ntp_control.c	Fri Apr  6 01:05:57 2001
-@@ -1821,9 +1821,19 @@
+--- ntpd/ntp_control.c.orig	Sat Jul 15 10:46:05 2000
+++ ntpd/ntp_control.c	Fri Apr  6 10:41:43 2001
+@@ -1782,7 +1782,7 @@
+ 	 * Delete leading commas and white space
+ 	 */
+ 	while (reqpt < reqend && (*reqpt == ',' ||
+-	    isspace((int)*reqpt)))
+	    isspace((unsigned char)*reqpt)))
+ 		reqpt++;
+ 	if (reqpt >= reqend)
+ 		return (0);
+@@ -1805,7 +1805,8 @@
+ 				tp++;
+ 			}
+ 			if ((*tp == '\0') || (*tp == '=')) {
+-				while (cp < reqend && isspace((int)*cp))
+				while (cp < reqend &&
+				    isspace((unsigned char)*cp))
+ 					cp++;
+ 				if (cp == reqend || *cp == ',') {
+ 					buf[0] = '\0';
+@@ -1819,15 +1820,18 @@
+ 					cp++;
+ 					tp = buf;
 					while (cp < reqend &&
- 					    isspace((int)*cp))
+-					    isspace((int)*cp))
+					    isspace((unsigned char)*cp))
 						cp++;
 -					while (cp < reqend && *cp !=
 -					    ',')
 +					while (cp < reqend && *cp != ',') {
 						*tp++ = *cp++;
-+						if (tp > buf + sizeof(buf)) {
-+							msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n",
-+	(ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
-+	(ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
-+	(ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
-+	(ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
-+	ntohs(rmt_addr->sin_port)
-+);
+						if (tp >= buf + sizeof(buf))
 +							return (0);
-+						}
 +					}
 					if (cp < reqend)
 						cp++;
 					*tp = '\0';
+-					while (isspace((int)(*(tp-1))))
+					while (tp != buf &&
+					    isspace((unsigned char)(*(tp-1))))
+ 						*(--tp) = '\0';
+ 					reqpt = cp;
+ 					*data = buf;
--- a/net/ntp/files/patch-ntp_control.c
+++ b/net/ntp/files/patch-ntp_control.c
@ -1,24 +1,44 @@
--- ntpd/ntp_control.c.orig	Sat Jul 15 23:46:05 2000
-+++ ntpd/ntp_control.c	Fri Apr  6 01:05:57 2001
-@@ -1821,9 +1821,19 @@
+--- ntpd/ntp_control.c.orig	Sat Jul 15 10:46:05 2000
+++ ntpd/ntp_control.c	Fri Apr  6 10:41:43 2001
+@@ -1782,7 +1782,7 @@
+ 	 * Delete leading commas and white space
+ 	 */
+ 	while (reqpt < reqend && (*reqpt == ',' ||
+-	    isspace((int)*reqpt)))
+	    isspace((unsigned char)*reqpt)))
+ 		reqpt++;
+ 	if (reqpt >= reqend)
+ 		return (0);
+@@ -1805,7 +1805,8 @@
+ 				tp++;
+ 			}
+ 			if ((*tp == '\0') || (*tp == '=')) {
+-				while (cp < reqend && isspace((int)*cp))
+				while (cp < reqend &&
+				    isspace((unsigned char)*cp))
+ 					cp++;
+ 				if (cp == reqend || *cp == ',') {
+ 					buf[0] = '\0';
+@@ -1819,15 +1820,18 @@
+ 					cp++;
+ 					tp = buf;
 					while (cp < reqend &&
- 					    isspace((int)*cp))
+-					    isspace((int)*cp))
+					    isspace((unsigned char)*cp))
 						cp++;
 -					while (cp < reqend && *cp !=
 -					    ',')
 +					while (cp < reqend && *cp != ',') {
 						*tp++ = *cp++;
-+						if (tp > buf + sizeof(buf)) {
-+							msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n",
-+	(ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
-+	(ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
-+	(ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
-+	(ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
-+	ntohs(rmt_addr->sin_port)
-+);
+						if (tp >= buf + sizeof(buf))
 +							return (0);
-+						}
 +					}
 					if (cp < reqend)
 						cp++;
 					*tp = '\0';
+-					while (isspace((int)(*(tp-1))))
+					while (tp != buf &&
+					    isspace((unsigned char)(*(tp-1))))
+ 						*(--tp) = '\0';
+ 					reqpt = cp;
+ 					*data = buf;