- Fix off-by-one and buffer underflow
- Prevent potential denial-of-service via syslog - int -> unsigned char fixes Approved by: Maintainer
This commit is contained in:
parent
79c5636b98
commit
77f90805c8
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=40952
@ -1,24 +1,44 @@
|
||||
--- ntpd/ntp_control.c.orig Sat Jul 15 23:46:05 2000
|
||||
+++ ntpd/ntp_control.c Fri Apr 6 01:05:57 2001
|
||||
@@ -1821,9 +1821,19 @@
|
||||
--- ntpd/ntp_control.c.orig Sat Jul 15 10:46:05 2000
|
||||
+++ ntpd/ntp_control.c Fri Apr 6 10:41:43 2001
|
||||
@@ -1782,7 +1782,7 @@
|
||||
* Delete leading commas and white space
|
||||
*/
|
||||
while (reqpt < reqend && (*reqpt == ',' ||
|
||||
- isspace((int)*reqpt)))
|
||||
+ isspace((unsigned char)*reqpt)))
|
||||
reqpt++;
|
||||
if (reqpt >= reqend)
|
||||
return (0);
|
||||
@@ -1805,7 +1805,8 @@
|
||||
tp++;
|
||||
}
|
||||
if ((*tp == '\0') || (*tp == '=')) {
|
||||
- while (cp < reqend && isspace((int)*cp))
|
||||
+ while (cp < reqend &&
|
||||
+ isspace((unsigned char)*cp))
|
||||
cp++;
|
||||
if (cp == reqend || *cp == ',') {
|
||||
buf[0] = '\0';
|
||||
@@ -1819,15 +1820,18 @@
|
||||
cp++;
|
||||
tp = buf;
|
||||
while (cp < reqend &&
|
||||
isspace((int)*cp))
|
||||
- isspace((int)*cp))
|
||||
+ isspace((unsigned char)*cp))
|
||||
cp++;
|
||||
- while (cp < reqend && *cp !=
|
||||
- ',')
|
||||
+ while (cp < reqend && *cp != ',') {
|
||||
*tp++ = *cp++;
|
||||
+ if (tp > buf + sizeof(buf)) {
|
||||
+ msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n",
|
||||
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
|
||||
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
|
||||
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
|
||||
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
|
||||
+ ntohs(rmt_addr->sin_port)
|
||||
+);
|
||||
+ if (tp >= buf + sizeof(buf))
|
||||
+ return (0);
|
||||
+ }
|
||||
+ }
|
||||
if (cp < reqend)
|
||||
cp++;
|
||||
*tp = '\0';
|
||||
- while (isspace((int)(*(tp-1))))
|
||||
+ while (tp != buf &&
|
||||
+ isspace((unsigned char)(*(tp-1))))
|
||||
*(--tp) = '\0';
|
||||
reqpt = cp;
|
||||
*data = buf;
|
||||
|
@ -1,24 +1,44 @@
|
||||
--- ntpd/ntp_control.c.orig Sat Jul 15 23:46:05 2000
|
||||
+++ ntpd/ntp_control.c Fri Apr 6 01:05:57 2001
|
||||
@@ -1821,9 +1821,19 @@
|
||||
--- ntpd/ntp_control.c.orig Sat Jul 15 10:46:05 2000
|
||||
+++ ntpd/ntp_control.c Fri Apr 6 10:41:43 2001
|
||||
@@ -1782,7 +1782,7 @@
|
||||
* Delete leading commas and white space
|
||||
*/
|
||||
while (reqpt < reqend && (*reqpt == ',' ||
|
||||
- isspace((int)*reqpt)))
|
||||
+ isspace((unsigned char)*reqpt)))
|
||||
reqpt++;
|
||||
if (reqpt >= reqend)
|
||||
return (0);
|
||||
@@ -1805,7 +1805,8 @@
|
||||
tp++;
|
||||
}
|
||||
if ((*tp == '\0') || (*tp == '=')) {
|
||||
- while (cp < reqend && isspace((int)*cp))
|
||||
+ while (cp < reqend &&
|
||||
+ isspace((unsigned char)*cp))
|
||||
cp++;
|
||||
if (cp == reqend || *cp == ',') {
|
||||
buf[0] = '\0';
|
||||
@@ -1819,15 +1820,18 @@
|
||||
cp++;
|
||||
tp = buf;
|
||||
while (cp < reqend &&
|
||||
isspace((int)*cp))
|
||||
- isspace((int)*cp))
|
||||
+ isspace((unsigned char)*cp))
|
||||
cp++;
|
||||
- while (cp < reqend && *cp !=
|
||||
- ',')
|
||||
+ while (cp < reqend && *cp != ',') {
|
||||
*tp++ = *cp++;
|
||||
+ if (tp > buf + sizeof(buf)) {
|
||||
+ msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n",
|
||||
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
|
||||
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
|
||||
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
|
||||
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
|
||||
+ ntohs(rmt_addr->sin_port)
|
||||
+);
|
||||
+ if (tp >= buf + sizeof(buf))
|
||||
+ return (0);
|
||||
+ }
|
||||
+ }
|
||||
if (cp < reqend)
|
||||
cp++;
|
||||
*tp = '\0';
|
||||
- while (isspace((int)(*(tp-1))))
|
||||
+ while (tp != buf &&
|
||||
+ isspace((unsigned char)(*(tp-1))))
|
||||
*(--tp) = '\0';
|
||||
reqpt = cp;
|
||||
*data = buf;
|
||||
|
@ -1,24 +1,44 @@
|
||||
--- ntpd/ntp_control.c.orig Sat Jul 15 23:46:05 2000
|
||||
+++ ntpd/ntp_control.c Fri Apr 6 01:05:57 2001
|
||||
@@ -1821,9 +1821,19 @@
|
||||
--- ntpd/ntp_control.c.orig Sat Jul 15 10:46:05 2000
|
||||
+++ ntpd/ntp_control.c Fri Apr 6 10:41:43 2001
|
||||
@@ -1782,7 +1782,7 @@
|
||||
* Delete leading commas and white space
|
||||
*/
|
||||
while (reqpt < reqend && (*reqpt == ',' ||
|
||||
- isspace((int)*reqpt)))
|
||||
+ isspace((unsigned char)*reqpt)))
|
||||
reqpt++;
|
||||
if (reqpt >= reqend)
|
||||
return (0);
|
||||
@@ -1805,7 +1805,8 @@
|
||||
tp++;
|
||||
}
|
||||
if ((*tp == '\0') || (*tp == '=')) {
|
||||
- while (cp < reqend && isspace((int)*cp))
|
||||
+ while (cp < reqend &&
|
||||
+ isspace((unsigned char)*cp))
|
||||
cp++;
|
||||
if (cp == reqend || *cp == ',') {
|
||||
buf[0] = '\0';
|
||||
@@ -1819,15 +1820,18 @@
|
||||
cp++;
|
||||
tp = buf;
|
||||
while (cp < reqend &&
|
||||
isspace((int)*cp))
|
||||
- isspace((int)*cp))
|
||||
+ isspace((unsigned char)*cp))
|
||||
cp++;
|
||||
- while (cp < reqend && *cp !=
|
||||
- ',')
|
||||
+ while (cp < reqend && *cp != ',') {
|
||||
*tp++ = *cp++;
|
||||
+ if (tp > buf + sizeof(buf)) {
|
||||
+ msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n",
|
||||
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
|
||||
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
|
||||
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
|
||||
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
|
||||
+ ntohs(rmt_addr->sin_port)
|
||||
+);
|
||||
+ if (tp >= buf + sizeof(buf))
|
||||
+ return (0);
|
||||
+ }
|
||||
+ }
|
||||
if (cp < reqend)
|
||||
cp++;
|
||||
*tp = '\0';
|
||||
- while (isspace((int)(*(tp-1))))
|
||||
+ while (tp != buf &&
|
||||
+ isspace((unsigned char)(*(tp-1))))
|
||||
*(--tp) = '\0';
|
||||
reqpt = cp;
|
||||
*data = buf;
|
||||
|
Loading…
Reference in New Issue
Block a user