Return-Path: owner-freebsd-security@FreeBSD.ORG Message-Id: <200104050545.f355jVT38066@drugs.dv.isc.org> To: freebsd-security@FreeBSD.ORG From: Mark.Andrews@nominum.com Subject: ntpd: committed fix still contains buffer overrun Date: Thu, 05 Apr 2001 15:45:31 +1000 Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk There are still buffer over and under runs and the previous fix introduces a DoS. Mark Index: ntp_control.c =================================================================== RCS file: /home/ncvs/src/contrib/ntp/ntpd/ntp_control.c,v retrieving revision 1.1.1.2.2.1 diff -u -r1.1.1.2.2.1 ntp_control.c --- ntp_control.c 2001/04/04 23:09:10 1.1.1.2.2.1 +++ ntp_control.c 2001/04/05 05:35:37 @@ -1656,22 +1656,14 @@ cp++; while (cp < reqend && *cp != ',') { *tp++ = *cp++; - if (tp > buf + sizeof(buf)) { - msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n", - (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff, - (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff, - ntohs(rmt_addr->sin_port) -); - + if (tp > buf + sizeof(buf) - 1) return (0); - } } if (cp < reqend) cp++; *tp = '\0'; - while (isspace((int)(*(tp-1)))) + while (tp != buf && + isspace((int)(*(tp-1)))) *(--tp) = '\0'; reqpt = cp; *data = buf; -- Mark Andrews, Nominum Inc. 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com
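Review bot: in the trailing-whitespace loop, the new condition still calls isspace((int)(*(tp-1))) on a plain char. Where char is signed, a request byte above 0x7f widens to a negative int, which isspace() is not defined for, so the cast should go through unsigned char, e.g. isspace((unsigned char)tp[-1]). The added tp != buf guard does stop the read before buf[0] when the value is empty. On the bounds test, "tp > buf + sizeof(buf) - 1" is checked after the store "*tp++ = *cp++"; with the - 1 the last store lands at buf[sizeof(buf) - 1] and the function returns before the terminating '\0' is written, so it is in bounds, but testing before the store would make that obvious to the next reader. The msyslog() call is removed outright, so an oversized value is now rejected without any record; if the per-request log message was the DoS concern, a rate-limited message would keep the detection signal.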