aboutsummaryrefslogtreecommitdiffstats
path: root/net/ntp-stable
diff options
context:
space:
mode:
authorjedgar <jedgar@FreeBSD.org>2001-04-06 22:46:42 +0800
committerjedgar <jedgar@FreeBSD.org>2001-04-06 22:46:42 +0800
commit51adad785feae279a56dc93e90c1f440c8a1849d (patch)
treea9ab267c664caf3a450f08b0316bded3a8969009 /net/ntp-stable
parente7c8505cc6117e0176876e24982d34daf896ddca (diff)
downloadfreebsd-ports-gnome-51adad785feae279a56dc93e90c1f440c8a1849d.tar.gz
freebsd-ports-gnome-51adad785feae279a56dc93e90c1f440c8a1849d.tar.zst
freebsd-ports-gnome-51adad785feae279a56dc93e90c1f440c8a1849d.zip
- Fix off-by-one and buffer underflow
- Prevent potential denial-of-service via syslog - int -> unsigned char fixes Approved by: Maintainer
Diffstat (limited to 'net/ntp-stable')
-rw-r--r--net/ntp-stable/files/patch-ntp_control.c46
1 files changed, 33 insertions, 13 deletions
diff --git a/net/ntp-stable/files/patch-ntp_control.c b/net/ntp-stable/files/patch-ntp_control.c
index a0faa4906d04..e93732fb37fc 100644
--- a/net/ntp-stable/files/patch-ntp_control.c
+++ b/net/ntp-stable/files/patch-ntp_control.c
@@ -1,24 +1,44 @@
---- ntpd/ntp_control.c.orig Sat Jul 15 23:46:05 2000
-+++ ntpd/ntp_control.c Fri Apr 6 01:05:57 2001
-@@ -1821,9 +1821,19 @@
+--- ntpd/ntp_control.c.orig Sat Jul 15 10:46:05 2000
++++ ntpd/ntp_control.c Fri Apr 6 10:41:43 2001
+@@ -1782,7 +1782,7 @@
+ * Delete leading commas and white space
+ */
+ while (reqpt < reqend && (*reqpt == ',' ||
+- isspace((int)*reqpt)))
++ isspace((unsigned char)*reqpt)))
+ reqpt++;
+ if (reqpt >= reqend)
+ return (0);
+@@ -1805,7 +1805,8 @@
+ tp++;
+ }
+ if ((*tp == '\0') || (*tp == '=')) {
+- while (cp < reqend && isspace((int)*cp))
++ while (cp < reqend &&
++ isspace((unsigned char)*cp))
+ cp++;
+ if (cp == reqend || *cp == ',') {
+ buf[0] = '\0';
+@@ -1819,15 +1820,18 @@
+ cp++;
+ tp = buf;
while (cp < reqend &&
- isspace((int)*cp))
+- isspace((int)*cp))
++ isspace((unsigned char)*cp))
cp++;
- while (cp < reqend && *cp !=
- ',')
+ while (cp < reqend && *cp != ',') {
*tp++ = *cp++;
-+ if (tp > buf + sizeof(buf)) {
-+ msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n",
-+ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
-+ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
-+ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
-+ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
-+ ntohs(rmt_addr->sin_port)
-+);
++ if (tp >= buf + sizeof(buf))
+ return (0);
-+ }
+ }
if (cp < reqend)
cp++;
*tp = '\0';
+- while (isspace((int)(*(tp-1))))
++ while (tp != buf &&
++ isspace((unsigned char)(*(tp-1))))
+ *(--tp) = '\0';
+ reqpt = cp;
+ *data = buf;