Return-Path: owner-freebsd-security@FreeBSD.ORG
Message-Id: <200104050545.f355jVT38066@drugs.dv.isc.org>
To: freebsd-security@FreeBSD.ORG
From: Mark.Andrews@nominum.com
Subject: ntpd: committed fix still contains buffer overrun
Date: Thu, 05 Apr 2001 15:45:31 +1000
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk


	The is still buffer over and under runs and the previous fix
	introduces a DoS.

	Mark

Index: ntp_control.c
===================================================================
RCS file: /home/ncvs/src/contrib/ntp/ntpd/ntp_control.c,v
retrieving revision 1.1.1.2.2.1
diff -u -r1.1.1.2.2.1 ntp_control.c
--- ntp_control.c	2001/04/04 23:09:10	1.1.1.2.2.1
+++ ntp_control.c	2001/04/05 05:35:37
@@ -1656,22 +1656,14 @@
 						cp++;
 					while (cp < reqend && *cp != ',') {
 						*tp++ = *cp++;
-						if (tp > buf + sizeof(buf)) {
-							 msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n", 
-	(ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
-	(ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
-	(ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
-	(ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
-	ntohs(rmt_addr->sin_port)
-);
-
+						if (tp > buf + sizeof(buf) - 1)
 							return (0);
-						}
 					}
 					if (cp < reqend)
 						cp++;
 					*tp = '\0';
-					while (isspace((int)(*(tp-1))))
+					while (tp != buf &&
+					       isspace((int)(*(tp-1))))
 						*(--tp) = '\0';
 					reqpt = cp;
 					*data = buf;
-- 
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:	+61 2 9871 4742		         INTERNET: Mark.Andrews@nominum.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message