bin/92839: contrib/ntp PARSE buffer overrun [patch]
Helge Oldach
freebsdntpd at oldach.net
Sun Feb 5 05:30:04 PST 2006
>Number: 92839
>Category: bin
>Synopsis: contrib/ntp PARSE buffer overrun [patch]
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Feb 05 13:30:03 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Helge Oldach
>Release: FreeBSD 5.5-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD localhost 5.5-PRERELEASE FreeBSD 5.5-PRERELEASE #619: Sun Feb 5 11:24:48 CET 2006 toor at localhost:/usr/obj/usr/src/sys/HMO i386
>Description:
contrib/ntp/libparse/clk_rawdcf.c contains a buffer overrun due to lack
of bounds checking. This leads to obscure syslogging as below, and also
to ntpd core dumps:
Feb 5 05:00:23 sep ntpd[554]: parse: convert_rawdcf: parity check FAILED for "-##-#-####-###-RAD-LS1248124P12-812P-248121-412-811-481248P^B^D^H========================================= # 57/tcp any private terminal access #PROBLEMS!============================================================== # 57/udp any private terminal access xns-mail 58/tcp #XNS Mail xns-mail 58/udp #XNS Mail # 59/tcp any private file service # 59/udp any private file service ni-mail 61/tcp #NI MAIL ni-mail 61/udp #NI MAIL acas 62/tcp #ACA Services acas 62/udp #ACA Services whois++ 63/tcp whois++ 63/udp covia 64/tcp #Communications Integrator (CI) covia 64/udp #Communications Integrator (CI) tacacs-ds 65/tcp #TACACS-Database Service tacacs-ds 65/udp #TACACS-Database Service sql*net 66/tcp #Oracle SQL*NET sql*net 66/udp #Oracle SQL*NET bootps 67/tcp dhcps #Bootstrap Protocol Server bootps 67/udp dhcps #Bootstrap Pr!
otocol Server bootpc 68/tcp dhc
>How-To-Repeat:
System with RAWDCF receiver. This is usually a simple DCF-77 receiver
connected to a serial port. In my case, per /etc/ntp.conf:
# raw DCF77 receiver
server 127.127.8.0 mode 16 prefer
>Fix:
--- contrib/ntp/libparse/clk_rawdcf.c.ctm Wed Aug 18 16:23:11 2004
+++ contrib/ntp/libparse/clk_rawdcf.c Sun Feb 5 13:53:51 2006
@@ -207,7 +207,7 @@
register unsigned char *c = dcfprm->zerobits;
register int i;
- parseprintf(DD_RAWDCF,("parse: convert_rawdcf: \"%s\"\n", buffer));
+ parseprintf(DD_RAWDCF,("parse: convert_rawdcf: \"%.*s\"\n", size, buffer));
if (size < 57)
{
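Review bot: The precision consumed by "%.*s" in the parseprintf call must be an int, and the declaration of size is not visible in this hunk. If size is declared as anything other than int (for example unsigned long or size_t), the varargs call needs an explicit (int)size cast, otherwise the precision and the following pointer argument can be misread. Note also that this debug print runs before the size < 57 check, so it relies entirely on the caller passing a size that does not exceed the real buffer length.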
@@ -225,7 +225,7 @@
* we only have two types of bytes (ones and zeros)
*/
#ifndef PARSEKERNEL
- msyslog(LOG_ERR, "parse: convert_rawdcf: BAD DATA - no conversion for \"%s\"\n", buffer);
+ msyslog(LOG_ERR, "parse: convert_rawdcf: BAD DATA - no conversion for \"%.*s\"\n", size, buffer);
#endif
return CVT_NONE;
}
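Review bot: The msyslog call on this BAD DATA path now stops at size bytes, but it still writes the bytes verbatim, and per the comment above it this branch is reached exactly when the buffer holds bytes other than the two expected kinds. Consider escaping non-printable bytes before logging so control characters do not end up in syslog. Also be aware that "%.*s" still stops at an embedded NUL, so the logged text can be shorter than size.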
@@ -298,7 +298,7 @@
* bad format - not for us
*/
#ifndef PARSEKERNEL
- msyslog(LOG_ERR, "parse: convert_rawdcf: parity check FAILED for \"%s\"\n", buffer);
+ msyslog(LOG_ERR, "parse: convert_rawdcf: parity check FAILED for \"%.*s\"\n", size, buffer);
#endif
return CVT_FAIL|CVT_BADFMT;
}
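Review bot: Nothing near this msyslog call records why the precision is needed, so a later edit could easily reintroduce a plain "%s". Please add a short comment stating that buffer is not NUL-terminated and must always be printed together with size. Since the same replacement is repeated at three call sites in this patch, a small shared macro or helper for logging the buffer would keep them consistent.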
>Release-Note:
>Audit-Trail:
>Unformatted:
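
Added example (not part of the PR or of ntpd's code) showing the bounded "%.*s" form from the fix on a buffer without a terminating NUL, plus an optional escaping step for the control bytes seen in the syslog excerpt. The names demo, fmt_bounded and fmt_escaped and the sample bytes are constructed for illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: unterminated receive bytes with unrelated text directly
 * behind them, like the /etc/services data in the syslog excerpt above. */
static const struct {
    unsigned char raw[8];       /* no NUL anywhere in raw[] */
    char neighbour[16];
} demo = { { '#', '-', '#', 'P', 0x02, 0x04, 0x08, '-' }, "57/tcp any" };

/* Bounded form used by the patch. "%.*s" takes its precision as an int, so a
 * wider length is clamped and cast explicitly. */
static int
fmt_bounded(char *line, size_t linesz, const unsigned char *buf, size_t len)
{
    int prec = len > INT_MAX ? INT_MAX : (int)len;
    return snprintf(line, linesz, "parity check FAILED for \"%.*s\"",
        prec, (const char *)buf);
}

/* Hypothetical extra step, not in the patch: write non-printable bytes as
 * \xNN. Always NUL-terminates; returns how many input bytes fitted. */
static size_t
fmt_escaped(char *out, size_t outsz, const unsigned char *buf, size_t len)
{
    size_t i, used = 0;
    if (outsz == 0) return 0;
    for (i = 0; i < len; i++) {
        int plain = isprint(buf[i]) && buf[i] != '\\';
        size_t need = plain ? 1 : 4;
        if (used + need >= outsz)       /* leave room for the NUL */
            break;
        if (plain)
            out[used++] = (char)buf[i];
        else
            used += (size_t)snprintf(out + used, outsz - used, "\\x%02x", buf[i]);
    }
    out[used] = '\0';
    return i;
}

int main(void)
{
    char line[128], esc[64];
    fmt_bounded(line, sizeof line, demo.raw, sizeof demo.raw);
    fmt_escaped(esc, sizeof esc, demo.raw, sizeof demo.raw);
    return puts(esc) < 0 || strstr(line, "57/tcp") != NULL;
}
```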