bin/92839: contrib/ntp PARSE buffer overrun [patch]

Helge Oldach freebsdntpd at oldach.net
Sun Feb 5 05:30:04 PST 2006


>Number:         92839
>Category:       bin
>Synopsis:       contrib/ntp PARSE buffer overrun [patch]
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 05 13:30:03 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Helge Oldach
>Release:        FreeBSD 5.5-PRERELEASE i386
>Organization:
>Environment:

System: FreeBSD localhost 5.5-PRERELEASE FreeBSD 5.5-PRERELEASE #619: Sun Feb 5 11:24:48 CET 2006 toor at localhost:/usr/obj/usr/src/sys/HMO i386

>Description:

contrib/ntp/libparse/clk_rawdcf.c contains a buffer overrun due to lack
of bounds checking. This leads to obscure syslogging as below, and also
to ntpd core dumps:

Feb  5 05:00:23 sep ntpd[554]: parse: convert_rawdcf: parity check FAILED for "-##-#-####-###-RAD-LS1248124P12-812P-248121-412-811-481248P^B^D^H========================================= #		 57/tcp	   any private terminal access #PROBLEMS!============================================================== #		 57/udp	   any private terminal access xns-mail	 58/tcp	   #XNS Mail xns-mail	 58/udp	   #XNS Mail #		 59/tcp	   any private file service #		 59/udp	   any private file service ni-mail		 61/tcp	   #NI MAIL ni-mail		 61/udp	   #NI MAIL acas		 62/tcp	   #ACA Services acas		 62/udp	   #ACA Services whois++		 63/tcp whois++		 63/udp covia		 64/tcp	   #Communications Integrator (CI) covia		 64/udp	   #Communications Integrator (CI) tacacs-ds	 65/tcp	   #TACACS-Database Service tacacs-ds	 65/udp	   #TACACS-Database Service sql*net		 66/tcp	   #Oracle SQL*NET sql*net		 66/udp	   #Oracle SQL*NET bootps		 67/tcp	   dhcps	#Bootstrap Protocol Server bootps		 67/udp	   dhcps	#Bootstrap Pr!
 otocol Server bootpc		 68/tcp	   dhc

>How-To-Repeat:

System with RAWDCF receiver. This is usually a simple DCF-77 receiver
connected to a serial port. In my case, per /etc/ntp.conf:

# raw DCF77 receiver
server 127.127.8.0 mode 16 prefer

>Fix:

--- contrib/ntp/libparse/clk_rawdcf.c.ctm	Wed Aug 18 16:23:11 2004
+++ contrib/ntp/libparse/clk_rawdcf.c	Sun Feb  5 13:53:51 2006
@@ -207,7 +207,7 @@
 	register unsigned char *c = dcfprm->zerobits;
 	register int i;
 
-	parseprintf(DD_RAWDCF,("parse: convert_rawdcf: \"%s\"\n", buffer));
+	parseprintf(DD_RAWDCF,("parse: convert_rawdcf: \"%.*s\"\n", size, buffer));
 
 	if (size < 57)
 	{
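Review bot: the debug print at the top of this hunk runs before the size < 57 check, so size is used as a precision before anything has validated it. %.*s expects an int precision, and a negative precision is treated as if no precision were given, which brings back the unbounded %s read. The declaration of size is not visible in these lines; if it is not an int, cast it, and either move the print below the length check or clamp negative values to 0.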
@@ -225,7 +225,7 @@
 			 * we only have two types of bytes (ones and zeros)
 			 */
 #ifndef PARSEKERNEL
-			msyslog(LOG_ERR, "parse: convert_rawdcf: BAD DATA - no conversion for \"%s\"\n", buffer);
+			msyslog(LOG_ERR, "parse: convert_rawdcf: BAD DATA - no conversion for \"%.*s\"\n", size, buffer);
 #endif
 			return CVT_NONE;
 		}
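Review bot: in the BAD DATA branch the bytes being logged are, per the comment just above the call, neither ones nor zeros, so this msyslog line writes arbitrary receiver bytes to syslog. The precision stops the read at size, but control characters still pass through unescaped (the log excerpt in the description contains ^B^D^H) and output ends early at an embedded NUL. Consider escaping non-printable bytes before they reach the log.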
@@ -298,7 +298,7 @@
 		 * bad format - not for us
 		 */
 #ifndef PARSEKERNEL
-		msyslog(LOG_ERR, "parse: convert_rawdcf: parity check FAILED for \"%s\"\n", buffer);
+		msyslog(LOG_ERR, "parse: convert_rawdcf: parity check FAILED for \"%.*s\"\n", size, buffer);
 #endif
 		return CVT_FAIL|CVT_BADFMT;
 	}
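Review bot: nothing in these hunks records that buffer is not NUL-terminated, and the size, buffer argument pair is now repeated at three call sites. Add a comment stating that buffer holds size bytes with no terminator, or put the format and its arguments behind one macro, so that a later log call does not reintroduce a plain %s.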

>Release-Note:
>Audit-Trail:
>Unformatted:
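
An added example, not part of the original report or of ntp: two ways to log a length-delimited buffer like the one described above, first with the patch's %.*s bound and then with a hypothetical helper that also escapes control bytes. The names fmt_bounded and fmt_escaped and the sample bytes are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>

/* Constructed sample: 8 receiver bytes with no terminator (one of them a
 * control byte), followed by unrelated data standing in for adjacent memory. */
static const struct { unsigned char frame[8]; char neighbour[16]; } sample = {
	{ '-', '#', '#', '-', '#', '-', 0x02, '#' }, "57/tcp private"
};

/* The patch's approach: the precision caps how many bytes %s may read.
 * A negative precision means "no limit", so clamp it first. */
static int fmt_bounded(char *out, size_t outlen, const unsigned char *buf, int size)
{
	return snprintf(out, outlen, "%.*s", size < 0 ? 0 : size, (const char *)buf);
}

/* Hypothetical helper (not part of ntp): same bound, but control bytes,
 * quotes and backslashes are written as \xNN so the log line stays
 * unambiguous. Returns the number of input bytes consumed. */
static int fmt_escaped(char *out, size_t outlen, const unsigned char *buf, int size)
{
	size_t o = 0;
	int i;

	if (outlen == 0)
		return 0;
	for (i = 0; i < size; i++) {	/* size <= 0 reads nothing */
		if (isprint(buf[i]) && buf[i] != '\\' && buf[i] != '"') {
			if (o + 1 >= outlen)	/* keep room for the terminator */
				break;
			out[o++] = (char)buf[i];
		} else {
			if (o + 4 >= outlen)	/* 4 escape chars + terminator */
				break;
			o += (size_t)snprintf(out + o, outlen - o, "\\x%02x", (unsigned)buf[i]);
		}
	}
	out[o] = '\0';
	return i;
}

int main(void)
{
	char line[64];

	fmt_bounded(line, sizeof line, sample.frame, (int)sizeof sample.frame);
	fmt_escaped(line, sizeof line, sample.frame, (int)sizeof sample.frame);
	printf("parse: convert_rawdcf: \"%s\"\n", line);
	return 0;
}
```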

