[20092] in bugtraq


Re: ntpd =< 4.0.99k remote buffer overflow

daemon@ATHENA.MIT.EDU (Erik Fichtner)
Mon Apr 9 03:51:56 2001

Mail-Followup-To: "Ogle Ron (Rennes)" <OgleR@THMULTI.COM>,
                  BUGTRAQ@SECURITYFOCUS.COM, alaric@BABCOM.COM
Message-ID:  <20010406224349.V1715@obfuscation.org>
Date:         Fri, 6 Apr 2001 22:43:49 -0400
Reply-To: techs@obfuscation.org
From: Erik Fichtner <techs@obfuscation.org>
X-To:         "Ogle Ron (Rennes)" <OgleR@THMULTI.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20010406000614.A4715@babylon5.babcom.com>; from
              alaric@BABCOM.COM on Fri, Apr 06, 2001 at 12:06:14AM -0700

On Fri, Apr 06, 2001 at 12:06:14AM -0700, Phil Stracchino wrote:
> On Thu, Apr 05, 2001 at 11:38:47AM +0200, Ogle Ron (Rennes) wrote:
> > There is only a patch for the NTP software from
> > http://phk.freebsd.dk/patch/ntpd.patch.
>
> I just tried applying this patch against ntp-4.0.99k, and it fails.

The patch does not *cleanly* apply, as the offsets in the file and the
formatting are completely different, but if you read the patch and the
source, you can apply it by hand fairly well.

However, to save time and frustration, this is a diff with very wide
context of the important piece as applied to 4.0.99k...

--- ntp-4.0.99k/ntpd/ntp_control.c      Sat Jul 15 10:46:05 2000
+++ ntp-4.0.99k-emf-2001040501/ntpd/ntp_control.c       Thu Apr  5 23:15:52 2001
@@ -1799,53 +1799,55 @@
        while (!(v->flags & EOV)) {
                if (!(v->flags & PADDING) && *cp == *(v->text)) {
                        tp = v->text;
                        while (*tp != '\0' && *tp != '=' && cp <
                            reqend && *cp == *tp) {
                                cp++;
                                tp++;
                        }
                        if ((*tp == '\0') || (*tp == '=')) {
                                while (cp < reqend && isspace((int)*cp))
                                        cp++;
                                if (cp == reqend || *cp == ',') {
                                        buf[0] = '\0';
                                        *data = buf;
                                        if (cp < reqend)
                                                cp++;
                                        reqpt = cp;
                                        return v;
                                }
                                if (*cp == '=') {
                                        cp++;
                                        tp = buf;
                                        while (cp < reqend &&
                                            isspace((int)*cp))
                                                cp++;
-                                       while (cp < reqend && *cp !=
-                                           ',')
+                                       while (cp < reqend && *cp != ',') {
                                                *tp++ = *cp++;
+                                               /* avoid buffer overflow */
+                                               if (tp > buf + sizeof(buf)) return(0);
+                                       }
                                        if (cp < reqend)
                                                cp++;
                                        *tp = '\0';
                                        while (isspace((int)(*(tp-1))))
                                                *(--tp) = '\0';
                                        reqpt = cp;
                                        *data = buf;
                                        return (v);
                                }
                        }
                        cp = reqpt;
                }
                v++;
        }
        return v;
 }


 /*
  * control_unspec - response to an unspecified op-code
  */
 /*ARGSUSED*/
 static void
 control_unspec(
        struct recvbuf *rbufp,
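Review bot: the bound check added in this hunk is off by one and runs after the store it is meant to guard. Once `*tp++ = *cp++;` has filled buf[sizeof(buf) - 1], tp equals buf + sizeof(buf) and `if (tp > buf + sizeof(buf)) return(0);` does not fire, so the next iteration stores one byte past the end of buf before the check catches it, and for a value of exactly sizeof(buf) bytes the loop exits normally and the later `*tp = '\0';` writes past the end as well. Testing before the store and leaving a slot for the terminator closes both cases, e.g. `if (tp >= buf + sizeof(buf) - 1) return(0);` placed ahead of `*tp++ = *cp++;`. Two things to confirm from outside the hunk: that buf is declared in this function as an array rather than a pointer (otherwise sizeof(buf) is the size of a pointer), and that every caller copes with a null return, since the function's existing fall-through `return v;` hands back the end-of-list entry rather than 0, so a null result is new behaviour.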


-- 
                        Erik Fichtner; Unix Ronin
                    http://www.obfuscation.org/techs/
"The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself.  Therefore, all progress
depends on the unreasonable." -- George Bernard Shaw
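The copy loop the patch wraps (take the bytes up to the next ',' or the end of the request, store them in a fixed buffer, strip trailing blanks) is small enough to get exactly right, and the example below, written for this page and not taken from the post or from ntpd's sources, shows a bounded version of it next to an index-only re-run of the patched loop's control flow. The buffer size VALUE_BUF and every function name here are assumptions of the example; the sample request values are constructed. The bounded copier tests capacity before each store and reserves one slot for the terminator, so a value that does not fit is rejected rather than truncated or overrun; the re-run reports the highest index the patched loop would store to for the same input without touching memory, which makes the one-byte overshoot for a value of exactly sizeof(buf) bytes visible.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Small on purpose so the boundary case is easy to exercise: an assumption
 * of this example, not ntpd's real buffer size. */
#define VALUE_BUF 16

/* Copies the value starting at cp and ending at the first ',' or at reqend
 * into out (capacity outsz), then strips trailing whitespace, using the same
 * delimiter rules as the patched loop.  Capacity is tested BEFORE every store
 * and one slot is reserved for the terminator, so out[outsz - 1] is always
 * free for '\0'.  Returns the stored length, or -1 when the value does not
 * fit (the caller should reject the request rather than truncate it). */
static int copy_value_bounded(const char *cp, const char *reqend,
                              char *out, size_t outsz)
{
    char *tp = out;
    char *end;

    if (outsz == 0)
        return -1;
    end = out + outsz - 1;             /* one past the last data slot */
    while (cp < reqend && *cp != ',') {
        if (tp >= end) {               /* checked before the store, not after */
            out[0] = '\0';
            return -1;
        }
        *tp++ = *cp++;
    }
    *tp = '\0';
    /* Never step before out: an empty or all-blank value must not read out[-1]. */
    while (tp > out && isspace((unsigned char)tp[-1]))
        *--tp = '\0';
    return (int)(tp - out);
}

/* Re-runs the control flow of the patched loop on a notional buf[bufsz],
 * tracking tp as an index instead of a pointer, and reports the highest index
 * it would store to (data bytes plus the final '\0').  Nothing is written, so
 * this is safe to call; a result >= bufsz means the patched loop would store
 * past the end of buf for this input. */
static int patched_loop_highest_index(const char *cp, const char *reqend,
                                      size_t bufsz)
{
    size_t tp = 0;
    int highest = -1;

    while (cp < reqend && *cp != ',') {
        if ((int)tp > highest)
            highest = (int)tp;         /* *tp++ = *cp++;  stores at buf[tp] */
        tp++;
        cp++;
        if (tp > bufsz)                /* the patch's test: tp > buf + sizeof(buf) */
            return highest;            /* return(0): copy abandoned here */
    }
    if ((int)tp > highest)
        highest = (int)tp;             /* *tp = '\0'; */
    return highest;
}

/* Convenience wrappers over a NUL-terminated request, sharing one buffer. */
static char last_value[VALUE_BUF];

static int copy_value_str(const char *req)
{
    return copy_value_bounded(req, req + strlen(req), last_value, sizeof last_value);
}

static const char *last_copied_value(void)
{
    return last_value;
}

static int patched_loop_str(const char *req)
{
    return patched_loop_highest_index(req, req + strlen(req), VALUE_BUF);
}

int main(void)
{
    static const char *inputs[] = {    /* constructed sample request values */
        "abc  ,rest=1",                /* normal value with trailing blanks */
        "   ",                         /* all-blank value */
        "0123456789abcde",             /* 15 bytes: the longest that fits */
        "0123456789abcdef",            /* 16 bytes: exactly sizeof(buf) */
        "0123456789abcdefghij",        /* longer than the buffer */
    };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int n = copy_value_str(inputs[i]);
        int hi = patched_loop_str(inputs[i]);
        printf("%-22s bounded=%2d (\"%s\")  patched loop stores up to buf[%d]%s\n",
               inputs[i], n, n < 0 ? "" : last_copied_value(), hi,
               hi >= VALUE_BUF ? "  <-- past the end" : "");
    }
    return 0;
}
```

Running it shows the two functions agreeing for short values and disagreeing exactly at 16 bytes: the bounded copier returns -1, while the patched loop's index reaches 16 on a 16-slot buffer, one past the last valid element.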

