Date:      Sat, 15 Feb 2003 20:36:34 -0800
From:      David Schultz <dschultz@uclink.Berkeley.EDU>
To:        Charles Sprickman <spork@inch.com>
Cc:        security@FreeBSD.ORG
Subject:   Re: chrooted non-priv ntpd
Message-ID:  <20030216043634.GB733@HAL9000.homeunix.com>
In-Reply-To: <20030215025035.F80945@shell.inch.com>
References:  <20030215025035.F80945@shell.inch.com>

[from stable@]

Thus spake Charles Sprickman <spork@inch.com>:
> I saw this article on DaemonNews:
> 
> http://www.onlamp.com/lpt/a/3221
> 
> Is there any such clock-setting trickery planned or in progress in -stable
> or -current?  Pretty nifty idea given ntpd's sordid history.

Without volunteering to do anything about it for lack of time, I'd
like to profess my support for this idea.  ntpd has problems.  I
recommended running the part of ntpd that talks to the network as
non-root when I audited it last year.

I know of at least three buffer overflows (in the input from the
user who starts ntpd, not remotely exploitable), a possible bug in
the crypto code that causes one of the session keys used to be
predictable, two sloppy off-by-one errors (on the safe side,
fortunately), and a failure to null-terminate a string that is
passed to printf() when debug mode is used.  Rather than actually
using those brand new and terribly unportable interfaces like
snprintf(3) and strncpy(3), the author tries to precompute maximum
possible buffer sizes and occasionally seems to get it wrong.

I have to share the following excerpt from ntpd with you, partly
because it's some of the most screwed up non-IOCCC code I have
ever seen, and partly because if I had to suffer through it, I
figure others might as well, too.  It's actually a lot worse than
it looks, given that approximately 55% of the text-containing
lines in the file are either #ifdef, #elif, #else, or #endif, or
#if.  Audit that!

   285  int
   286  ntpdmain(
   287          int argc,
   288          char *argv[]
   289          )
   290  {
...
   345  #  ifdef DEBUG
   346          if (!debug && !nofork)
   347  #  else /* DEBUG */
   348          if (!nofork)
   349  #  endif /* DEBUG */
   350          {
...
   439          }
   440  # endif /* NODETACH */
   441  # if defined(SYS_WINNT) && !defined(NODETACH)
   442          else
   443                  service_main(argc, argv);
   444          return 0;       /* must return a value */
   445  } /* end main */

   446  /*
   447   * If this runs as a service under NT, the main thread will block at
   448   * StartServiceCtrlDispatcher() and another thread will be started by the
   449   * Service Control Dispatcher which will begin execution at the routine
   450   * specified in that call (viz. service_main)
   451   */
   452  void
   453  service_main(
   454          DWORD argc,
   455          LPTSTR *argv
   456          )
   457  {
...
   490  # endif /* defined(SYS_WINNT) && !defined(NODETACH) */
...
   503  #if !defined(SYS_WINNT) && !defined(VMS)
...
   518  #endif  /* !SYS_WINNT && !VMS */
...
   837  }

(In case you didn't catch that, notice that there are two possible
places where main() can end, and they're several hundred lines
apart.  There's actually a third possibility, which is not shown
above.  I just noticed that the 'if' I excerpted from line 346
might not be the right one, but it seems to be the only one at the
correct indentation.  I'd have to run the code through cpp again
to be sure.)

P.S.	Did I read correctly that Niels Provos is now with NetBSD?
	Did Theo scare him off?
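The two buffer-handling mistakes the message lists (a copy that leaves a string without its terminating NUL before it reaches printf(), and hand-computed "maximum" buffer sizes that come out one byte short) can be shown side by side. The block below is an added example written for this archive page; it is not ntpd code and not from the message. The buffer width BUF_LEN and the function names are assumptions chosen for the illustration. The unterminated buffer is never printed; the example instead reports whether a terminator is present, which is the check a reviewer or unit test can make without reading past the array.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed buffer width for the example; not a size taken from ntpd. */
#define BUF_LEN 16

/* The pattern the message complains about: strncpy(3) fills exactly
 * BUF_LEN bytes and writes no terminator when 'src' is BUF_LEN chars or
 * longer, so a later printf("%s", buf) would read past the buffer.
 * We do not print it; we only report whether a terminator is present.
 * Returns 1 if buf ended up unterminated, 0 if it is a valid C string. */
int strncpy_leaves_unterminated(const char *src)
{
    char buf[BUF_LEN];
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) == NULL;
}

/* Bounded copy with guaranteed termination and an explicit truncation
 * signal, in place of hand-computed "maximum" sizes.  snprintf(3) always
 * terminates when dstsize > 0 and returns the length it wanted to write,
 * so a return value >= dstsize means the input did not fit.
 * Returns 0 on success, -1 if the input was truncated. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    int n;
    if (dstsize == 0)
        return -1;
    n = snprintf(dst, dstsize, "%s", src);
    return (n < 0 || (size_t)n >= dstsize) ? -1 : 0;
}

/* Build "<name>=<value>" into dst the same way.  The caller never counts
 * the '=' or the NUL by hand, which is exactly where an off-by-one in a
 * precomputed size slips in.  Returns 0 on success, -1 on truncation. */
int format_setting(char *dst, size_t dstsize, const char *name, const char *value)
{
    int n;
    if (dstsize == 0)
        return -1;
    n = snprintf(dst, dstsize, "%s=%s", name, value);
    return (n < 0 || (size_t)n >= dstsize) ? -1 : 0;
}

int main(void)
{
    char out[BUF_LEN];
    /* Constructed inputs: one fits, one is exactly BUF_LEN chars long. */
    const char *short_in = "driftfile";
    const char *long_in  = "0123456789abcdef";   /* 16 chars, no room for NUL */

    printf("strncpy of short input unterminated?   %d\n",
           strncpy_leaves_unterminated(short_in));
    printf("strncpy of 16-char input unterminated? %d\n",
           strncpy_leaves_unterminated(long_in));
    printf("copy_bounded(long) -> %d, out is still a string: \"%s\"\n",
           copy_bounded(out, sizeof out, long_in), out);
    printf("format_setting -> %d: \"%s\"\n",
           format_setting(out, sizeof out, "port", "123"), out);
    return 0;
}
```

The design point is that every bounded write returns a value the caller must check: the snprintf() result tells you whether the data fit, whereas strncpy() silently hands back a byte array that may no longer be a string.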
