Date: Thu, 5 Apr 2001 14:29:56 -0700 (PDT)
From: Matt Dillon <dillon@earth.backplane.com>
To: Poul-Henning Kamp <phk@critter.freebsd.dk>
Cc: Jesper Skriver <jesper@skriver.dk>, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/contrib/ntp/ntpd ntp_control.c
Message-ID: <200104052129.f35LTur28678@earth.backplane.com>
References: <28521.986503907@critter>
:>> Revision Changes Path
:>> 1.2 +21 -1 src/contrib/ntp/ntpd/ntp_control.c
:>
:>ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-004.txt.asc
:>
:>Say: "Jason Thorpe for changes to not overrun the end of the static buffer"
:>in regard to the patch applied to FreeBSD, are they right, or ?
:
:There seems to be an off-by-one in my stopgap patch. I won't be able to
:look at it for another 16 hours I'm afraid; everybody else is more than
:welcome to jump on that and any other issues.
:
:--
:Poul-Henning Kamp | UNIX since Zilog Zeus 3.20

Yah. It just looks like you need to change the 'if (tp > buf + ...)' to
'if (tp >= buf + ...)'. Else tp can be exactly at buf + sizeof(buf) and then
still get the \0 tagged onto it.

I traced the code back and it looks like it's more than just a potential root
exploit. The packet buffer is 400+ characters, and the only size check before
this code is to check that the embedded length field is <= the actual number
of bytes read. That little 128 byte temporary buffer is in deep doodoo.

-Matt
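The off-by-one Matt describes, as an added example that is not the ntp_control.c code nor part of this thread: the loop below is an assumed reconstruction of the copy-into-a-128-byte-buffer shape, with the `>` check from the stopgap patch beside the `>=` check he proposes. Stores past the end are skipped and only the index where the terminator would land is reported, so the flawed variant can be compared without actually corrupting memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Copy one comma-separated item from a request into buf[bufsize], then
 * append '\0'. Returns the index where the terminator lands, or -1 if the
 * bounds check rejected the item. Index == bufsize means the terminator
 * would be written one byte past the end of the buffer (the bug).
 * fixed == 0: stopgap check (tp > buf + sizeof(buf)); fixed == 1: tp >= ...
 * The loop structure is an assumption, not the project's actual code.
 */
static int copy_item(const char *req, size_t reqlen,
                     char *buf, size_t bufsize, int fixed)
{
    size_t tp = 0;                       /* offset of tp relative to buf */
    for (size_t cp = 0; cp < reqlen && req[cp] != ','; cp++) {
        if (tp < bufsize)                /* guard: never store out of bounds here */
            buf[tp] = req[cp];
        tp++;
        if (fixed ? (tp >= bufsize) : (tp > bufsize))
            return -1;                   /* item too long, reject it */
    }
    /* the trailing '\0': with the '>' check, tp can equal bufsize here */
    if (tp < bufsize)
        buf[tp] = '\0';
    return (int)tp;
}

int main(void)
{
    char item[400];                      /* constructed: 128-byte item, no comma */
    char buf[128];
    memset(item, 'a', sizeof item);

    int flawed = copy_item(item, 128, buf, sizeof buf, 0);
    int fixed  = copy_item(item, 128, buf, sizeof buf, 1);
    printf("stopgap '>' check: terminator at index %d (buffer size %zu)\n",
           flawed, sizeof buf);
    printf("'>=' check: %s\n", fixed < 0 ? "item rejected" : "accepted");
    return 0;
}
```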