From 0dff585654bef39798a52ab9d4a8311bd46cab94 Mon Sep 17 00:00:00 2001 From: itojun Date: Tue, 13 Mar 2001 00:14:39 +0000 Subject: [PATCH] cope with malformed packets better. ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:28/timed.patch --- usr.sbin/timed/timed/readmsg.c | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/usr.sbin/timed/timed/readmsg.c b/usr.sbin/timed/timed/readmsg.c index ac3f2067d9a2..6112d356d663 100644 --- a/usr.sbin/timed/timed/readmsg.c +++ b/usr.sbin/timed/timed/readmsg.c @@ -1,4 +1,4 @@ -/* $NetBSD: readmsg.c,v 1.9 2000/03/27 17:07:23 kleink Exp $ */ +/* $NetBSD: readmsg.c,v 1.10 2001/03/13 00:14:39 itojun Exp $ */ /*- * Copyright (c) 1985, 1993 The Regents of the University of California. @@ -38,12 +38,12 @@ #if 0 static char sccsid[] = "@(#)readmsg.c 8.1 (Berkeley) 6/6/93"; #else -__RCSID("$NetBSD: readmsg.c,v 1.9 2000/03/27 17:07:23 kleink Exp $"); +__RCSID("$NetBSD: readmsg.c,v 1.10 2001/03/13 00:14:39 itojun Exp $"); #endif #endif /* not lint */ #ifdef sgi -#ident "$Revision: 1.9 $" +#ident "$Revision: 1.10 $" #endif #include "globals.h" @@ -92,6 +92,7 @@ readmsg(int type, char *machfrom, struct timeval *intvl, struct tsplist *prev; register struct netinfo *ntp; register struct tsplist *ptr; + ssize_t n; if (trace) { fprintf(fd, "readmsg: looking for %s from %s, %s\n", @@ -211,11 +212,18 @@ again: continue; } length = sizeof(from); - if (recvfrom(sock, (char *)&msgin, sizeof(struct tsp), 0, - (struct sockaddr*)&from, &length) < 0) { + if ((n = recvfrom(sock, (char *)&msgin, sizeof(struct tsp), 0, + (struct sockaddr*)&from, &length)) < 0) { syslog(LOG_ERR, "recvfrom: %m"); exit(1); } + if (n < (ssize_t)sizeof(struct tsp)) { + syslog(LOG_NOTICE, + "short packet (%lu/%lu bytes) from %s", + (u_long)n, (u_long)sizeof(struct tsp), + inet_ntoa(from.sin_addr)); + continue; + } (void)gettimeofday(&from_when, (struct timezone *)0); bytehostorder(&msgin); 
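Review bot: The short-packet rejection in readmsg() calls syslog(LOG_NOTICE, ...) once per undersized datagram, and because this socket accepts unauthenticated UDP from any source, the new log line (and the matching one in the NUL-termination check in the following hunk) lets a remote sender fill the log at will; consider counting these and reporting the count periodically, or emitting them only under `trace` like the `fprintf(fd, "readmsg: looking for ...")` diagnostic earlier in the function. The length check only detects datagrams shorter than `sizeof(struct tsp)`; recvfrom() silently truncates longer ones to the buffer, so oversized packets still pass as well-formed, which is probably acceptable but deserves a comment such as `/* oversize datagrams are truncated by recvfrom(); only short ones are detectable here */`. Using `sizeof msgin` in both the recvfrom() call and the comparison would tie the bound to the buffer actually passed rather than to the type name. readmsg() begins and ends outside this hunk.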
@@ -227,6 +235,13 @@ again: continue; } + if (memchr(msgin.tsp_name, + '\0', sizeof msgin.tsp_name) == NULL) { + syslog(LOG_NOTICE, "hostname field not NUL terminated " + "in packet from %s", inet_ntoa(from.sin_addr)); + continue; + } + fromnet = NULL; for (ntp = nettab; ntp != NULL; ntp = ntp->next) if ((ntp->mask & from.sin_addr.s_addr) == @@ -442,6 +457,12 @@ struct sockaddr_in *addr; char tm[26]; time_t msgtime; + if (msg->tsp_type >= TSPTYPENUMBER) { + fprintf(fd, "bad type (%u) on packet from %s\n", + msg->tsp_type, inet_ntoa(addr->sin_addr)); + return; + } + switch (msg->tsp_type) { case TSP_LOOP:
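Review bot: The memchr() guard carries no comment saying what it protects, so a reader has to hunt for the later uses of tsp_name to see why an unterminated field matters. Suggest `/* tsp_name is consumed as a C string by the callers; a field with no NUL would let them read past msgin */` above the `if` — hedged, since those uses are not on the page and the wording should be confirmed against them. The placement after bytehostorder() and the preceding rejection block looks right, as the field must be validated before any code consumes it. readmsg() continues outside the hunk.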
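Review bot: The new guard in print() assumes `tsp_type` is an unsigned field; a lone `>= TSPTYPENUMBER` test lets a negative value fall straight into the `switch`, so if the protocol header declares it as anything but an unsigned type (I believe it is `u_char`, but that is not on the page) the condition needs a lower bound as well. For the same reason `%u` is only correct while the promoted argument is non-negative; an explicit cast, `(unsigned)msg->tsp_type`, would keep the format honest if the type ever changes. A one-line comment such as `/* out-of-range types must be rejected before the switch's default handling sees them */` would record why a bound check lives in a trace-only printer; the default branch itself is outside this hunk, as is the rest of print().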