On Fri, Apr 06, 2001 at 12:06:14AM -0700, Phil Stracchino wrote:
> On Thu, Apr 05, 2001 at 11:38:47AM +0200, Ogle Ron (Rennes) wrote:
> > There is only a patch for the NTP software from
> > http://phk.freebsd.dk/patch/ntpd.patch.
>
> I just tried applying this patch against ntp-4.0.99k, and it fails.
The patch does not *cleanly* apply, as the offsets in the file and the
formatting is completely different, but if you read the patch and the
source, you can apply it by hand fairly well.
However, to save time and frustration, this is a diff with very wide
context of the important peice as applied to 4.0.99k...
--- ntp-4.0.99k/ntpd/ntp_control.c Sat Jul 15 10:46:05 2000
+++ ntp-4.0.99k-emf-2001040501/ntpd/ntp_control.c Thu Apr 5 23:15:52
2001
@@ -1799,53 +1799,55 @@
while (!(v->flags & EOV)) {
if (!(v->flags & PADDING) && *cp == *(v->text)) {
tp = v->text;
while (*tp != '\0' && *tp != '=' && cp <
reqend && *cp == *tp) {
cp++;
tp++;
}
if ((*tp == '\0') || (*tp == '=')) {
while (cp < reqend && isspace((int)*cp))
cp++;
if (cp == reqend || *cp == ',') {
buf[0] = '\0';
*data = buf;
if (cp < reqend)
cp++;
reqpt = cp;
return v;
}
if (*cp == '=') {
cp++;
tp = buf;
while (cp < reqend &&
isspace((int)*cp))
cp++;
- while (cp < reqend && *cp !=
- ',')
+ while (cp < reqend && *cp != ',') {
*tp++ = *cp++;
+ /* avoid buffer overflow */
+ if (tp > buf + sizeof(buf)) return(0);
+ }
if (cp < reqend)
cp++;
*tp = '\0';
while (isspace((int)(*(tp-1))))
*(--tp) = '\0';
reqpt = cp;
*data = buf;
return (v);
}
}
cp = reqpt;
}
v++;
}
return v;
}
/*
* control_unspec - response to an unspecified op-code
*/
/*ARGSUSED*/
static void
control_unspec(
struct recvbuf *rbufp,
--
Erik Fichtner; Unix Ronin
http://www.obfuscation.org/techs/
"The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore, all progress
depends on the unreasonable." -- George Bernard Shaw
PGP signature
