Harlan, My position on ntpdate and sntp has always been clear. Remove them both from the distribution and let other folks contribute sntp products. The standards labs in various contries do not recommend the NTP reference implementation, they recommend other shrinkwrap products. There is no need for folks to download the reference implementatino only to bring up an sntp product.
The matter of concern is an sntp product that strictly conforms to the NTPv4 specification as it applies to sntp. There is at least one contributor testing the kiss-o'-death rate limit and has apparently actually read rfc 2030. On the other hand, there are numerous examples of clients that casually violate the rate rules both at servers we operate here and at the national labs. What we should be doing is supporting those products that play by the rules and that are maintained by other players. Dave Harlan Stenn wrote: > Bill, > > ntpdate is being deprecated. > > And it is *much* better to file reports like this using bugs.ntp.org as > otherwise they tend to get lost in the wind. > > H > -- > >>>>In article <[EMAIL PROTECTED]>, Unruh <[EMAIL PROTECTED]> writes: > > > Unruh> In ntpdate.c around line 542 (4.2.4p4)is the sequence if > Unruh> (!authistrusted(sys_authkey)) { char buf[10]; > > Unruh> (void) sprintf(buf, "%lu", (unsigned long)sys_authkey); > Unruh> msyslog(LOG_ERR, "authentication key %s unknown", buf); exit(1); > Unruh> } > > Unruh> Since unsigned long does not have a definite length on all machines, > Unruh> and with the trailing zero certainly is potentially longer than 10 > Unruh> bytes, that buf is ripe for buffer overflow. It should be something > Unruh> like char buf[(sizeof(unsigned long)*12/5+2)]; And/or the sprintf > Unruh> should be an snprintf. > > > _______________________________________________ questions mailing list questions@lists.ntp.org https://lists.ntp.org/mailman/listinfo/questions