Harlan,
My position on ntpdate and sntp has always been clear. Remove them both
from the distribution and let other folks contribute sntp products. The
standards labs in various contries do not recommend the NTP reference
implementation, they recommend other shrinkwrap products. There is no
need for folks to download the reference implementatino only to bring up
an sntp product.
The matter of concern is an sntp product that strictly conforms to the
NTPv4 specification as it applies to sntp. There is at least one
contributor testing the kiss-o'-death rate limit and has apparently
actually read rfc 2030. On the other hand, there are numerous examples
of clients that casually violate the rate rules both at servers we
operate here and at the national labs. What we should be doing is
supporting those products that play by the rules and that are maintained
by other players.
Dave
Harlan Stenn wrote:
> Bill,
>
> ntpdate is being deprecated.
>
> And it is *much* better to file reports like this using bugs.ntp.org as
> otherwise they tend to get lost in the wind.
>
> H
> --
>
>>>>In article <[EMAIL PROTECTED]>, Unruh <[EMAIL PROTECTED]> writes:
>
>
> Unruh> In ntpdate.c around line 542 (4.2.4p4)is the sequence if
> Unruh> (!authistrusted(sys_authkey)) { char buf[10];
>
> Unruh> (void) sprintf(buf, "%lu", (unsigned long)sys_authkey);
> Unruh> msyslog(LOG_ERR, "authentication key %s unknown", buf); exit(1);
> Unruh> }
>
> Unruh> Since unsigned long does not have a definite length on all machines,
> Unruh> and with the trailing zero certainly is potentially longer than 10
> Unruh> bytes, that buf is ripe for buffer overflow. It should be something
> Unruh> like char buf[(sizeof(unsigned long)*12/5+2)]; And/or the sprintf
> Unruh> should be an snprintf.
>
>
>
_______________________________________________
questions mailing list
questions@lists.ntp.org
https://lists.ntp.org/mailman/listinfo/questions
