subject:"CVS commit\: \[netbsd\-4\] src\/dist\/ntp\/ntpd"

CVS commit: [netbsd-4] src/dist/ntp/ntpd

2009-12-08 Thread Soren Jacobsen

Module Name:src
Committed By:   snj
Date:   Wed Dec  9 04:53:39 UTC 2009

Modified Files:
src/dist/ntp/ntpd [netbsd-4]: ntp_request.c

Log Message:
Apply patch (requested by kardel in ticket 1369):
Fix CVE-2009-3563.


To generate a diff of this commit:
cvs rdiff -u -r1.5.4.1 -r1.5.4.2 src/dist/ntp/ntpd/ntp_request.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/dist/ntp/ntpd/ntp_request.c
diff -u src/dist/ntp/ntpd/ntp_request.c:1.5.4.1 src/dist/ntp/ntpd/ntp_request.c:1.5.4.2
--- src/dist/ntp/ntpd/ntp_request.c:1.5.4.1	Tue Aug 21 08:40:03 2007
+++ src/dist/ntp/ntpd/ntp_request.c	Wed Dec  9 04:53:39 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: ntp_request.c,v 1.5.4.1 2007/08/21 08:40:03 ghen Exp $	*/
+/*	$NetBSD: ntp_request.c,v 1.5.4.2 2009/12/09 04:53:39 snj Exp $	*/
 
 /*
  * ntp_request.c - respond to information requests
@@ -411,6 +411,7 @@
 	int mod_okay
 	)
 {
+	static u_long quiet_until;
 	struct req_pkt *inpkt;
 	struct req_pkt_tail *tailinpkt;
 	struct sockaddr_storage *srcadr;
@@ -446,8 +447,14 @@
 	|| (++ec, INFO_MBZ(inpkt-mbz_itemsize) != 0)
 	|| (++ec, rbufp-recv_length  REQ_LEN_HDR)
 		) {
-		msyslog(LOG_ERR, process_private: INFO_ERR_FMT: test %d failed, pkt from %s, ec, stoa(srcadr));
-		req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
+		NLOG(NLOG_SYSEVENT)
+			if (current_time = quiet_until) {
+msyslog(LOG_ERR,
+	process_private: drop test %d
+	 failed, pkt from %s,
+	ec, stoa(srcadr));
+quiet_until = current_time + 60;
+			}
 		return;
 	}

CVS commit: [netbsd-4] src/dist/ntp/ntpd

2009-05-25 Thread Soren Jacobsen

Module Name:src
Committed By:   snj
Date:   Tue May 26 05:17:29 UTC 2009

Modified Files:
src/dist/ntp/ntpd [netbsd-4]: ntp_crypto.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1320):
dist/ntp/ntpd/ntp_crypto.c: revision 1.15
Fix CVE-2009-1252: Buffer overflow in ntpd crypto code. A remote
attacker can send a specially constructed request packet that would
overflow the sprintf()'ed buffer causing ntpd to crash.


To generate a diff of this commit:
cvs rdiff -u -r1.10.4.1 -r1.10.4.2 src/dist/ntp/ntpd/ntp_crypto.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/dist/ntp/ntpd/ntp_crypto.c
diff -u src/dist/ntp/ntpd/ntp_crypto.c:1.10.4.1 src/dist/ntp/ntpd/ntp_crypto.c:1.10.4.2
--- src/dist/ntp/ntpd/ntp_crypto.c:1.10.4.1	Tue Aug 21 08:40:01 2007
+++ src/dist/ntp/ntpd/ntp_crypto.c	Tue May 26 05:17:29 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: ntp_crypto.c,v 1.10.4.1 2007/08/21 08:40:01 ghen Exp $	*/
+/*	$NetBSD: ntp_crypto.c,v 1.10.4.2 2009/05/26 05:17:29 snj Exp $	*/
 
 /*
  * ntp_crypto.c - NTP version 4 public key routines
@@ -572,7 +572,7 @@
 			peer-issuer = emalloc(vallen + 1);
 			strcpy(peer-issuer, peer-subject);
 			temp32 = (fstamp  16)  0x;
-			sprintf(statstr,
+			snprintf(statstr, NTP_MAXSTRLEN,
 			flags 0x%x host %s signature %s, fstamp,
 			peer-subject, OBJ_nid2ln(temp32));
 			record_crypto_stats(peer-srcadr, statstr);
@@ -638,7 +638,8 @@
 			}
 			peer-flash = ~TEST8;
 			temp32 = cinfo-nid;
-			sprintf(statstr, cert %s 0x%x %s (%u) fs %u,
+			snprintf(statstr, NTP_MAXSTRLEN,
+			cert %s 0x%x %s (%u) fs %u,
 			cinfo-subject, cinfo-flags,
 			OBJ_nid2ln(temp32), temp32,
 			ntohl(ep-fstamp));
@@ -687,7 +688,7 @@
 			peer-crypto |= CRYPTO_FLAG_VRFY |
 			CRYPTO_FLAG_PROV;
 			peer-flash = ~TEST8;
-			sprintf(statstr, iff fs %u,
+			snprintf(statstr, NTP_MAXSTRLEN, iff fs %u,
 			ntohl(ep-fstamp));
 			record_crypto_stats(peer-srcadr, statstr);
 #ifdef DEBUG
@@ -735,7 +736,7 @@
 			peer-crypto |= CRYPTO_FLAG_VRFY |
 			CRYPTO_FLAG_PROV;
 			peer-flash = ~TEST8;
-			sprintf(statstr, gq fs %u,
+			snprintf(statstr, NTP_MAXSTRLEN, gq fs %u,
 			ntohl(ep-fstamp));
 			record_crypto_stats(peer-srcadr, statstr);
 #ifdef DEBUG
@@ -776,7 +777,7 @@
 			peer-crypto |= CRYPTO_FLAG_VRFY |
 			CRYPTO_FLAG_PROV;
 			peer-flash = ~TEST8;
-			sprintf(statstr, mv fs %u,
+			snprintf(statstr, NTP_MAXSTRLEN, mv fs %u,
 			ntohl(ep-fstamp));
 			record_crypto_stats(peer-srcadr, statstr);
 #ifdef DEBUG
@@ -830,7 +831,7 @@
 			peer-crypto = ~CRYPTO_FLAG_AUTO;
 			peer-crypto |= CRYPTO_FLAG_AGREE;
 			peer-flash = ~TEST8;
-			sprintf(statstr, cook %x ts %u fs %u,
+			snprintf(statstr, NTP_MAXSTRLEN, cook %x ts %u fs %u,
 			peer-pcookie, ntohl(ep-tstamp),
 			ntohl(ep-fstamp));
 			record_crypto_stats(peer-srcadr, statstr);
@@ -895,7 +896,7 @@
 peer-crypto = ~CRYPTO_FLAG_AUTO;
 			peer-crypto |= CRYPTO_FLAG_AGREE;
 			peer-flash = ~TEST8;
-			sprintf(statstr, cook %x ts %u fs %u,
+			snprintf(statstr, NTP_MAXSTRLEN, cook %x ts %u fs %u,
 			peer-pcookie, ntohl(ep-tstamp),
 			ntohl(ep-fstamp));
 			record_crypto_stats(peer-srcadr, statstr);
@@ -946,7 +947,7 @@
 			peer-pkeyid = bp-key;
 			peer-crypto |= CRYPTO_FLAG_AUTO;
 			peer-flash = ~TEST8;
-			sprintf(statstr,
+			snprintf(statstr, NTP_MAXSTRLEN,
 			auto seq %d key %x ts %u fs %u, bp-seq,
 			bp-key, ntohl(ep-tstamp),
 			ntohl(ep-fstamp));
@@ -989,7 +990,8 @@
 			peer-crypto |= CRYPTO_FLAG_SIGN;
 			peer-flash = ~TEST8;
 			temp32 = cinfo-nid;
-			sprintf(statstr, sign %s 0x%x %s (%u) fs %u,
+			snprintf(statstr, NTP_MAXSTRLEN,
+			sign %s 0x%x %s (%u) fs %u,
 			cinfo-issuer, cinfo-flags,
 			OBJ_nid2ln(temp32), temp32,
 			ntohl(ep-fstamp));
@@ -1073,7 +1075,8 @@
 			crypto_flags |= CRYPTO_FLAG_TAI;
 			peer-crypto |= CRYPTO_FLAG_LEAP;
 			peer-flash = ~TEST8;
-			sprintf(statstr, leap %u ts %u fs %u, vallen,
+			snprintf(statstr, NTP_MAXSTRLEN,
+			leap %u ts %u fs %u, vallen,
 			ntohl(ep-tstamp), ntohl(ep-fstamp));
 			record_crypto_stats(peer-srcadr, statstr);
 #ifdef DEBUG
@@ -1129,7 +1132,7 @@
 		 * cheerfully ignored, as the message is not sent.
 		 */
 		if (rval  XEVNT_TSP) {
-			sprintf(statstr,
+			snprintf(statstr, NTP_MAXSTRLEN,
 			error %x opcode %x ts %u fs %u, rval,
 			code, tstamp, fstamp);
 			record_crypto_stats(peer-srcadr, statstr);
@@ -1455,7 +1458,8 @@
 	 */
 	if (rval != XEVNT_OK) {
 		opcode |= CRYPTO_ERROR;
-		sprintf(statstr, error %x opcode %x, rval, opcode);
+		snprintf(statstr, NTP_MAXSTRLEN,
+		error %x opcode %x, rval, opcode);
 		record_crypto_stats(srcadr_sin, statstr);
 		report_event(rval, NULL);
 #ifdef DEBUG
@@ -1954,7 +1958,8 @@
 		if (EVP_SignFinal(ctx, tai_leap.sig, len, sign_pkey))
 			tai_leap.siglen = htonl(len);
 	}
-	sprintf(statstr, update ts %u,

CVS commit: [netbsd-4] src/dist/ntp/ntpd

CVS commit: [netbsd-4] src/dist/ntp/ntpd

2 matches

Site Navigation

Mail list logo

Footer information