Module Name:src
Committed By: snj
Date: Tue May 26 05:17:29 UTC 2009
Modified Files:
src/dist/ntp/ntpd [netbsd-4]: ntp_crypto.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1320):
dist/ntp/ntpd/ntp_crypto.c: revision 1.15
Fix CVE-2009-1252: Buffer overflow in ntpd crypto code. A remote
attacker can send a specially constructed request packet that would
overflow the sprintf()'ed buffer causing ntpd to crash.
To generate a diff of this commit:
cvs rdiff -u -r1.10.4.1 -r1.10.4.2 src/dist/ntp/ntpd/ntp_crypto.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/dist/ntp/ntpd/ntp_crypto.c
diff -u src/dist/ntp/ntpd/ntp_crypto.c:1.10.4.1 src/dist/ntp/ntpd/ntp_crypto.c:1.10.4.2
--- src/dist/ntp/ntpd/ntp_crypto.c:1.10.4.1 Tue Aug 21 08:40:01 2007
+++ src/dist/ntp/ntpd/ntp_crypto.c Tue May 26 05:17:29 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: ntp_crypto.c,v 1.10.4.1 2007/08/21 08:40:01 ghen Exp $ */
+/* $NetBSD: ntp_crypto.c,v 1.10.4.2 2009/05/26 05:17:29 snj Exp $ */
/*
* ntp_crypto.c - NTP version 4 public key routines
@@ -572,7 +572,7 @@
peer-issuer = emalloc(vallen + 1);
strcpy(peer-issuer, peer-subject);
temp32 = (fstamp 16) 0x;
- sprintf(statstr,
+ snprintf(statstr, NTP_MAXSTRLEN,
flags 0x%x host %s signature %s, fstamp,
peer-subject, OBJ_nid2ln(temp32));
record_crypto_stats(peer-srcadr, statstr);
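Review bot: The size passed to the new snprintf() is the macro NTP_MAXSTRLEN rather than the size of the destination, so the bound is only right while statstr's declaration, which lies outside every hunk shown, uses that same macro. If statstr is a local array, `snprintf(statstr, sizeof(statstr),` keeps the limit tied to the buffer and cannot drift when the declaration changes. If it is a pointer, a short comment naming where the NTP_MAXSTRLEN-sized storage is set up would do the same job. The same remark applies to the snprintf() calls added in the hunks at -638, -687, -735, -776, -830, -895, -946, -989, -1073, -1129 and -1455.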
@@ -638,7 +638,8 @@
}
peer-flash = ~TEST8;
temp32 = cinfo-nid;
- sprintf(statstr, cert %s 0x%x %s (%u) fs %u,
+ snprintf(statstr, NTP_MAXSTRLEN,
+ cert %s 0x%x %s (%u) fs %u,
cinfo-subject, cinfo-flags,
OBJ_nid2ln(temp32), temp32,
ntohl(ep-fstamp));
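Review bot: The return value of snprintf() is discarded here, so a long `cinfo->subject` now truncates the record silently and the fields that follow the string (flags, signature type, nid, filestamp) drop off the stats line. The subject presumably comes from a certificate supplied by the peer, which would let a remote party decide whether those fields are logged. Either give the string a precision so the trailing fields always fit, for example `%.64s` (value illustrative), or test the result with `if (n < 0 || n >= NTP_MAXSTRLEN)` and record that the line was cut. The `%s` arguments in the hunks at -572 and -989 have the same problem. The enclosing function starts and ends outside the hunk.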
@@ -687,7 +688,7 @@
peer-crypto |= CRYPTO_FLAG_VRFY |
CRYPTO_FLAG_PROV;
peer-flash = ~TEST8;
- sprintf(statstr, iff fs %u,
+ snprintf(statstr, NTP_MAXSTRLEN, iff fs %u,
ntohl(ep-fstamp));
record_crypto_stats(peer-srcadr, statstr);
#ifdef DEBUG
@@ -735,7 +736,7 @@
peer-crypto |= CRYPTO_FLAG_VRFY |
CRYPTO_FLAG_PROV;
peer-flash = ~TEST8;
- sprintf(statstr, gq fs %u,
+ snprintf(statstr, NTP_MAXSTRLEN, gq fs %u,
ntohl(ep-fstamp));
record_crypto_stats(peer-srcadr, statstr);
#ifdef DEBUG
@@ -776,7 +777,7 @@
peer-crypto |= CRYPTO_FLAG_VRFY |
CRYPTO_FLAG_PROV;
peer-flash = ~TEST8;
- sprintf(statstr, mv fs %u,
+ snprintf(statstr, NTP_MAXSTRLEN, mv fs %u,
ntohl(ep-fstamp));
record_crypto_stats(peer-srcadr, statstr);
#ifdef DEBUG
@@ -830,7 +831,7 @@
peer-crypto = ~CRYPTO_FLAG_AUTO;
peer-crypto |= CRYPTO_FLAG_AGREE;
peer-flash = ~TEST8;
- sprintf(statstr, cook %x ts %u fs %u,
+ snprintf(statstr, NTP_MAXSTRLEN, cook %x ts %u fs %u,
peer-pcookie, ntohl(ep-tstamp),
ntohl(ep-fstamp));
record_crypto_stats(peer-srcadr, statstr);
@@ -895,7 +896,7 @@
peer-crypto = ~CRYPTO_FLAG_AUTO;
peer-crypto |= CRYPTO_FLAG_AGREE;
peer-flash = ~TEST8;
- sprintf(statstr, cook %x ts %u fs %u,
+ snprintf(statstr, NTP_MAXSTRLEN, cook %x ts %u fs %u,
peer-pcookie, ntohl(ep-tstamp),
ntohl(ep-fstamp));
record_crypto_stats(peer-srcadr, statstr);
@@ -946,7 +947,7 @@
peer-pkeyid = bp-key;
peer-crypto |= CRYPTO_FLAG_AUTO;
peer-flash = ~TEST8;
- sprintf(statstr,
+ snprintf(statstr, NTP_MAXSTRLEN,
auto seq %d key %x ts %u fs %u, bp-seq,
bp-key, ntohl(ep-tstamp),
ntohl(ep-fstamp));
@@ -989,7 +990,8 @@
peer-crypto |= CRYPTO_FLAG_SIGN;
peer-flash = ~TEST8;
temp32 = cinfo-nid;
- sprintf(statstr, sign %s 0x%x %s (%u) fs %u,
+ snprintf(statstr, NTP_MAXSTRLEN,
+ sign %s 0x%x %s (%u) fs %u,
cinfo-issuer, cinfo-flags,
OBJ_nid2ln(temp32), temp32,
ntohl(ep-fstamp));
@@ -1073,7 +1075,8 @@
crypto_flags |= CRYPTO_FLAG_TAI;
peer-crypto |= CRYPTO_FLAG_LEAP;
peer-flash = ~TEST8;
- sprintf(statstr, leap %u ts %u fs %u, vallen,
+ snprintf(statstr, NTP_MAXSTRLEN,
+ leap %u ts %u fs %u, vallen,
ntohl(ep-tstamp), ntohl(ep-fstamp));
record_crypto_stats(peer-srcadr, statstr);
#ifdef DEBUG
@@ -1129,7 +1132,7 @@
* cheerfully ignored, as the message is not sent.
*/
if (rval XEVNT_TSP) {
- sprintf(statstr,
+ snprintf(statstr, NTP_MAXSTRLEN,
error %x opcode %x ts %u fs %u, rval,
code, tstamp, fstamp);
record_crypto_stats(peer-srcadr, statstr);
@@ -1455,7 +1458,8 @@
*/
if (rval != XEVNT_OK) {
opcode |= CRYPTO_ERROR;
- sprintf(statstr, error %x opcode %x, rval, opcode);
+ snprintf(statstr, NTP_MAXSTRLEN,
+ error %x opcode %x, rval, opcode);
record_crypto_stats(srcadr_sin, statstr);
report_event(rval, NULL);
#ifdef DEBUG
@@ -1954,7 +1958,8 @@
if (EVP_SignFinal(ctx, tai_leap.sig, len, sign_pkey))
tai_leap.siglen = htonl(len);
}
- sprintf(statstr, update ts %u,