Many files:
authorHarlan Stenn <stenn@ntp.org>
Sat, 9 Jun 2001 01:07:24 +0000 (01:07 -0000)
committerHarlan Stenn <stenn@ntp.org>
Sat, 9 Jun 2001 01:07:24 +0000 (01:07 -0000)
  * configure.in: 4.0.99m-rc1b
  * ntpd/refclock_true.c (true_debug): Bump some buffer sizes to
  reduce/eliminate chance of buffer overflow.  Use snprintf()
  instead of sprintf().  Do a better job of opening the debug file.
  * ntpd/ntp_control.c (ctl_getitem): Count overflow packets as bad
  and return a BADFMT.
  * ntpd/ntp_config.c (save_resolve): call fdopen() with the correct
  mode.
  From: Bela Lubkin <belal@sco.com>

bk: 3b2176ccj2xbb_oMrLwSzKvugZ9POg

ChangeLog
configure
configure.in
ntpd/ntp_config.c
ntpd/ntp_control.c
ntpd/refclock_true.c

index c4246522e6ad2e005347df8771aaef28b7061dc8..70741991704d5f438e2da9c15b61bf0dd1cefad1 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@
+2001-06-08  Harlan Stenn  <stenn@whimsy.udel.edu>
+
+       * configure.in: 4.0.99m-rc1b
+
+       * ntpd/refclock_true.c (true_debug): Bump some buffer sizes to
+       reduce/eliminate chance of buffer overflow.  Use snprintf()
+       instead of sprintf().  Do a better job of opening the debug file.
+       * ntpd/ntp_control.c (ctl_getitem): Count overflow packets as bad
+       and return a BADFMT.
+       * ntpd/ntp_config.c (save_resolve): call fdopen() with the correct
+       mode.
+       From: Bela Lubkin <belal@sco.com>
+
 2001-06-03  Harlan Stenn  <stenn@whimsy.udel.edu>
 
        * include/ntp.h (RES_ALLFLAGS): Add RES_DEMOBILIZE.
index 291c86f63935e1f8ed2a4c19f63ae06171ea40f3..dbe181d382b9c3426a058fd4fe22ce3fce8e53d3 100755 (executable)
--- a/configure
+++ b/configure
@@ -1377,7 +1377,7 @@ fi
 
 # Define the identity of the package.
 PACKAGE=ntp
-VERSION=4.0.99m-rc1a
+VERSION=4.0.99m-rc1b
 
 cat >>confdefs.h <<EOF
 #define PACKAGE "$PACKAGE"
index 9d1d0013aa7f7aa4e82dbcd6a959f8fed854705c..053de2c2a3f5393ed0d2bbca957ab2e5facd772a 100644 (file)
@@ -5,7 +5,7 @@ AC_CANONICAL_SYSTEM
 AC_DEFINE_UNQUOTED(STR_SYSTEM, "$target")
 AM_CONFIG_HEADER(config.h)
 AC_ARG_PROGRAM
-AM_INIT_AUTOMAKE(ntp, 4.0.99m-rc1a)
+AM_INIT_AUTOMAKE(ntp, 4.0.99m-rc1b)
 AC_PREREQ(2.49)
 
 ac_cv_var_oncore_ok=no
index 4ea304da2060a98b3289bccad4c8e25a6f71cf91..3f0e72db55edabe32027747c073e8cf2c8817c7a 100644 (file)
@@ -2054,7 +2054,7 @@ save_resolve(
 
                        res_fp = NULL;
                        if ((fd = mkstemp(res_file)) != -1)
-                               res_fp = fdopen(fd, "w");
+                               res_fp = fdopen(fd, "r+");
                }
 #else
                (void) mktemp(res_file);
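Review bot: When `fdopen(fd, "r+")` returns NULL in save_resolve, the descriptor returned by mkstemp() stays open and the file it created stays on disk, since the visible lines only assign `res_fp`. Something like `if (res_fp == NULL) { (void) close(fd); (void) unlink(res_file); }` after the call would cover that path. The `#else` branch kept as context still relies on mktemp(), which only picks a name and leaves a window before the file is opened. How that name is opened lies outside the hunk, as does the rest of save_resolve.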
index c807d53830170bf37b7172db39ebabd308e78300..570e2f90f781d8a877fc2ec3efb338924a5c08ab 100644 (file)
@@ -1867,6 +1867,8 @@ ctl_getitem(
                                        while (cp < reqend && *cp != ',') {
                                                *tp++ = *cp++;
                                                if (tp >= buf + sizeof(buf)) {
+                                                       ctl_error(CERR_BADFMT);
+                                                       numctlbadpkts++;
                                                        msyslog(LOG_WARNING,
                "Possible 'ntpdx' exploit from %s:%d (possibly spoofed)\n",
                inet_ntoa(rmt_addr->sin_addr), ntohs(rmt_addr->sin_port)
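Review bot: The added `ctl_error(CERR_BADFMT)` and `numctlbadpkts++` in the overflow branch of ctl_getitem carry no comment saying that the packet is rejected and parsing must stop, and the hunk ends inside the msyslog() call, so it does not show whether the function returns before the copy loop runs again. If control could reach `*tp++ = *cp++` once more after `tp >= buf + sizeof(buf)` is true, the next write would land past `buf`, so it is worth confirming that a return follows the log call. I would add `/* value does not fit in buf: reject as BADFMT, count it, and stop parsing this packet */` above the new lines. The warning is emitted once per offending packet and, as its own text says, the source address may be spoofed, so a rate limit on this log line would be a reasonable follow-up.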
index 19945028634a0a1454ab827e4ac7f8978d7a1904..dcc362d30096f40ce459fe1af7c11e016189dbc3 100644 (file)
@@ -212,11 +212,12 @@ true_debug(struct peer *peer, const char *fmt, ...)
        if (want_debugging != now_debugging)
        {
                if (want_debugging) {
-                   char filename[20];
+                   char filename[40];
+                   int fd;
 
-                   sprintf(filename, "/tmp/true%d.debug", up->unit);
-                   up->debug = fopen(filename, "w");
-                   if (up->debug) {
+                   snprintf(filename, sizeof(filename), "/tmp/true%d.debug", up->unit);
+                   fd = open(filename, O_CREAT | O_WRONLY | O_EXCL, 0600);
+                   if (fd >= 0 && (up->debug = fdopen(fd, "r+"))) {
 #ifdef HAVE_SETVBUF
                            static char buf[BUFSIZ];
                            setvbuf(up->debug, buf, _IOLBF, BUFSIZ);
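Review bot: `fdopen(fd, "r+")` asks for a read/write stream on a descriptor that the line above opens with `O_WRONLY`. POSIX requires the stream mode to be allowed by the descriptor's access mode, and some C libraries reject the mismatch with EINVAL, in which case the debug file is never attached. Either open with `O_RDWR` or, if the stream is only ever written to, use `fdopen(fd, "w")`. When fdopen() fails, the `&&` leaves `fd` open with nothing in the visible lines to close it, so that path needs an explicit `close(fd)`. `O_EXCL` with mode 0600 is the right defence for a predictable name in /tmp, but a leftover `/tmp/true%d.debug` from an earlier run then makes the open fail silently, so a log message on failure would help. The hunk does not show `<fcntl.h>` being included for open() and the O_* flags, and true_debug continues past the hunk.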
@@ -248,13 +249,13 @@ true_start(
 {
        register struct true_unit *up;
        struct refclockproc *pp;
-       char device[20];
+       char device[40];
        int fd;
 
        /*
         * Open serial port
         */
-       (void)sprintf(device, DEVICE, unit);
+       (void)snprintf(device, sizeof(device), DEVICE, unit);
        if (!(fd = refclock_open(device, SPEED232, LDISC_CLK)))
            return (0);