From: Dave Hart Date: Mon, 26 Oct 2009 20:49:30 +0000 (+0000) Subject: CIDs 94-99 make it more clearly impossible for sock_hash() to return X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2e7428c9d5ffa0835e90fa9e0c49e9e6ed2dbc6d;p=thirdparty%2Fntp.git CIDs 94-99 make it more clearly impossible for sock_hash() to return a negative number. CID 105, 106 ensure ntpdc arrays are not overrun even if callers misbehave. CID 113 use va_end() in refclock_true.c true_debug(). bk: 4ae60b5aZ8vhrZE18J75aB-x2FwFlw --- diff --git a/ChangeLog b/ChangeLog index 2211842e46..59fb2301ce 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,10 @@ * [Bug 1354] libtool error building after bootstrap with Autoconf 2.64. * Allow NTP_VPATH_HACK configure test to handle newer gmake versions. +* CIDs 94-99 make it more clearly impossible for sock_hash() to return + a negative number. +* CID 105, 106 ensure ntpdc arrays are not overrun even if callers + misbehave. +* CID 113 use va_end() in refclock_true.c true_debug(). (4.2.5p237-RC) 2009/10/26 Released by Harlan Stenn * [Bug 610] NMEA support for using PPSAPI on a different device. * [Bug 1238] use only fudge time2 to offset NMEA serial timestamp. diff --git a/include/ntpd.h b/include/ntpd.h index 30d6d838be..86e0d84433 100644 --- a/include/ntpd.h +++ b/include/ntpd.h @@ -245,7 +245,7 @@ extern void record_crypto_stats (sockaddr_u *, const char *); #ifdef DEBUG extern void record_timing_stats (const char *); #endif -extern int sock_hash (sockaddr_u *); +extern u_short sock_hash (sockaddr_u *); extern char * fstostr(time_t); /* NTP timescale seconds */ extern double old_drift; extern int drift_file_sw; diff --git a/libntp/ntp_rfc2553.c b/libntp/ntp_rfc2553.c index cd0db85032..03af593cf7 100644 --- a/libntp/ntp_rfc2553.c +++ b/libntp/ntp_rfc2553.c @@ -69,7 +69,9 @@ #include #include +#ifdef HAVE_SYS_SOCKET_H #include +#endif #include #ifdef HAVE_NETINET_IN_H #include 
diff --git a/ntpd/ntp_monitor.c b/ntpd/ntp_monitor.c index 41d1748e1e..05dca322e1 100644 --- a/ntpd/ntp_monitor.c +++ b/ntpd/ntp_monitor.c @@ -54,9 +54,9 @@ /* * Hashing stuff */ -#define MON_HASH_SIZE 128 -#define MON_HASH_MASK (MON_HASH_SIZE-1) -#define MON_HASH(addr) sock_hash(addr) +#define MON_HASH_SIZE NTP_HASH_SIZE +#define MON_HASH_MASK NTP_HASH_MASK +#define MON_HASH(addr) NTP_HASH_ADDR(addr) /* * Pointers to the hash table, the MRU list and the count table. Memory @@ -212,8 +212,8 @@ ntp_monitor( { register struct pkt *pkt; register struct mon_data *md; - sockaddr_u addr; - register int hash; + sockaddr_u addr; + register u_int hash; register int mode; int interval; @@ -388,7 +388,7 @@ remove_from_hash( struct mon_data *md ) { - register int hash; + register u_int hash; register struct mon_data *md_prev; hash = MON_HASH(&md->rmtadr); diff --git a/ntpd/ntp_peer.c b/ntpd/ntp_peer.c index 18ba4844d8..78d58ca65e 100644 --- a/ntpd/ntp_peer.c +++ b/ntpd/ntp_peer.c @@ -220,7 +220,7 @@ findpeer( ) { register struct peer *peer; - int hash; + u_int hash; findpeer_calls++; hash = NTP_HASH_ADDR(srcadr); @@ -270,7 +270,7 @@ findpeerbyassoc( ) { register struct peer *peer; - int hash; + u_int hash; assocpeer_calls++; @@ -717,7 +717,7 @@ newpeer( ) { struct peer *peer; - int i; + u_int hash; char tbuf[80]; #ifdef OPENSSL 
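Review bot: Nothing next to the MON_HASH_* macros records that the monitor hash table must keep exactly NTP_HASH_SIZE entries, yet that is now what keeps the index in range. The bound comes from sock_hash() in ntpd/ntp_util.c, which this commit changes to return `hashVal & NTP_HASH_MASK`, so a later edit that gives the monitor table its own size again would index it with a value limited by a different mask. I would extend the `Hashing stuff` comment with `/* sock_hash() masks with NTP_HASH_MASK, so the table indexed by MON_HASH() must have NTP_HASH_SIZE entries */`. The definition of NTP_HASH_ADDR() is not part of this diff; presumably it expands to sock_hash(), which is worth confirming.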
@@ -889,12 +889,12 @@ newpeer( /* * Put the new peer in the hash tables. */ - i = NTP_HASH_ADDR(&peer->srcadr); - LINK_SLIST(peer_hash[i], peer, next); - peer_hash_count[i]++; - i = peer->associd & NTP_HASH_MASK; - LINK_SLIST(assoc_hash[i], peer, ass_next); - assoc_hash_count[i]++; + hash = NTP_HASH_ADDR(&peer->srcadr); + LINK_SLIST(peer_hash[hash], peer, next); + peer_hash_count[hash]++; + hash = peer->associd & NTP_HASH_MASK; + LINK_SLIST(assoc_hash[hash], peer, ass_next); + assoc_hash_count[hash]++; snprintf(tbuf, sizeof(tbuf), "assoc %d", peer->associd); report_event(PEVNT_MOBIL, peer, tbuf); DPRINTF(1, ("newpeer: %s->%s mode %d vers %d poll %d %d flags 0x%x 0x%x ttl %d key %08x\n", diff --git a/ntpd/ntp_util.c b/ntpd/ntp_util.c index cb25828b86..bf3725c017 100644 --- a/ntpd/ntp_util.c +++ b/ntpd/ntp_util.c @@ -1051,15 +1051,15 @@ rereadkeys(void) /* * sock_hash - hash a sockaddr_u structure */ -int +u_short sock_hash( sockaddr_u *addr ) { - int hashVal; - int i; - int len; - char *ch; + u_int hashVal; + u_int j; + size_t len; + u_char *pch; hashVal = 0; len = 0; 
@@ -1068,33 +1068,30 @@ sock_hash( * fields in sockaddr_in6 that might be filled in by recvfrom(), * so just use the family, port and address. */ - ch = (char *)&AF(addr); - hashVal = 37 * hashVal + (int)*ch; + pch = (u_char *)&AF(addr); + hashVal = 37 * hashVal + *pch; if (sizeof(AF(addr)) > 1) { - ch++; - hashVal = 37 * hashVal + (int)*ch; + pch++; + hashVal = 37 * hashVal + *pch; } switch(AF(addr)) { case AF_INET: - ch = (char *)&SOCK_ADDR4(addr); + pch = (u_char *)&SOCK_ADDR4(addr); len = sizeof(SOCK_ADDR4(addr)); break; case AF_INET6: - ch = (char *)&SOCK_ADDR6(addr); + pch = (u_char *)&SOCK_ADDR6(addr); len = sizeof(SOCK_ADDR6(addr)); break; } - for (i = 0; i < len ; i++) - hashVal = 37 * hashVal + (int)*(ch + i); + for (j = 0; j < len ; j++) + hashVal = 37 * hashVal + pch[j]; -#define MON_HASH_SIZE 128 /* duplicated from ntp_monitor.c */ + hashVal = hashVal & NTP_HASH_MASK; - hashVal = hashVal % MON_HASH_SIZE; - if (hashVal < 0) - hashVal += MON_HASH_SIZE; - return hashVal; + return (u_short)hashVal; } diff --git a/ntpd/refclock_true.c b/ntpd/refclock_true.c index 3abe56e4e3..717748152f 100644 --- a/ntpd/refclock_true.c +++ b/ntpd/refclock_true.c @@ -235,6 +235,7 @@ true_debug(struct peer *peer, const char *fmt, ...) fprintf(up->debug, "true%d: ", up->unit); vfprintf(up->debug, fmt, ap); } + va_end(ap); } #endif /*STDC*/ diff --git a/ntpdc/ntpdc_ops.c b/ntpdc/ntpdc_ops.c index 20627615de..62b44ed71e 100644 --- a/ntpdc/ntpdc_ops.c +++ b/ntpdc/ntpdc_ops.c @@ -697,6 +697,7 @@ showpeer( struct info_peer *pp; /* 4 is the maximum number of peers which will fit in a packet */ struct info_peer_list *pl, plist[min(MAXARGS, 4)]; + int qitemlim; int qitems; int items; int itemsize; 
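Review bot: The comment kept as context at the top of this sock_hash() hunk says the hash uses "the family, port and address", but no visible line mixes the port in: only the bytes of AF(addr) and of SOCK_ADDR4()/SOCK_ADDR6() reach hashVal, assuming those macros name the address field alone. Either the comment should read `* so just use the family and address.` or the port should be hashed; as written, peers that differ only in port share a bucket, which may be intended. The switch also has no `default:`, so for any other family len stays 0 and only the family bytes are hashed; `default: break; /* unknown family: hash the family bytes only */` would make that explicit. The function's declarations and opening lines are in the previous hunk.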
@@ -709,7 +710,8 @@ again: else sendsize = v4sizeof(struct info_peer_list); - for (qitems = 0, pl = plist; qitems < min(pcmd->nargs, 4); qitems++) { + qitemlim = min(pcmd->nargs, COUNTOF(plist)); + for (qitems = 0, pl = plist; qitems < qitemlim; qitems++) { if (IS_IPV4(&pcmd->argval[qitems].netnum)) { pl->addr = NSRCADR(&pcmd->argval[qitems].netnum); if (impl_ver == IMPL_XNTPD) @@ -769,6 +771,7 @@ peerstats( /* 4 is the maximum number of peers which will fit in a packet */ struct info_peer_list *pl, plist[min(MAXARGS, 4)]; sockaddr_u src, dst; + int qitemlim; int qitems; int items; int itemsize; @@ -781,8 +784,10 @@ again: else sendsize = v4sizeof(struct info_peer_list); - memset((char *)plist, 0, sizeof(struct info_peer_list) * min(MAXARGS, 4)); - for (qitems = 0, pl = plist; qitems < min(pcmd->nargs, 4); qitems++) { + memset(plist, 0, sizeof(plist)); + + qitemlim = min(pcmd->nargs, COUNTOF(plist)); + for (qitems = 0, pl = plist; qitems < qitemlim; qitems++) { if (IS_IPV4(&pcmd->argval[qitems].netnum)) { pl->addr = NSRCADR(&pcmd->argval[qitems].netnum); if (impl_ver == IMPL_XNTPD) @@ -1498,6 +1503,7 @@ unconfig( { /* 8 is the maximum number of peers which will fit in a packet */ struct conf_unpeer *pl, plist[min(MAXARGS, 8)]; + int qitemlim; int qitems; int items; int itemsize; @@ -1511,7 +1517,8 @@ again: else sendsize = v4sizeof(struct conf_unpeer); - for (qitems = 0, pl = plist; qitems < min(pcmd->nargs, 8); qitems++) { + qitemlim = min(pcmd->nargs, COUNTOF(plist)); + for (qitems = 0, pl = plist; qitems < qitemlim; qitems++) { if (IS_IPV4(&pcmd->argval[0].netnum)) { pl->peeraddr = NSRCADR(&pcmd->argval[qitems].netnum); if (impl_ver == IMPL_XNTPD) @@ -1579,7 +1586,6 @@ doset( int req ) { - /* 8 is the maximum number of peers which will fit in a packet */ struct conf_sys_flags sys; int items; int itemsize; 
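Review bot: A negative pcmd->nargs may now run the showpeer() fill loop COUNTOF(plist) times instead of zero times, reading argval entries the user never supplied. If COUNTOF() yields a size_t, nargs is a signed int and min() is the usual ternary macro (none of the three definitions is in this diff), the comparison is done unsigned and the negative value loses, whereas the old `min(pcmd->nargs, 4)` compared two ints. Casting the bound keeps the comparison signed: `qitemlim = min(pcmd->nargs, (int)COUNTOF(plist));`. The same expression is used in peerstats(), unconfig(), preset(), clockstat() and clkbug(), and the loop body here continues past the end of the hunk.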
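Review bot: Only peerstats() clears plist before filling it; the matching fill loops in showpeer(), unconfig() and preset() show no memset between the sendsize assignment and the loop in their hunks, unless one sits above the `again:` label. If those arrays are handed to the query routine as they are (the call is outside every hunk), any field or padding byte the loop does not set would leave the process as uninitialised stack data. Adding `memset(plist, 0, sizeof(plist));` before each of those loops would make the four functions consistent.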
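Review bot: The address-family test on the context line right after the new loop header in unconfig() reads `IS_IPV4(&pcmd->argval[0].netnum)` while the assignment under it uses `argval[qitems]`, so every entry is classified by the first argument's family. With a mixed list, an IPv6 argument following an IPv4 first argument would go through NSRCADR() as if it were IPv4. preset() has the same loop with `argval[qitems]` in the test, which suggests the index 0 is a slip: `if (IS_IPV4(&pcmd->argval[qitems].netnum)) {`. The loop body continues past the end of the hunk.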
@@ -2157,6 +2163,7 @@ preset( { /* 8 is the maximum number of peers which will fit in a packet */ struct conf_unpeer *pl, plist[min(MAXARGS, 8)]; + int qitemlim; int qitems; int items; int itemsize; @@ -2170,7 +2177,8 @@ again: else sendsize = v4sizeof(struct conf_unpeer); - for (qitems = 0, pl = plist; qitems < min(pcmd->nargs, 8); qitems++) { + qitemlim = min(pcmd->nargs, COUNTOF(plist)); + for (qitems = 0, pl = plist; qitems < qitemlim; qitems++) { if (IS_IPV4(&pcmd->argval[qitems].netnum)) { pl->peeraddr = NSRCADR(&pcmd->argval[qitems].netnum); if (impl_ver == IMPL_XNTPD) @@ -2659,7 +2667,7 @@ clockstat( struct info_clock *cl; /* 8 is the maximum number of clocks which will fit in a packet */ u_long clist[min(MAXARGS, 8)]; - int qitemc; + int qitemlim; int qitems; int items; int itemsize; @@ -2667,9 +2675,8 @@ clockstat( l_fp ts; struct clktype *clk; - qitemc = min(pcmd->nargs, COUNTOF(clist)); - - for (qitems = 0; qitems < qitemc; qitems++) + qitemlim = min(pcmd->nargs, COUNTOF(clist)); + for (qitems = 0; qitems < qitemlim; qitems++) clist[qitems] = NSRCADR(&pcmd->argval[qitems].netnum); again: @@ -2834,6 +2841,7 @@ clkbug( /* 8 is the maximum number of clocks which will fit in a packet */ u_long clist[min(MAXARGS, 8)]; u_int32 ltemp; + int qitemlim; int qitems; int items; int itemsize; @@ -2841,7 +2849,8 @@ clkbug( int needsp; l_fp ts; - for (qitems = 0; qitems < min(pcmd->nargs, 8); qitems++) + qitemlim = min(pcmd->nargs, COUNTOF(clist)); + for (qitems = 0; qitems < qitemlim; qitems++) clist[qitems] = NSRCADR(&pcmd->argval[qitems].netnum); again: @@ -2855,13 +2864,13 @@ again: } if (res != 0) - return; + return; if (!checkitems(items, fp)) - return; + return; if (!checkitemsize(itemsize, sizeof(struct info_clkbug))) - return; + return; while (items-- > 0) { (void) fprintf(fp, "clock address: %s\n",