From: Harlan Stenn
Date: Sat, 31 Aug 2019 23:56:58 +0000 (+0000)
Subject: [Bug 3610] process_control() should bail earlier on short packets. stenn@
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=392bd998f9cbb747c9c1566694fc612c94fbcefe;p=thirdparty%2Fntp.git
[Bug 3610] process_control() should bail earlier on short packets. stenn@
bk: 5d6b094axCclawopUzI7_YAnJghpFg
---
diff --git a/ChangeLog b/ChangeLog
index 64f404a51..1491eaad2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 ---
+* [Bug 3610] process_control() should bail earlier on short packets. stenn@
+ - Reported by Philippe Antoine
 * [Bug 3608] libparse fails to compile on S11.4SRU13 and later
 - removed ffs() and fls() prototypes as per Brian Utterback
 * [Bug 3604] Wrong param byte order passing into record_raw_stats() in
diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c
index 824505474..cb476320b 100644
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -1189,15 +1189,21 @@ process_control(
 pkt = (struct ntp_control *)&rbufp->recv_pkt;
 
 /*
- * If the length is less than required for the header, or
- * it is a response or a fragment, ignore this.
+ * If the length is less than required for the header,
+ * ignore it.
 */
- if (rbufp->recv_length < (int)CTL_HEADER_LEN
- || (CTL_RESPONSE | CTL_MORE | CTL_ERROR) & pkt->r_m_e_op
+ if (rbufp->recv_length < (int)CTL_HEADER_LEN) {
+ DPRINTF(1, ("Short control packet\n"));
+ numctltooshort++;
+ return;
+ }
+
+ /*
+ * If this packet is a response or a fragment, ignore it.
+ */
+ if ( (CTL_RESPONSE | CTL_MORE | CTL_ERROR) & pkt->r_m_e_op
 || pkt->offset != 0) {
 DPRINTF(1, ("invalid format in control packet\n"));
- if (rbufp->recv_length < (int)CTL_HEADER_LEN)
- numctltooshort++;
 if (CTL_RESPONSE & pkt->r_m_e_op)
 numctlinputresp++;
 if (CTL_MORE & pkt->r_m_e_op)
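Review bot: The new length guard is what now keeps `pkt->r_m_e_op` and `pkt->offset` from being read out of a receive buffer shorter than the control header, but neither comment says that the ordering is load-bearing, so a later cleanup could fold the two ifs back together; I would state it on the first check, e.g. `/* No field of pkt may be read until recv_length covers CTL_HEADER_LEN. */`, and have the second comment mention CTL_ERROR as well since it is part of the mask. The two diagnostics are inconsistently capitalised (`"Short control packet\n"` beside `"invalid format in control packet\n"`), and `if (  (CTL_RESPONSE` carries inner padding the neighbouring conditions do not. Only the fixed header is bounded here; whether the variable-length payload is later checked against recv_length is decided outside this hunk and I cannot confirm it from what is shown. process_control begins before and continues past the hunk, and the second hunk is whitespace only.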
@@ -1208,6 +1214,7 @@ process_control(
 numctlbadoffset++;
 return;
 }
+
 res_version = PKT_VERSION(pkt->li_vn_mode);
 if (res_version > NTP_VERSION || res_version < NTP_OLDVERSION) {
 DPRINTF(1, ("unknown version %d in control packet\n",