From: Juergen Perlinger Date: Sun, 21 Feb 2016 14:09:37 +0000 (+0100) Subject: [Bug 3009] Crafted addpeer with hmode > 7 causes OOB error X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ce65c90e91f4d0938ec15869f454f55b06cff6fe;p=thirdparty%2Fntp.git [Bug 3009] Crafted addpeer with hmode > 7 causes OOB error bk: 56c9c5218oFfAM2Htz-Zz0kGVqWFow --- diff --git a/ChangeLog b/ChangeLog index c70fe8fc5..48df16559 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,8 @@ * [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org * [Bug 2995] Fixes to compile on Windows +* [Bug 3009] Crafted addpeer with hmode > 7 causes OOB error. perlinger@ntp.org + - added more stringent checks on packet content --- (4.2.8p6) 2016/01/20 Released by Harlan Stenn diff --git a/ntpd/ntp_request.c b/ntpd/ntp_request.c index ba968e2c8..3c537b054 100644 --- a/ntpd/ntp_request.c +++ b/ntpd/ntp_request.c 
@@ -1342,11 +1342,38 @@ do_conf( peeraddr.sa.sa_len = SOCKLEN(&peeraddr); #endif - /* XXX W2DO? minpoll/maxpoll arguments ??? */ + /* check mode value: 0 <= hmode <= 6 + * + * There's no good global define for that limit, and + * using a magic define is as good (or bad, actually) as + * a magic number. So we use the highest possible peer + * mode, and that is MODE_BCLIENT. + * + * [Bug 3009] claims that a problem occurs for hmode > 7, + * but the code in ntp_peer.c indicates trouble for any + * hmode > 6 ( --> MODE_BCLIENT). + */ + if (temp_cp.hmode > MODE_BCLIENT) { + req_ack(srcadr, inter, inpkt, INFO_ERR_FMT); + return; + } + + /* Any more checks on the values? Unchecked at this + * point: + * - version + * - ttl + * - keyid + * + * - minpoll/maxpoll, but they are treated properly + * for all cases internally. Checking not necessary. + */ + + /* finally create the peer */ if (peer_config(&peeraddr, NULL, NULL, temp_cp.hmode, temp_cp.version, temp_cp.minpoll, temp_cp.maxpoll, fl, temp_cp.ttl, temp_cp.keyid, - NULL) == 0) { + NULL) == 0) + { req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA); return; }
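Review bot: the ChangeLog entry "added more stringent checks on packet content" overstates what this hunk does; the only new check is the `hmode > MODE_BCLIENT` range test in do_conf(), and the new comment block itself lists version, ttl and keyid as still unchecked. Suggest wording the entry to match, e.g. "- reject addpeer requests with hmode > MODE_BCLIENT in do_conf()", so the release notes do not imply broader input validation than the diff provides.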
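Review bot: the comment promises "0 <= hmode <= 6" but the code tests only the upper bound, `if (temp_cp.hmode > MODE_BCLIENT)`; unless temp_cp.hmode is an unsigned type, negative values still reach peer_config(). Either confirm in the review that the field is unsigned or make the check two-sided. The "Any more checks on the values?" block leaves version, ttl and keyid explicitly unvalidated; if that is intentional, mark it as a TODO rather than an open question so it does not read as a finished audit. Minor style point: moving the opening brace to its own line (`NULL) == 0)` / `{`) is an unrelated change that breaks with the brace-on-the-same-line style used by the new `if (temp_cp.hmode > MODE_BCLIENT) {` a few lines above; keep the original brace placement to keep the fix minimal.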