NetBSD-Bugs archive
bin/42464: timed interoperability has been broken since 2001
>Number: 42464
>Category: bin
>Synopsis: timed interoperability has been broken since 2001
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Dec 17 06:05:00 +0000 2009
>Originator: Timothy McIntosh
>Release: 5.0
>Organization:
Green Dome Software
>Environment:
NetBSD hoth.astro.net 5.0 NetBSD 5.0 (GENERIC32_IP2x) #0: Mon Apr 27 06:08:08 UTC 2009 builds%b1.netbsd.org@localhost:/home/builds/ab/netbsd-5-0-RELEASE/sgimips/200904260229Z-obj/home/builds/ab/netbsd-5-0-RELEASE/src/sys/arch/sgimips/compile/GENERIC32_IP2x sgimips
>Description:
timed interoperability has been broken since the patch described in FreeBSD
SA-01:28 was implemented in 2001:
http://security.freebsd.org/patches/SA-01:28/timed.patch
http://security.freebsd.org/advisories/FreeBSD-SA-01:28.timed.asc
This patch erroneously forces all TSP packets to be maximally sized. This is
in violation of the time synchronization protocol definition, which defines the
Machine Name field as a zero-terminated string from 1 to 256 ASCII characters
in length (including the terminating NUL character).
http://docs.freebsd.org/44doc/smm/12.timed/paper.pdf
Not all timed implementations send maximally-sized messages the way this
implementation does. One such system is Tru64 UNIX version 4.0F, where
MAXHOSTNAMELEN is defined as 64. The current timed implementation fails to
communicate with such a system, producing messages such as the following in the
system log:
Dec 16 22:52:38 hoth timed[364]: short packet (76/268 bytes) from 10.0.1.213
Note: In the 4.3BSD TSP definition, the tsp_name field was 32 characters in
size:
http://www.eecs.berkeley.edu/Pubs/TechRpts/1985/CSD-85-250.pdf
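As an added illustration (not part of this report or of the timed sources), a C check that applies the length rule from the description: accept a datagram once the fixed fields and at least one byte of tsp_name have arrived, zero the unsent tail as the patch's bzero() does, and additionally require the terminating NUL to lie within the bytes actually received. The struct tsp_wire layout, the TSP_* return codes and the tsp_check_peer() builder are assumptions, chosen so that sizeof is 268 bytes and a peer compiled with MAXHOSTNAMELEN 64 produces the 76-byte packet seen in the log.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TSP_NAME_MAX 256  /* BSD MAXHOSTNAMELEN: sizeof(struct tsp) == 268 */

/* Assumed wire layout: 4 header bytes, an 8-byte 32-bit timeval, the name.
 * A peer built with MAXHOSTNAMELEN 64 therefore sends 76 bytes, as logged. */
struct tsp_wire {
    uint8_t  tsp_type, tsp_vers;
    uint16_t tsp_seq;
    uint32_t tsp_sec, tsp_usec;
    char     tsp_name[TSP_NAME_MAX];
};
#define TSP_NAME_OFF offsetof(struct tsp_wire, tsp_name)
enum { TSP_OK = 0, TSP_TOO_SHORT = -1, TSP_TOO_LONG = -2, TSP_UNTERMINATED = -3 };
static char tsp_peer_name[TSP_NAME_MAX];  /* name from the last accepted packet */

/* Accept a datagram of n bytes if it carries the fixed fields plus a
 * NUL-terminated name of 1..256 bytes, instead of demanding sizeof(struct tsp). */
int tsp_accept(const unsigned char *pkt, size_t n)
{
    struct tsp_wire msg;
    if (n <= TSP_NAME_OFF)          /* the patch's test: not even one name byte */
        return TSP_TOO_SHORT;
    if (n > sizeof msg)
        return TSP_TOO_LONG;
    memset(&msg, 0, sizeof msg);    /* the patch's bzero: zero the unsent tail */
    memcpy(&msg, pkt, n);
    /* Stricter than the patch: the NUL must lie inside the bytes actually sent */
    if (memchr(msg.tsp_name, '\0', n - TSP_NAME_OFF) == NULL)
        return TSP_UNTERMINATED;
    strcpy(tsp_peer_name, msg.tsp_name);
    return TSP_OK;
}

/* Constructed sample input: the datagram a peer built with
 * MAXHOSTNAMELEN == peer_max would send, run through tsp_accept(). */
int tsp_check_peer(const char *host, size_t peer_max)
{
    unsigned char pkt[sizeof(struct tsp_wire)] = {0};
    size_t len = strlen(host);
    if (peer_max > TSP_NAME_MAX)
        peer_max = TSP_NAME_MAX;
    if (len > peer_max)
        len = peer_max;             /* peer truncates, possibly losing the NUL */
    pkt[0] = 1; pkt[1] = 1;         /* tsp_type, tsp_vers: arbitrary values */
    memcpy(pkt + TSP_NAME_OFF, host, len);
    return tsp_accept(pkt, TSP_NAME_OFF + peer_max);
}
```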
>How-To-Repeat:
Attempt to use timed with a system that does not send maximally-sized TSP
messages.
>Fix:
I have applied the following patch locally to the timed on my Mac OS X 10.5.8
(Darwin 9.8.0) system, and confirmed that it resolves the interoperability
issue. The NetBSD 5 timed code is essentially the same, so the same approach
would apply there, but I have not ported the patch as of this time:
diff -ur remote_cmds-13.0.2/timed.tproj/timed.tproj/globals.h remote_cmds-13.0.2-patched/timed.tproj/timed.tproj/globals.h
--- remote_cmds-13.0.2/timed.tproj/timed.tproj/globals.h 1999-05-01 22:57:34.000000000 -0500
+++ remote_cmds-13.0.2-patched/timed.tproj/timed.tproj/globals.h 2009-12-15 01:33:17.000000000 -0600
@@ -70,6 +70,7 @@
#include <errno.h>
#include <limits.h>
#include <netdb.h>
+#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
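Review bot: the added #include <stddef.h> is what supplies offsetof() for the readmsg.c hunk, and without it that hunk will not compile; putting it in globals.h works because the timed sources share that header, but since only readmsg.c uses offsetof(), including <stddef.h> directly in readmsg.c would keep the dependency next to its single use.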
diff -ur remote_cmds-13.0.2/timed.tproj/timed.tproj/readmsg.c remote_cmds-13.0.2-patched/timed.tproj/timed.tproj/readmsg.c
--- remote_cmds-13.0.2/timed.tproj/timed.tproj/readmsg.c 2006-02-07 00:23:04.000000000 -0600
+++ remote_cmds-13.0.2-patched/timed.tproj/timed.tproj/readmsg.c 2009-12-15 01:37:12.000000000 -0600
@@ -231,15 +231,16 @@
continue;
}
length = sizeof(from);
+ bzero(&msgin, sizeof msgin);
if ((n = recvfrom(sock, (char *)&msgin, sizeof(struct tsp), 0,
(struct sockaddr*)&from, &length)) < 0) {
syslog(LOG_ERR, "recvfrom: %m");
exit(1);
}
- if (n < (ssize_t)sizeof(struct tsp)) {
+ if (n <= (ssize_t)offsetof(struct tsp, tsp_name)) {
syslog(LOG_NOTICE,
"short packet (%u/%u bytes) from %s",
- n, sizeof(struct tsp),
+ n, offsetof(struct tsp, tsp_name)+1,
inet_ntoa(from.sin_addr));
continue;
}
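Review bot: the relaxed test `n <= offsetof(struct tsp, tsp_name)` accepts any datagram that reaches at least one byte of tsp_name, and the bzero() placed before recvfrom() is what guarantees a NUL terminator whenever fewer than sizeof(struct tsp) bytes arrive; a full-size packet whose tsp_name holds no NUL is not covered by these lines, so unless the surrounding code already forces a terminator, add `msgin.tsp_name[sizeof(msgin.tsp_name) - 1] = '\0';` after the length test so that later string handling cannot run off the field. Smaller points: `offsetof(struct tsp, tsp_name)+1` is a size_t passed for a `%u` conversion (as was `sizeof(struct tsp)` before, and `n` is an ssize_t), so cast both arguments to unsigned to make the syslog call correct on 64-bit hosts; and the second number in the "short packet" message now reports the minimum acceptable length rather than the expected size, which the wording "(%u/%u bytes)" no longer makes obvious, so consider "short packet (%u bytes, minimum %u)".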