[src/netbsd-1-5]: src/usr.sbin/timed/timed Pull up revision 1.10 (requested b...
details: https://anonhg.NetBSD.org/src/rev/3a5d536c178f
branches: netbsd-1-5
changeset: 491282:3a5d536c178f
user: he <he%NetBSD.org@localhost>
date: Sat Apr 21 20:20:27 2001 +0000
description:
Pull up revision 1.10 (requested by soda):
Fix remote denial-of-service problem related to mishandling
of malformed messages.
diffstat:
usr.sbin/timed/timed/readmsg.c | 31 ++++++++++++++++++++++++++-----
1 files changed, 26 insertions(+), 5 deletions(-)
diffs (80 lines):
diff -r 76c19cbea097 -r 3a5d536c178f usr.sbin/timed/timed/readmsg.c
--- a/usr.sbin/timed/timed/readmsg.c Sat Apr 21 19:53:51 2001 +0000
+++ b/usr.sbin/timed/timed/readmsg.c Sat Apr 21 20:20:27 2001 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: readmsg.c,v 1.9 2000/03/27 17:07:23 kleink Exp $ */
+/* $NetBSD: readmsg.c,v 1.9.4.1 2001/04/21 20:20:27 he Exp $ */
/*-
* Copyright (c) 1985, 1993 The Regents of the University of California.
@@ -38,12 +38,12 @@
#if 0
static char sccsid[] = "@(#)readmsg.c 8.1 (Berkeley) 6/6/93";
#else
-__RCSID("$NetBSD: readmsg.c,v 1.9 2000/03/27 17:07:23 kleink Exp $");
+__RCSID("$NetBSD: readmsg.c,v 1.9.4.1 2001/04/21 20:20:27 he Exp $");
#endif
#endif /* not lint */
#ifdef sgi
-#ident "$Revision: 1.9 $"
+#ident "$Revision: 1.9.4.1 $"
#endif
#include "globals.h"
@@ -92,6 +92,7 @@
struct tsplist *prev;
register struct netinfo *ntp;
register struct tsplist *ptr;
+ ssize_t n;
if (trace) {
fprintf(fd, "readmsg: looking for %s from %s, %s\n",
@@ -211,11 +212,18 @@
continue;
}
length = sizeof(from);
- if (recvfrom(sock, (char *)&msgin, sizeof(struct tsp), 0,
- (struct sockaddr*)&from, &length) < 0) {
+ if ((n = recvfrom(sock, (char *)&msgin, sizeof(struct tsp), 0,
+ (struct sockaddr*)&from, &length)) < 0) {
syslog(LOG_ERR, "recvfrom: %m");
exit(1);
}
+ if (n < (ssize_t)sizeof(struct tsp)) {
+ syslog(LOG_NOTICE,
+ "short packet (%lu/%lu bytes) from %s",
+ (u_long)n, (u_long)sizeof(struct tsp),
+ inet_ntoa(from.sin_addr));
+ continue;
+ }
(void)gettimeofday(&from_when, (struct timezone *)0);
bytehostorder(&msgin);
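Review bot: The new `syslog(LOG_NOTICE, ...)` for short packets, and the one the next hunk adds for an unterminated `tsp_name`, run once per rejected datagram with no throttling. A remote sender can therefore still drive syslog at packet rate, and the logged `from.sin_addr` is taken from an unauthenticated UDP datagram, so the address in the log cannot be trusted for attribution. I would keep the `continue` but rate-limit the message, for example by counting rejects and logging a summary at most once per interval, or emit the per-packet line only on the trace path, e.g. `if (trace) fprintf(fd, "short packet (%lu bytes) from %s\n", (u_long)n, inet_ntoa(from.sin_addr));`. The receive loop starts and ends outside this hunk, so how the surrounding code handles repeated rejects is not visible here.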
@@ -227,6 +235,13 @@
continue;
}
+ if (memchr(msgin.tsp_name,
+ '\0', sizeof msgin.tsp_name) == NULL) {
+ syslog(LOG_NOTICE, "hostname field not NUL terminated "
+ "in packet from %s", inet_ntoa(from.sin_addr));
+ continue;
+ }
+
fromnet = NULL;
for (ntp = nettab; ntp != NULL; ntp = ntp->next)
if ((ntp->mask & from.sin_addr.s_addr) ==
@@ -442,6 +457,12 @@
char tm[26];
time_t msgtime;
+ if (msg->tsp_type >= TSPTYPENUMBER) {
+ fprintf(fd, "bad type (%u) on packet from %s\n",
+ msg->tsp_type, inet_ntoa(addr->sin_addr));
+ return;
+ }
+
switch (msg->tsp_type) {
case TSP_LOOP:
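Review bot: The `msg->tsp_type >= TSPTYPENUMBER` guard is added only at the top of this printing routine, so it protects the trace output but not any other consumer of the type field. If other code uses `tsp_type` from a received packet as a table index (not visible in this diff), the value is better rejected once at the receive point, next to the new length and NUL-termination checks, e.g. `if (msgin.tsp_type >= TSPTYPENUMBER) continue;` after `bytehostorder(&msgin)`. A short comment such as `/* tsp_type comes off the wire; it must be bounded before any table lookup by type */` would also record why the guard exists. The function body continues past the end of this hunk.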