Security fixes: check for short packets and bad types; from FreeBSD.

millert@ ok.

1 files changed, 16 insertions, 3 deletions

diff --git a/usr.sbin/timed/timed/readmsg.c b/usr.sbin/timed/timed/readmsg.c
index 868e018ad94..95381e7aa0a 100644
--- a/usr.sbin/timed/timed/readmsg.c
+++ b/usr.sbin/timed/timed/readmsg.c
@@ -36,7 +36,7 @@ static char sccsid[] = "@(#)readmsg.c	5.1 (Berkeley) 5/11/93";
 #endif /* not lint */
 
 #ifdef sgi
-#ident "$Revision: 1.3 $"
+#ident "$Revision: 1.4 $"
 #endif
 
 #include "globals.h"
@@ -85,6 +85,7 @@ readmsg(int type, char *machfrom, struct timeval *intvl,
 	struct tsplist *prev;
 	register struct netinfo *ntp;
 	register struct tsplist *ptr;
+	ssize_t n;
 
 	if (trace) {
 		fprintf(fd, "readmsg: looking for %s from %s, %s\n",
@@ -203,11 +204,17 @@ again:
 			continue;
 		}
 		length = sizeof(from);
-		if (recvfrom(sock, (char *)&msgin, sizeof(struct tsp), 0,
-			     (struct sockaddr*)&from, &length) < 0) {
+		if ((n = recvfrom(sock, (char *)&msgin, sizeof(struct tsp), 0,
+			     (struct sockaddr*)&from, &length)) < 0) {
 			syslog(LOG_ERR, "recvfrom: %m");
 			exit(1);
 		}
+		if (n < sizeof(struct tsp)) {
+			syslog(LOG_NOTICE, "short packet (%u/%u bytes) from %s",
+			    n, sizeof(struct tsp), inet_ntoa(from.sin_addr));
+			continue;
+		}
+
 		(void)gettimeofday(&from_when, (struct timezone *)0);
 		bytehostorder(&msgin);
 
@@ -441,6 +448,12 @@ struct sockaddr_in *addr;
 {
 	char tm[26];
 	time_t msgtime;
+	
+	if (msg->tsp_type > TSPTYPENUMBER) {
+		fprintf(fd, "bad type (%u) on packet from %s\n",
+		    msg->tsp_type, inet_ntoa(addr->sin_addr));
+		return;
+	}
 
 	switch (msg->tsp_type) {