From 55698119c6396e2f048d7202573eae00b353e1c1 Mon Sep 17 00:00:00 2001 From: "Federico G. Schwindt" Date: Sat, 31 Mar 2001 19:39:00 +0000 Subject: Security fixes: check for short packets and bad types; from FreeBSD. millert@ ok. --- usr.sbin/timed/timed/readmsg.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) (limited to 'usr.sbin/timed') diff --git a/usr.sbin/timed/timed/readmsg.c b/usr.sbin/timed/timed/readmsg.c index 868e018ad94..95381e7aa0a 100644 --- a/usr.sbin/timed/timed/readmsg.c +++ b/usr.sbin/timed/timed/readmsg.c @@ -36,7 +36,7 @@ static char sccsid[] = "@(#)readmsg.c 5.1 (Berkeley) 5/11/93"; #endif /* not lint */ #ifdef sgi -#ident "$Revision: 1.3 $" +#ident "$Revision: 1.4 $" #endif #include "globals.h" @@ -85,6 +85,7 @@ readmsg(int type, char *machfrom, struct timeval *intvl, struct tsplist *prev; register struct netinfo *ntp; register struct tsplist *ptr; + ssize_t n; if (trace) { fprintf(fd, "readmsg: looking for %s from %s, %s\n", @@ -203,11 +204,17 @@ again: continue; } length = sizeof(from); - if (recvfrom(sock, (char *)&msgin, sizeof(struct tsp), 0, - (struct sockaddr*)&from, &length) < 0) { + if ((n = recvfrom(sock, (char *)&msgin, sizeof(struct tsp), 0, + (struct sockaddr*)&from, &length)) < 0) { syslog(LOG_ERR, "recvfrom: %m"); exit(1); } + if (n < sizeof(struct tsp)) { + syslog(LOG_NOTICE, "short packet (%u/%u bytes) from %s", + n, sizeof(struct tsp), inet_ntoa(from.sin_addr)); + continue; + } + (void)gettimeofday(&from_when, (struct timezone *)0); bytehostorder(&msgin); @@ -441,6 +448,12 @@ struct sockaddr_in *addr; { char tm[26]; time_t msgtime; + + if (msg->tsp_type > TSPTYPENUMBER) { + fprintf(fd, "bad type (%u) on packet from %s\n", + msg->tsp_type, inet_ntoa(addr->sin_addr)); + return; + } switch (msg->tsp_type) { -- cgit v1.2.3