doc/share/security/patches/SA-01:28/timed.patch

Index: readmsg.c
===================================================================
RCS file: /mnt/ncvs/src/usr.sbin/timed/timed/readmsg.c,v
retrieving revision 1.5
retrieving revision 1.7
diff -u -r1.5 -r1.7
--- readmsg.c	1999/08/28 01:20:18	1.5
+++ readmsg.c	2001/01/01 18:43:21	1.7
@@ -88,6 +88,7 @@
 	struct tsplist *prev;
 	register struct netinfo *ntp;
 	register struct tsplist *ptr;
+	ssize_t n;
 
 	if (trace) {
 		fprintf(fd, "readmsg: looking for %s from %s, %s\n",
@@ -206,11 +207,18 @@
 			continue;
 		}
 		length = sizeof(from);
-		if (recvfrom(sock, (char *)&msgin, sizeof(struct tsp), 0,
-			     (struct sockaddr*)&from, &length) < 0) {
+		if ((n = recvfrom(sock, (char *)&msgin, sizeof(struct tsp), 0,
+			     (struct sockaddr*)&from, &length)) < 0) {
 			syslog(LOG_ERR, "recvfrom: %m");
 			exit(1);
 		}
+		if (n < (ssize_t)sizeof(struct tsp)) {
+			syslog(LOG_NOTICE,
+			    "short packet (%u/%u bytes) from %s",
+			      n, sizeof(struct tsp),
+			      inet_ntoa(from.sin_addr));
+			continue;
+		}
 		(void)gettimeofday(&from_when, (struct timezone *)0);
 		bytehostorder(&msgin);
 
@@ -222,6 +230,13 @@
 			continue;
 		}
 
+		if (memchr(msgin.tsp_name,
+		    '\0', sizeof msgin.tsp_name) == NULL) {
+			syslog(LOG_NOTICE, "hostname field not NUL terminated "
+			    "in packet from %s", inet_ntoa(from.sin_addr));
+			continue;
+		}
+
 		fromnet = NULL;
 		for (ntp = nettab; ntp != NULL; ntp = ntp->next)
 			if ((ntp->mask & from.sin_addr.s_addr) ==
@@ -436,6 +451,13 @@
 {
 	char tm[26];
 	time_t tsp_time_sec;
+
+	if (msg->tsp_type >= TSPTYPENUMBER) {
+		fprintf(fd, "bad type (%u) on packet from %s\n",
+		  msg->tsp_type, inet_ntoa(addr->sin_addr));
+		return;
+	}
+
 	switch (msg->tsp_type) {
 
 	case TSP_LOOP: