ntp:slove fuzz test problem
reason:slove fuzz test problem
This commit is contained in:
Choice
Gitee
parent
3a37f9872d
commit
09595bfb06
@ -0,0 +1,83 @@
|
||||
From 21cb57ce25f11df0890946e3173fe0c25d932809 Mon Sep 17 00:00:00 2001
|
||||
From: wangli <wangli221@huawei.com>
|
||||
Date: Wed, 15 Apr 2020 07:03:00 +0800
|
||||
Subject: [PATCH] Use-of-uninitialized-value in receive function
|
||||
|
||||
---
|
||||
ntpd/ntp_proto.c | 43 ++++++++++++++++++++++++++++---------------
|
||||
1 file changed, 28 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c
|
||||
index eb66351..baffe1b 100644
|
||||
--- a/ntpd/ntp_proto.c
|
||||
+++ b/ntpd/ntp_proto.c
|
||||
@@ -640,31 +640,20 @@ receive(
|
||||
*/
|
||||
/*
|
||||
* Bogus port check is before anything, since it probably
|
||||
- * reveals a clogging attack.
|
||||
+ * reveals a clogging attack. Likewise the mimimum packet size
|
||||
+ * of 2 bytes (for mode 6/7) must be checked first.
|
||||
*/
|
||||
sys_received++;
|
||||
- if (0 == SRCPORT(&rbufp->recv_srcadr)) {
|
||||
+ if (0 == SRCPORT(&rbufp->recv_srcadr) || rbufp->recv_length < 2) {
|
||||
sys_badlength++;
|
||||
- return; /* bogus port */
|
||||
+ return; /* bogus port / length */
|
||||
}
|
||||
restrictions(&rbufp->recv_srcadr, &r4a);
|
||||
restrict_mask = r4a.rflags;
|
||||
|
||||
pkt = &rbufp->recv_pkt;
|
||||
hisversion = PKT_VERSION(pkt->li_vn_mode);
|
||||
- hisleap = PKT_LEAP(pkt->li_vn_mode);
|
||||
hismode = (int)PKT_MODE(pkt->li_vn_mode);
|
||||
- hisstratum = PKT_TO_STRATUM(pkt->stratum);
|
||||
- DPRINTF(1, ("receive: at %ld %s<-%s ippeerlimit %d mode %d iflags %s restrict %s org %#010x.%08x xmt %#010x.%08x\n",
|
||||
- current_time, stoa(&rbufp->dstadr->sin),
|
||||
- stoa(&rbufp->recv_srcadr), r4a.ippeerlimit, hismode,
|
||||
- build_iflags(rbufp->dstadr->flags),
|
||||
- build_rflags(restrict_mask),
|
||||
- ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf),
|
||||
- ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf)));
|
||||
-
|
||||
- /* See basic mode and broadcast checks, below */
|
||||
- INSIST(0 != hisstratum);
|
||||
|
||||
if (restrict_mask & RES_IGNORE) {
|
||||
DPRINTF(2, ("receive: drop: RES_IGNORE\n"));
|
||||
@@ -696,6 +685,30 @@ receive(
|
||||
return; /* no time serve */
|
||||
}
|
||||
|
||||
+
|
||||
+ /* If we arrive here, we should have a standard NTP packet. We
|
||||
+ * check that the minimum size is available and fetch some more
|
||||
+ * items from the packet once we can be sure they are indeed
|
||||
+ * there.
|
||||
+ */
|
||||
+ if (rbufp->recv_length < LEN_PKT_NOMAC) {
|
||||
+ sys_badlength++;
|
||||
+ return; /* bogus length */
|
||||
+ }
|
||||
+
|
||||
+ hisleap = PKT_LEAP(pkt->li_vn_mode);
|
||||
+ hisstratum = PKT_TO_STRATUM(pkt->stratum);
|
||||
+ INSIST(0 != hisstratum); /* paranoia check PKT_TO_STRATUM result */
|
||||
+
|
||||
+ DPRINTF(1, ("receive: at %ld %s<-%s ippeerlimit %d mode %d iflags %s "
|
||||
+ "restrict %s org %#010x.%08x xmt %#010x.%08x\n",
|
||||
+ current_time, stoa(&rbufp->dstadr->sin),
|
||||
+ stoa(&rbufp->recv_srcadr), r4a.ippeerlimit, hismode,
|
||||
+ build_iflags(rbufp->dstadr->flags),
|
||||
+ build_rflags(restrict_mask),
|
||||
+ ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf),
|
||||
+ ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf)));
|
||||
+
|
||||
/*
|
||||
* This is for testing. If restricted drop ten percent of
|
||||
* surviving packets.
|
||||
--
|
||||
2.23.0
|
||||
|
||||
@ -0,0 +1,50 @@
|
||||
From 4cd04668f0e28927b7efb39e0699719813f66f51 Mon Sep 17 00:00:00 2001
|
||||
From: wangli <wangli221@huawei.com>
|
||||
Date: Wed, 15 Apr 2020 06:40:22 +0800
|
||||
Subject: [PATCH] process_control() should bail earlier on short packets
|
||||
|
||||
---
|
||||
ntpd/ntp_control.c | 19 +-
|
||||
1 files changed, 21 insertions(+), 28 deletions(-)
|
||||
create mode 100644 ntpd/ntp_control.c.orig
|
||||
|
||||
diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c
|
||||
index 48cd908..5984c8c 100644
|
||||
--- a/ntpd/ntp_control.c
|
||||
+++ b/ntpd/ntp_control.c
|
||||
@@ -1187,15 +1187,21 @@ process_control(
|
||||
pkt = (struct ntp_control *)&rbufp->recv_pkt;
|
||||
|
||||
/*
|
||||
- * If the length is less than required for the header, or
|
||||
- * it is a response or a fragment, ignore this.
|
||||
+ * If the length is less than required for the header,
|
||||
+ * ignore it.
|
||||
*/
|
||||
- if (rbufp->recv_length < (int)CTL_HEADER_LEN
|
||||
- || (CTL_RESPONSE | CTL_MORE | CTL_ERROR) & pkt->r_m_e_op
|
||||
+ if (rbufp->recv_length < (int)CTL_HEADER_LEN) {
|
||||
+ DPRINTF(1, ("Short control packet\n"));
|
||||
+ numctltooshort++;
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * If this packet is a response or a fragment, ignore it.
|
||||
+ */
|
||||
+ if ( (CTL_RESPONSE | CTL_MORE | CTL_ERROR) & pkt->r_m_e_op
|
||||
|| pkt->offset != 0) {
|
||||
DPRINTF(1, ("invalid format in control packet\n"));
|
||||
- if (rbufp->recv_length < (int)CTL_HEADER_LEN)
|
||||
- numctltooshort++;
|
||||
if (CTL_RESPONSE & pkt->r_m_e_op)
|
||||
numctlinputresp++;
|
||||
if (CTL_MORE & pkt->r_m_e_op)
|
||||
@@ -1206,6 +1212,7 @@ process_control(
|
||||
numctlbadoffset++;
|
||||
return;
|
||||
}
|
||||
+
|
||||
res_version = PKT_VERSION(pkt->li_vn_mode);
|
||||
if (res_version > NTP_VERSION || res_version < NTP_OLDVERSION) {
|
||||
DPRINTF(1, ("unknown version %d in control packet\n",
|
||||
Loading…
x
Reference in New Issue
Block a user