ntp:slove fuzz test problem
reason:slove fuzz test problem
This commit is contained in:
Choice
Gitee
parent
3a37f9872d
commit
09595bfb06
@ -0,0 +1,83 @@
|
|||||||
|
From 21cb57ce25f11df0890946e3173fe0c25d932809 Mon Sep 17 00:00:00 2001
|
||||||
|
From: wangli <wangli221@huawei.com>
|
||||||
|
Date: Wed, 15 Apr 2020 07:03:00 +0800
|
||||||
|
Subject: [PATCH] Use-of-uninitialized-value in receive function
|
||||||
|
|
||||||
|
---
|
||||||
|
ntpd/ntp_proto.c | 43 ++++++++++++++++++++++++++++---------------
|
||||||
|
1 file changed, 28 insertions(+), 15 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c
|
||||||
|
index eb66351..baffe1b 100644
|
||||||
|
--- a/ntpd/ntp_proto.c
|
||||||
|
+++ b/ntpd/ntp_proto.c
|
||||||
|
@@ -640,31 +640,20 @@ receive(
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* Bogus port check is before anything, since it probably
|
||||||
|
- * reveals a clogging attack.
|
||||||
|
+ * reveals a clogging attack. Likewise the mimimum packet size
|
||||||
|
+ * of 2 bytes (for mode 6/7) must be checked first.
|
||||||
|
*/
|
||||||
|
sys_received++;
|
||||||
|
- if (0 == SRCPORT(&rbufp->recv_srcadr)) {
|
||||||
|
+ if (0 == SRCPORT(&rbufp->recv_srcadr) || rbufp->recv_length < 2) {
|
||||||
|
sys_badlength++;
|
||||||
|
- return; /* bogus port */
|
||||||
|
+ return; /* bogus port / length */
|
||||||
|
}
|
||||||
|
restrictions(&rbufp->recv_srcadr, &r4a);
|
||||||
|
restrict_mask = r4a.rflags;
|
||||||
|
|
||||||
|
pkt = &rbufp->recv_pkt;
|
||||||
|
hisversion = PKT_VERSION(pkt->li_vn_mode);
|
||||||
|
- hisleap = PKT_LEAP(pkt->li_vn_mode);
|
||||||
|
hismode = (int)PKT_MODE(pkt->li_vn_mode);
|
||||||
|
- hisstratum = PKT_TO_STRATUM(pkt->stratum);
|
||||||
|
- DPRINTF(1, ("receive: at %ld %s<-%s ippeerlimit %d mode %d iflags %s restrict %s org %#010x.%08x xmt %#010x.%08x\n",
|
||||||
|
- current_time, stoa(&rbufp->dstadr->sin),
|
||||||
|
- stoa(&rbufp->recv_srcadr), r4a.ippeerlimit, hismode,
|
||||||
|
- build_iflags(rbufp->dstadr->flags),
|
||||||
|
- build_rflags(restrict_mask),
|
||||||
|
- ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf),
|
||||||
|
- ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf)));
|
||||||
|
-
|
||||||
|
- /* See basic mode and broadcast checks, below */
|
||||||
|
- INSIST(0 != hisstratum);
|
||||||
|
|
||||||
|
if (restrict_mask & RES_IGNORE) {
|
||||||
|
DPRINTF(2, ("receive: drop: RES_IGNORE\n"));
|
||||||
|
@@ -696,6 +685,30 @@ receive(
|
||||||
|
return; /* no time serve */
|
||||||
|
}
|
||||||
|
|
||||||
|
+
|
||||||
|
+ /* If we arrive here, we should have a standard NTP packet. We
|
||||||
|
+ * check that the minimum size is available and fetch some more
|
||||||
|
+ * items from the packet once we can be sure they are indeed
|
||||||
|
+ * there.
|
||||||
|
+ */
|
||||||
|
+ if (rbufp->recv_length < LEN_PKT_NOMAC) {
|
||||||
|
+ sys_badlength++;
|
||||||
|
+ return; /* bogus length */
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ hisleap = PKT_LEAP(pkt->li_vn_mode);
|
||||||
|
+ hisstratum = PKT_TO_STRATUM(pkt->stratum);
|
||||||
|
+ INSIST(0 != hisstratum); /* paranoia check PKT_TO_STRATUM result */
|
||||||
|
+
|
||||||
|
+ DPRINTF(1, ("receive: at %ld %s<-%s ippeerlimit %d mode %d iflags %s "
|
||||||
|
+ "restrict %s org %#010x.%08x xmt %#010x.%08x\n",
|
||||||
|
+ current_time, stoa(&rbufp->dstadr->sin),
|
||||||
|
+ stoa(&rbufp->recv_srcadr), r4a.ippeerlimit, hismode,
|
||||||
|
+ build_iflags(rbufp->dstadr->flags),
|
||||||
|
+ build_rflags(restrict_mask),
|
||||||
|
+ ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf),
|
||||||
|
+ ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf)));
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* This is for testing. If restricted drop ten percent of
|
||||||
|
* surviving packets.
|
||||||
|
--
|
||||||
|
2.23.0
|
||||||
|
|
||||||
@ -0,0 +1,50 @@
|
|||||||
|
From 4cd04668f0e28927b7efb39e0699719813f66f51 Mon Sep 17 00:00:00 2001
|
||||||
|
From: wangli <wangli221@huawei.com>
|
||||||
|
Date: Wed, 15 Apr 2020 06:40:22 +0800
|
||||||
|
Subject: [PATCH] process_control() should bail earlier on short packets
|
||||||
|
|
||||||
|
---
|
||||||
|
ntpd/ntp_control.c | 19 +-
|
||||||
|
1 files changed, 21 insertions(+), 28 deletions(-)
|
||||||
|
create mode 100644 ntpd/ntp_control.c.orig
|
||||||
|
|
||||||
|
diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c
|
||||||
|
index 48cd908..5984c8c 100644
|
||||||
|
--- a/ntpd/ntp_control.c
|
||||||
|
+++ b/ntpd/ntp_control.c
|
||||||
|
@@ -1187,15 +1187,21 @@ process_control(
|
||||||
|
pkt = (struct ntp_control *)&rbufp->recv_pkt;
|
||||||
|
|
||||||
|
/*
|
||||||
|
- * If the length is less than required for the header, or
|
||||||
|
- * it is a response or a fragment, ignore this.
|
||||||
|
+ * If the length is less than required for the header,
|
||||||
|
+ * ignore it.
|
||||||
|
*/
|
||||||
|
- if (rbufp->recv_length < (int)CTL_HEADER_LEN
|
||||||
|
- || (CTL_RESPONSE | CTL_MORE | CTL_ERROR) & pkt->r_m_e_op
|
||||||
|
+ if (rbufp->recv_length < (int)CTL_HEADER_LEN) {
|
||||||
|
+ DPRINTF(1, ("Short control packet\n"));
|
||||||
|
+ numctltooshort++;
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * If this packet is a response or a fragment, ignore it.
|
||||||
|
+ */
|
||||||
|
+ if ( (CTL_RESPONSE | CTL_MORE | CTL_ERROR) & pkt->r_m_e_op
|
||||||
|
|| pkt->offset != 0) {
|
||||||
|
DPRINTF(1, ("invalid format in control packet\n"));
|
||||||
|
- if (rbufp->recv_length < (int)CTL_HEADER_LEN)
|
||||||
|
- numctltooshort++;
|
||||||
|
if (CTL_RESPONSE & pkt->r_m_e_op)
|
||||||
|
numctlinputresp++;
|
||||||
|
if (CTL_MORE & pkt->r_m_e_op)
|
||||||
|
@@ -1206,6 +1212,7 @@ process_control(
|
||||||
|
numctlbadoffset++;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
res_version = PKT_VERSION(pkt->li_vn_mode);
|
||||||
|
if (res_version > NTP_VERSION || res_version < NTP_OLDVERSION) {
|
||||||
|
DPRINTF(1, ("unknown version %d in control packet\n",
|
||||||
Loading…
x
Reference in New Issue
Block a user