fix CVE-2023-26555

chengyechun 2023-07-12 10:02:02 +08:00
parent 7bcb98c062
commit 4651c38e62
2 changed files with 110 additions and 1 deletions


@ -0,0 +1,102 @@
From 1e6893546c526c0961930b6b60a6aba42692dba9 Mon Sep 17 00:00:00 2001
From: Harlan Stenn <stenn@ntp.org>
Date: Sat, 13 May 2023 05:23:33 UTC
Subject: [PATCH] refclock_palisade:fix an out-of-bounds write in praecis_parse
Conflict:NA
Reference:https://www.eecis.udel.edu/~ntp/ntp_spool//ntp4/ntp-4.2.8p15-3806-3807.patch
---
ntpd/refclock_palisade.c | 50 ++++++++++++++++++++++++++++++++++------
1 file changed, 43 insertions(+), 7 deletions(-)
diff --git a/ntpd/refclock_palisade.c b/ntpd/refclock_palisade.c
index cb68255..66bfbc8 100644
--- a/ntpd/refclock_palisade.c
+++ b/ntpd/refclock_palisade.c
@@ -1225,9 +1225,9 @@ palisade_poll (
return; /* using synchronous packet input */
if(up->type == CLK_PRAECIS) {
- if(write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0)
+ if (write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0) {
msyslog(LOG_ERR, "Palisade(%d) write: %m:",unit);
- else {
+ } else {
praecis_msg = 1;
return;
}
@@ -1249,20 +1249,53 @@ praecis_parse (
pp = peer->procptr;
- memcpy(buf+p,rbufp->recv_space.X_recv_buffer, rbufp->recv_length);
+ if (p + rbufp->recv_length >= sizeof buf) {
+ struct palisade_unit *up;
+ up = pp->unitptr;
+
+ /*
+ * We COULD see if there is a \r\n in the incoming
+ * buffer before it overflows, and then process the
+ * current line.
+ *
+ * Similarly, if we already have a hunk of data that
+ * we're now flushing, that will cause the line of
+ * data we're in the process of collecting to be garbage.
+ *
+ * Since we now check for this overflow and log when it
+ * happens, we're now in a better place to easily see
+ * what's going on and perhaps better choices can be made.
+ */
+
+ /* Do we need to log the size of the overflow? */
+ msyslog(LOG_ERR, "Palisade(%d) praecis_parse(): input buffer overflow",
+ up->unit);
+
+ p = 0;
+ praecis_msg = 0;
+
+ refclock_report(peer, CEVNT_BADREPLY);
+
+ return;
+ }
+
+ memcpy(buf+p, rbufp->recv_buffer, rbufp->recv_length);
p += rbufp->recv_length;
- if(buf[p-2] == '\r' && buf[p-1] == '\n') {
+ if ( p >= 2
+ && buf[p-2] == '\r'
+ && buf[p-1] == '\n') {
buf[p-2] = '\0';
record_clock_stats(&peer->srcadr, buf);
p = 0;
praecis_msg = 0;
- if (HW_poll(pp) < 0)
+ if (HW_poll(pp) < 0) {
refclock_report(peer, CEVNT_FAULT);
-
+ }
}
+ return;
}
static void
@@ -1407,7 +1440,10 @@ HW_poll (
/* Edge trigger */
if (up->type == CLK_ACUTIME)
- write (pp->io.fd, "", 1);
+ if (write (pp->io.fd, "", 1) != 1)
+ msyslog(LOG_WARNING,
+ "Palisade(%d) HW_poll: failed to send trigger: %m",
+ up->unit);
if (ioctl(pp->io.fd, TIOCMSET, &x) < 0) {
#ifdef DEBUG
--
2.33.0
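Review bot: The palisade_poll hunk still treats a short write as success: `if (write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0)` only rejects a failed write, so a partial write sets `praecis_msg = 1` and returns, leaving the unit waiting for a status reply the receiver never saw a complete request for. The HW_poll hunk in the same patch already tightens its trigger write to `!= 1`; the same shape here would be `if (write(peer->procptr->io.fd, "SPSTAT\r\n", 8) != 8) {`, which on a blocking tty should behave identically in practice. In the praecis_parse hunk the new `p + rbufp->recv_length >= sizeof buf` guard is correct only because `buf` is a real array; its declaration and the type of `p` are outside the hunk, so that is worth confirming rather than assuming. Note also that the overflow branch logs at LOG_ERR and resets `p` on every oversized chunk, so a misbehaving or chatty serial device can produce one error line per received packet; if that turns out noisy, rate-limiting that message is the obvious follow-up. praecis_parse and HW_poll both begin before their hunks.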


@ -2,7 +2,7 @@
Name: ntp
Version: 4.2.8p15
Release: 8
Release: 9
Summary: A protocol designed to synchronize the clocks of computers over a network
License: MIT and BSD and BSD with advertising
URL: https://www.ntp.org/
@ -28,6 +28,7 @@ Patch5: Do-not-use-PTHREAD_STACK_MIN-on-glibc.patch
Patch6: fix-MD5-manpage.patch
Patch7: backport-CVE-2023-26551-CVE-2023-26552-CVE-2023-26553-CVE-2023-26554.patch
Patch8: backport-add-NULL-pointer-check-when-ntpd-deletes-the-last-interface.patch
Patch9: backport-CVE-2023-26555-fix-out-write-bounds-in-praecis_parse.patch
BuildRequires: libcap-devel openssl-devel libedit-devel libevent-devel pps-tools-devel
BuildRequires: autogen autogen-libopts-devel systemd gcc perl-generators perl-HTML-Parser
@ -211,6 +212,12 @@ make check
%{_mandir}/man8/*.8*
%changelog
* Wed Jul 12 2023 chengyechun <chengyechun1@huawei.com> - 4.2.8p15-9
- Type:CVE
- ID:CVE-2023-26555
- SUG:NA
- DESC:fix out write bounds in praecis_parse
* Wed Jun 21 2023 liubo <liubo335@huawei.com> - 4.2.8p15-8
- Type:bugfix
- ID: