From: David Schultz (dschultz_at_uclink.Berkeley.EDU)
Date: Sat Feb 15 2003 - 22:36:34 CST


    [from stable]

    Thus spake Charles Sprickman <sporkinch.com>:
    > I saw this article on DaemonNews:
    >
    > http://www.onlamp.com/lpt/a/3221
    >
    > Is there any such clock-setting trickery planned or in progress in -stable
    > or -current? Pretty nifty idea given ntpd's sordid history.

    Without volunteering to do anything about it for lack of time, I'd
    like to profess my support for this idea. ntpd has problems. I
    recommended running the part of ntpd that talks to the network as
    non-root when I audited it last year.

    I know of at least three buffer overflows (in the input from the
    user who starts ntpd, not remotely exploitable), a possible bug in
    the crypto code that causes one of the session keys used to be
    predictable, two sloppy off-by-one errors (on the safe side,
    fortunately), and a failure to null-terminate a string that is
    passed to printf() when debug mode is used. Rather than actually
    using those brand new and terribly unportable interfaces like
    snprintf(3) and strncpy(3), the author tries to precompute maximum
    possible buffer sizes and occasionally seems to get it wrong.

    I have to share the following excerpt from ntpd with you, partly
    because it's some of the most screwed up non-IOCCC code I have
    ever seen, and partly because if I had to suffer through it, I
    figure others might as well, too. It's actually a lot worse than
    it looks, given that approximately 55% of the text-containing
    lines in the file are either #ifdef, #elif, #else, or #endif, or
    #if. Audit that!

       285 int
       286 ntpdmain(
       287 int argc,
       288 char *argv[]
       289 )
       290 {
    ...
       345 # ifdef DEBUG
       346 if (!debug && !nofork)
       347 # else /* DEBUG */
       348 if (!nofork)
       349 # endif /* DEBUG */
       350 {
    ...
       439 }
       440 # endif /* NODETACH */
       441 # if defined(SYS_WINNT) && !defined(NODETACH)
       442 else
       443 service_main(argc, argv);
       444 return 0; /* must return a value */
       445 } /* end main */

       446 /*
       447 * If this runs as a service under NT, the main thread will block at
       448 * StartServiceCtrlDispatcher() and another thread will be started by the
       449 * Service Control Dispatcher which will begin execution at the routine
       450 * specified in that call (viz. service_main)
       451 */
       452 void
       453 service_main(
       454 DWORD argc,
       455 LPTSTR *argv
       456 )
       457 {
    ...
       490 # endif /* defined(SYS_WINNT) && !defined(NODETACH) */
    ...
       503 #if !defined(SYS_WINNT) && !defined(VMS)
    ...
       518 #endif /* !SYS_WINNT && !VMS */
    ...
       837 }

    (In case you didn't catch that, notice that there are two possible
    places where main() can end, and they're several hundred lines
    apart. There's actually a third possibility, which is not shown
    above. I just noticed that the 'if' I excerpted from line 346
    might not be the right one, but it seems to be the only one at the
    correct indentation. I'd have to run the code through cpp again
    to be sure.)

    P.S. Did I read correctly that Niels Provos is now with NetBSD?
    Did Theo scare him off?

    To Unsubscribe: send mail to majordomoFreeBSD.org
    with "unsubscribe freebsd-security" in the body of the message
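The two defects the mail names most concretely, a fixed buffer whose size was guessed rather than enforced, and a string handed to printf() without a terminator, are shown below side by side with the bounded idioms it recommends. This is an added illustration, not code from ntpd or from the message; the 8-byte field size and the sample inputs are constructed so that the boundary case is easy to hit.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed field size: small on purpose so an exact-fit input is easy to produce. */
#define FIELD_SZ 8

/* True if buf[0..sz) contains a NUL, i.e. it is safe to hand to a plain %s conversion. */
bool is_terminated(const char *buf, size_t sz)
{
    return memchr(buf, '\0', sz) != NULL;
}

/* The idiom the mail complains about: strncpy() fills the buffer but writes no
 * terminator when strlen(src) >= sz. Returns whether dst ended up terminated. */
bool strncpy_copy(char *dst, size_t sz, const char *src)
{
    strncpy(dst, src, sz);
    return is_terminated(dst, sz);
}

/* Bounded copy that always terminates. Returns true when src was truncated,
 * so the caller can log or reject over-long input instead of silently losing it. */
bool bounded_copy(char *dst, size_t sz, const char *src)
{
    size_t n = strlen(src);
    if (sz == 0)
        return n > 0;
    if (n >= sz) {
        memcpy(dst, src, sz - 1);
        dst[sz - 1] = '\0';
        return true;
    }
    memcpy(dst, src, n + 1);
    return false;
}

/* Formatting a field that may not be terminated: the %.*s precision bounds the
 * conversion, so snprintf() never reads past fieldsz bytes even with no NUL.
 * Returns the length the formatted string would have had, as snprintf() does. */
int format_field(char *out, size_t outsz, const char *field, size_t fieldsz)
{
    return snprintf(out, outsz, "peer=%.*s", (int)fieldsz, field);
}

/* Runs the boundary scenarios and returns true when every expectation holds. */
bool self_check(void)
{
    char f[FIELD_SZ];
    char line[32];
    bool ok = true;

    /* Exact-fit input: strncpy() leaves no terminator in the 8-byte field. */
    ok = ok && !strncpy_copy(f, sizeof f, "12345678");
    /* Same input through the bounded copy: terminated, truncated to 7 characters. */
    ok = ok && bounded_copy(f, sizeof f, "12345678") && strcmp(f, "1234567") == 0;
    /* Short input: copied whole, no truncation reported. */
    ok = ok && !bounded_copy(f, sizeof f, "abc") && strcmp(f, "abc") == 0;
    /* An unterminated field is still printed safely with a bounded conversion. */
    strncpy_copy(f, sizeof f, "12345678");
    ok = ok && format_field(line, sizeof line, f, sizeof f) == 13
            && strcmp(line, "peer=12345678") == 0;
    return ok;
}

int main(void)
{
    char f[FIELD_SZ];
    char line[32];

    printf("strncpy left a terminator: %s\n",
           strncpy_copy(f, sizeof f, "12345678") ? "yes" : "no");
    format_field(line, sizeof line, f, sizeof f);
    printf("bounded print of the same field: %s\n", line);
    printf("bounded_copy truncated: %s -> \"%s\"\n",
           bounded_copy(f, sizeof f, "12345678") ? "yes" : "no", f);
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return 0;
}
```

The point of returning the truncation flag from bounded_copy() is that a daemon can treat an over-long argument as an error at the place it is read, rather than discovering the missing terminator later in a printf() call; the %.*s form is the fallback for buffers whose termination the code cannot otherwise guarantee.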