From: David Schultz (dschultz_at_uclink.Berkeley.EDU)
Date: Sat Feb 15 2003 - 22:36:34 CST
[from stable]
Thus spake Charles Sprickman <spork inch.com>:
> I saw this article on DaemonNews:
>
> http://www.onlamp.com/lpt/a/3221
>
> Is there any such clock-setting trickery planned or in progress in -stable
> or -current? Pretty nifty idea given ntpd's sordid history.
Without volunteering to do anything about it for lack of time, I'd
like to profess my support for this idea. ntpd has problems. I
recommended running the part of ntpd that talks to the network as
non-root when I audited it last year.
I know of at least three buffer overflows (in the input from the
user who starts ntpd, not remotely exploitable), a possible bug in
the crypto code that causes one of the session keys used to be
predictable, two sloppy off-by-one errors (on the safe side,
fortunately), and a failure to null-terminate a string that is
passed to printf() when debug mode is used. Rather than actually
using those brand new and terribly unportable interfaces like
snprintf(3) and strncpy(3), the author tries to precompute maximum
possible buffer sizes and occasionally seems to get it wrong.
I have to share the following excerpt from ntpd with you, partly
because it's some of the most screwed up non-IOCCC code I have
ever seen, and partly because if I had to suffer through it, I
figure others might as well, too. It's actually a lot worse than
it looks, given that approximately 55% of the text-containing
lines in the file are either #ifdef, #elif, #else, or #endif, or
#if. Audit that!
285 int
286 ntpdmain(
287 int argc,
288 char *argv[]
289 )
290 {
...
345 # ifdef DEBUG
346 if (!debug && !nofork)
347 # else /* DEBUG */
348 if (!nofork)
349 # endif /* DEBUG */
350 {
...
439 }
440 # endif /* NODETACH */
441 # if defined(SYS_WINNT) && !defined(NODETACH)
442 else
443 service_main(argc, argv);
444 return 0; /* must return a value */
445 } /* end main */
446 /*
447 * If this runs as a service under NT, the main thread will block at
448 * StartServiceCtrlDispatcher() and another thread will be started by the
449 * Service Control Dispatcher which will begin execution at the routine
450 * specified in that call (viz. service_main)
451 */
452 void
453 service_main(
454 DWORD argc,
455 LPTSTR *argv
456 )
457 {
...
490 # endif /* defined(SYS_WINNT) && !defined(NODETACH) */
...
503 #if !defined(SYS_WINNT) && !defined(VMS)
...
518 #endif /* !SYS_WINNT && !VMS */
...
837 }
(In case you didn't catch that, notice that there are two possible
places where main() can end, and they're several hundred lines
apart. There's actually a third possibility, which is not shown
above. I just noticed that the 'if' I excerpted from line 346
might not be the right one, but it seems to be the only one at the
correct indentation. I'd have to run the code through cpp again
to be sure.)
P.S. Did I read correctly that Niels Provos is now with NetBSD?
Did Theo scare him off?
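Two of the defect classes the post names (a hand-sized buffer that can be overrun, and a strncpy()-style copy that leaves no terminator before the buffer reaches printf()) are easier to see in a small self-contained program. The following is an added example written for this page; it is not ntpd code and not from the post's author. The function names format_peer_line(), copy_terminated() and is_terminated(), the PEER_LINE_MAX size, and the host names are constructed for illustration.

```c
/* Added example (not ntpd code): the "precomputed maximum buffer size"
 * and "unterminated string handed to printf()" defect classes, each shown
 * with a bounded replacement.  Names and sample inputs are constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Class 1: a buffer whose size was worked out by hand as "host, colon,
 * up to five digits, NUL".  The size is only right if every caller passes
 * a short host name, and nothing enforces that assumption. */
#define PEER_LINE_MAX 32

/* Bounded replacement: snprintf() never writes past dstlen and returns
 * how long the full string would have been, so an oversize input becomes
 * a reported truncation rather than an overflow.  Returns 0 on success,
 * -1 if the output did not fit; dst is NUL-terminated either way. */
int format_peer_line(char *dst, size_t dstlen, const char *host, unsigned port)
{
    int n = snprintf(dst, dstlen, "%s:%u", host, port);
    if (n < 0 || (size_t)n >= dstlen)
        return -1;
    return 0;
}

/* Class 2: strncpy() fills dst to the limit with no terminator when src
 * is at least dstlen bytes long, and printf("%s") on such a buffer reads
 * past its end.  This wrapper always terminates and reports whether the
 * copy was cut short.  Returns 1 if truncated, 0 otherwise. */
int copy_terminated(char *dst, size_t dstlen, const char *src)
{
    if (dstlen == 0)
        return 1;
    strncpy(dst, src, dstlen - 1);
    dst[dstlen - 1] = '\0';
    return strlen(src) > dstlen - 1;
}

/* Guard to run before handing a possibly-unterminated buffer to printf():
 * returns 1 if a NUL appears within the first len bytes, 0 otherwise. */
int is_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

int main(void)
{
    char line[PEER_LINE_MAX];
    char name[8];

    /* Constructed inputs: one that fits, one that would have overrun a
     * hand-sized buffer. */
    if (format_peer_line(line, sizeof line, "ntp.example.invalid", 123) == 0)
        printf("fits:      %s\n", line);
    if (format_peer_line(line, sizeof line,
                         "a-very-long-host-name.example.invalid", 123) != 0)
        printf("truncated: %s\n", line);

    /* strncpy() pitfall: an 8-byte source into an 8-byte buffer leaves no
     * NUL unless the wrapper forces one. */
    if (copy_terminated(name, sizeof name, "12345678"))
        printf("cut short: %s (terminated: %d)\n",
               name, is_terminated(name, sizeof name));
    return 0;
}
```

The design choice is to make every bounded copy or format report truncation to its caller instead of silently producing a shorter string, so a size assumption that turns out wrong surfaces as a checkable return value rather than as memory corruption or an over-read in a debug printf().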