!5 ntp:slove fuzz test problem

Merge pull request !5 from Choice/master
2020-04-17 20:22:16 +08:00 · 2020-04-17 20:22:16 +08:00 · 4b06fb46c2
commit 4b06fb46c2
parent 3a37f9872d 335671e998
3 changed files with 137 additions and 1 deletions
--- a/backport-Use-of-uninitialized-value-in-receive-function.patch
+++ b/backport-Use-of-uninitialized-value-in-receive-function.patch
@ -0,0 +1,80 @@
+Subject: [PATCH] Use-of-uninitialized-value in receive function
+
+---
+ ntpd/ntp_proto.c | 43 ++++++++++++++++++++++++++++---------------
+ 1 file changed, 28 insertions(+), 15 deletions(-)
+
+diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c
+index eb66351..baffe1b 100644
+--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
+@@ -640,31 +640,20 @@ receive(
+ 	 */
+ 	/*
+ 	 * Bogus port check is before anything, since it probably
+-	 * reveals a clogging attack.
+	 * reveals a clogging attack. Likewise the mimimum packet size
+	 * of 2 bytes (for mode 6/7) must be checked first.
+ 	 */
+ 	sys_received++;
+-	if (0 == SRCPORT(&rbufp->recv_srcadr)) {
+	if (0 == SRCPORT(&rbufp->recv_srcadr) || rbufp->recv_length < 2) {
+ 		sys_badlength++;
+-		return;				/* bogus port */
+		return;				/* bogus port / length */
+ 	}
+ 	restrictions(&rbufp->recv_srcadr, &r4a);
+ 	restrict_mask = r4a.rflags;
+ 
+ 	pkt = &rbufp->recv_pkt;
+ 	hisversion = PKT_VERSION(pkt->li_vn_mode);
+-	hisleap = PKT_LEAP(pkt->li_vn_mode);
+ 	hismode = (int)PKT_MODE(pkt->li_vn_mode);
+-	hisstratum = PKT_TO_STRATUM(pkt->stratum);
+-	DPRINTF(1, ("receive: at %ld %s<-%s ippeerlimit %d mode %d iflags %s restrict %s org %#010x.%08x xmt %#010x.%08x\n",
+-		    current_time, stoa(&rbufp->dstadr->sin),
+-		    stoa(&rbufp->recv_srcadr), r4a.ippeerlimit, hismode,
+-		    build_iflags(rbufp->dstadr->flags),
+-		    build_rflags(restrict_mask),
+-		    ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf),
+-		    ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf)));
+-
+-	/* See basic mode and broadcast checks, below */
+-	INSIST(0 != hisstratum);
+ 
+ 	if (restrict_mask & RES_IGNORE) {
+ 		DPRINTF(2, ("receive: drop: RES_IGNORE\n"));
+@@ -696,6 +685,30 @@ receive(
+ 		return;				/* no time serve */
+ 	}
+ 
+
+	/* If we arrive here, we should have a standard NTP packet. We
+	 * check that the minimum size is available and fetch some more
+	 * items from the packet once we can be sure they are indeed
+	 * there.
+	 */
+	if (rbufp->recv_length < LEN_PKT_NOMAC) {
+		sys_badlength++;
+		return;				/* bogus length */
+	}
+
+	hisleap = PKT_LEAP(pkt->li_vn_mode);
+	hisstratum = PKT_TO_STRATUM(pkt->stratum);
+	INSIST(0 != hisstratum); /* paranoia check PKT_TO_STRATUM result */
+
+	DPRINTF(1, ("receive: at %ld %s<-%s ippeerlimit %d mode %d iflags %s "
+		    "restrict %s org %#010x.%08x xmt %#010x.%08x\n",
+		    current_time, stoa(&rbufp->dstadr->sin),
+		    stoa(&rbufp->recv_srcadr), r4a.ippeerlimit, hismode,
+		    build_iflags(rbufp->dstadr->flags),
+		    build_rflags(restrict_mask),
+		    ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf),
+		    ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf)));
+
+ 	/*
+ 	 * This is for testing. If restricted drop ten percent of
+ 	 * surviving packets.
+-- 
+2.23.0
+
--- a/backport-process_control-should-bail-earlier-on-short-packets.patch
+++ b/backport-process_control-should-bail-earlier-on-short-packets.patch
@ -0,0 +1,47 @@
+Subject: [PATCH] process_control() should bail earlier on short packets
+
+---
+ ntpd/ntp_control.c      |   19 +-
+ 1 files changed, 21 insertions(+), 28 deletions(-)
+ create mode 100644 ntpd/ntp_control.c.orig
+
+diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c
+index 48cd908..5984c8c 100644
+--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
+@@ -1187,15 +1187,21 @@ process_control(
+ 	pkt = (struct ntp_control *)&rbufp->recv_pkt;
+ 
+ 	/*
+-	 * If the length is less than required for the header, or
+-	 * it is a response or a fragment, ignore this.
+	 * If the length is less than required for the header,
+	 * ignore it.
+ 	 */
+-	if (rbufp->recv_length < (int)CTL_HEADER_LEN
+-	    || (CTL_RESPONSE | CTL_MORE | CTL_ERROR) & pkt->r_m_e_op
+	if (rbufp->recv_length < (int)CTL_HEADER_LEN) {
+		DPRINTF(1, ("Short control packet\n"));
+		numctltooshort++;
+		return;
+	}
+
+	/*
+	 * If this packet is a response or a fragment, ignore it.
+	 */
+	if ( (CTL_RESPONSE | CTL_MORE | CTL_ERROR) & pkt->r_m_e_op
+ 	    || pkt->offset != 0) {
+ 		DPRINTF(1, ("invalid format in control packet\n"));
+-		if (rbufp->recv_length < (int)CTL_HEADER_LEN)
+-			numctltooshort++;
+ 		if (CTL_RESPONSE & pkt->r_m_e_op)
+ 			numctlinputresp++;
+ 		if (CTL_MORE & pkt->r_m_e_op)
+@@ -1206,6 +1212,7 @@ process_control(
+ 			numctlbadoffset++;
+ 		return;
+ 	}
+
+ 	res_version = PKT_VERSION(pkt->li_vn_mode);
+ 	if (res_version > NTP_VERSION || res_version < NTP_OLDVERSION) {
+ 		DPRINTF(1, ("unknown version %d in control packet\n",
--- a/ntp.spec
+++ b/ntp.spec
@ -2,7 +2,7 @@

 Name:                  ntp
 Version:               4.2.8p13
-Release:               5
+Release:               6
 Summary:               A protocol designed to synchronize the clocks of computers over a network
 License:               MIT and BSD and BSD with advertising
 URL:                   https://www.ntp.org/
@ -28,6 +28,9 @@ Patch9001:             bugfix-fix-autokey-condition-error.patch
 Patch9002:             bugfix-fix-ifindex-length.patch
 Patch9003:             revert-ntpd-fix-autokey-condition-error.patch

+Patch6001:             backport-Use-of-uninitialized-value-in-receive-function.patch
+Patch6002:             backport-process_control-should-bail-earlier-on-short-packets.patch
+
 BuildRequires:	       libcap-devel openssl-devel libedit-devel libevent-devel pps-tools-devel
 BuildRequires:         autogen autogen-libopts-devel systemd gcc perl-generators perl-HTML-Parser
 Requires(pre):         shadow-utils
@ -209,6 +212,12 @@ make check
 %{_mandir}/man8/*.8*

 %changelog
+* Tue Apr 14 2020 wangli<wangli221@huawei.com> - 4.2.8p13-6
+- Type:security
+- ID:NA
+- SUG:NA
+- DESC: solve fuzz test problem 
+
 * Thu Mar 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 4.2.8p13-5
 - Type:bugfix
 - Id:NA