[Git][NTPsec/ntpsec][master] 2 commits: ntp_control.h: Comment on draft RFC for control packets.

Gary E. Miller gitlab at mg.gitlab.com
Thu Oct 18 03:55:45 UTC 2018 

Gary E. Miller pushed to branch master at NTPsec / ntpsec


Commits:
0fc8bd99 by Gary E. Miller at 2018-10-18T03:37:51Z
ntp_control.h: Comment on draft RFC for control packets.

No functional change.

- - - - -
2ccb87ab by Gary E. Miller at 2018-10-18T03:55:06Z
ntp_control: Check for count too big in control packet.

- - - - -


2 changed files:

- include/ntp_control.h
- ntpd/ntp_control.c


Changes:

=====================================
include/ntp_control.h
=====================================
@@ -1,5 +1,9 @@
 /*
  * ntp_control.h - definitions related to NTP mode 6 control messages
+ *
+ * mode 6 messages are defined in:
+ * https://datatracker.ietf.org/doc/draft-ietf-ntp-mode-6-cmds/
+ *
  */
 #ifndef GUARD_NTP_CONTROL_H
 #define GUARD_NTP_CONTROL_H
@@ -19,8 +23,9 @@ struct ntp_control {
 	uint16_t status;		/* status word for association */
 	uint16_t associd;		/* association ID (associd_t) */
 	uint16_t offset;		/* offset of this batch of data */
-	uint16_t count;			/* count of data in this packet */
-	uint8_t data[480 + MAX_MAC_LEN]; /* data + auth */
+        /* the draft RFC says 0 <= count <= 468 */
+	uint16_t count;			/* byte count of data in this packet */
+	uint8_t data[480 + MAX_MAC_LEN]; /* data + padding + auth */
 } __attribute__((aligned(32)));
 
 /*


=====================================
ntpd/ntp_control.c
=====================================
@@ -849,6 +849,13 @@ process_control(
 		return;
 	}
 
+	if (CTL_MAX_DATA_LEN < req_count) {
+                /* count to big */
+		ctl_error(CERR_BADFMT);
+		numctlbadpkts++;
+		return;
+	}
+
 	properlen = req_count + (int)CTL_HEADER_LEN;
 	/* round up proper len to a 8 octet boundary */
 
@@ -2539,7 +2546,7 @@ ctl_getitem(
 
 	/* Scan the string in the packet until we hit comma or
 	 * EoB. Register position of first '=' on the fly. */
-	for (tp = NULL, cp = reqpt; cp != reqend; ++cp) {
+	for (tp = NULL, cp = reqpt; cp < reqend; ++cp) {
 		if (*cp == '=' && tp == NULL)
 			tp = cp;
 		if (*cp == ',')



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/55b0f3f96216faccf8176dc0b6d235b189e6945e...2ccb87ab78d7ca962f8a903499a4e50a379c56dd

-- 
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/55b0f3f96216faccf8176dc0b6d235b189e6945e...2ccb87ab78d7ca962f8a903499a4e50a379c56dd
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ntpsec.org/pipermail/vc/attachments/20181018/d27adde1/attachment-0001.html>

More information about the vc mailing list