From a24c8f001fade8b136cb03781951d474b5e4456d Mon Sep 17 00:00:00 2001
From: Thomas Guyot-Sionnest
Date: Tue, 2 Sep 2008 03:42:16 +0000
Subject: Fix possible segfault in check_ntp_peer with deliberately invalid packets

git-svn-id: https://nagiosplug.svn.sourceforge.net/svnroot/nagiosplug/nagiosplug/trunk@2052 f882894a-f735-0410-b71e-b25c423dba1c

diff --git a/NEWS b/NEWS
index cb68df6..ab597d4 100644
--- a/NEWS
+++ b/NEWS
@@ -11,7 +11,8 @@ This file documents the major additions and syntax changes between releases.
 check_icmp now supports packet size modification
 check_http -e now accepts a comma-delimited list of expected status codes
 libtap now included with this distribution for easier testing. Run ./configure with --enable-libtap
- check_ntp_peer/check_ntp_time used to show port in --help but ignored the argument - now implemented.
+ check_ntp_peer/check_ntp_time used to show port in --help but ignored the argument - now implemented
+ Fix possible segfault in check_ntp_peer with deliberately invalid packets

 1.4.12 27th May 2008
 Added ./check_nt -v INSTANCES to count number of instances (Alessandro Ren)
diff --git a/plugins/check_ntp_peer.c b/plugins/check_ntp_peer.c
index 72cec63..6a4401c 100644
--- a/plugins/check_ntp_peer.c
+++ b/plugins/check_ntp_peer.c
@@ -299,6 +299,9 @@ int ntp_request(const char *host, double *offset, int *offset_result, double *ji
 if(read(conn, &req, SIZEOF_NTPCM(req)) == -1)
 die(STATE_CRITICAL, "NTP CRITICAL: No response from NTP server\n");
 DBG(print_ntp_control_message(&req));
+ /* discard obviously invalid packets */
+ if (ntohs(req.count) > MAX_CM_SIZE)
+ die(STATE_CRITICAL, "NTP CRITICAL: Invalid paclet received from NTP server\n");
 if (LI(req.flags) == LI_ALARM) li_alarm = 1;
 /* Each peer identifier is 4 bytes in the data section, which
 * we represent as a ntp_assoc_status_pair datatype.
--
cgit v0.10-9-g596f
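Review bot: The new `ntohs(req.count) > MAX_CM_SIZE` bound in the check_ntp_peer.c hunk runs after `DBG(print_ntp_control_message(&req))`, so with debug output enabled the unvalidated reply is still handed to the printer first; if that function walks the data section by `count` (its body is not in this hunk), the crash this commit targets may remain reachable on that path. Placing the check directly after the `read()` and before the `DBG` line would close that. The `read()` result is only compared with `-1`, so `count` is never checked against the number of bytes actually received; keeping the return value and rejecting a reply shorter than the header plus `ntohs(req.count)` would cover truncated replies as well. The message text also has a typo and should read `"NTP CRITICAL: Invalid packet received from NTP server\n"`. `ntp_request` begins and ends outside this hunk.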