[ntp:questions] ntpdate.c unsafe buffer write
Harlan Stenn
stenn at ntp.org
Thu Feb 7 23:29:58 UTC 2008
Bill,
ntpdate is being deprecated.
And it is *much* better to file reports like this using bugs.ntp.org as
otherwise they tend to get lost in the wind.
H
--
>>> In article <4FIqj.1315$FO1.16 at edtnps82>, Unruh <unruh-spam at physics.ubc.ca> writes:
Unruh> In ntpdate.c around line 542 (4.2.4p4) is the sequence
Unruh>
Unruh>     if (!authistrusted(sys_authkey)) {
Unruh>         char buf[10];
Unruh>
Unruh>         (void) sprintf(buf, "%lu", (unsigned long)sys_authkey);
Unruh>         msyslog(LOG_ERR, "authentication key %s unknown", buf);
Unruh>         exit(1);
Unruh>     }
Unruh>
Unruh> Since unsigned long does not have a definite length on all machines,
Unruh> and with the trailing zero certainly is potentially longer than 10
Unruh> bytes, that buf is ripe for buffer overflow. It should be something
Unruh> like char buf[(sizeof(unsigned long)*12/5+2)]; And/or the sprintf
Unruh> should be an snprintf.
--
Harlan Stenn <stenn at ntp.org>
http://ntpforum.isc.org - be a member!
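
An added example, not part of the thread or of the NTP source: it works out how many bytes "%lu" needs, checks the buffer size proposed in the quoted report against ULONG_MAX on the build platform, and shows the snprintf form with a truncation check. The names ULONG_DEC_BUFSZ, dec_len_with_nul and format_keyid are hypothetical.

```c
#include <limits.h>
#include <stdio.h>

/* Size proposed in the report: roughly 2.4 decimal digits per byte
 * (log10(256) is about 2.408), plus slack and the terminating NUL. */
#define ULONG_DEC_BUFSZ (sizeof(unsigned long) * 12 / 5 + 2)

/* Bytes needed to print v with "%lu", including the terminating NUL. */
static size_t dec_len_with_nul(unsigned long v)
{
    size_t n = 1;                       /* at least one digit */
    while (v >= 10) {
        v /= 10;
        n++;
    }
    return n + 1;                       /* digits + NUL */
}

/* Bounded formatting: 0 on success, -1 if the value does not fit.
 * snprintf() returns the length it wanted to write, so a result
 * >= size means the output was truncated. */
static int format_keyid(char *buf, size_t size, unsigned long keyid)
{
    int n = snprintf(buf, size, "%lu", keyid);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

int main(void)
{
    char buf10[10];                     /* size used in the quoted code */
    char sized[ULONG_DEC_BUFSZ];        /* size suggested in the report */

    printf("ULONG_MAX needs %zu bytes, formula gives %zu\n",
           dec_len_with_nul(ULONG_MAX), (size_t)ULONG_DEC_BUFSZ);

    /* 999999999 is the largest value that fits in 10 bytes with the NUL;
     * one more digit is rejected instead of written past the array. */
    printf("999999999  in buf[10]: %d\n",
           format_keyid(buf10, sizeof buf10, 999999999UL));
    printf("1000000000 in buf[10]: %d\n",
           format_keyid(buf10, sizeof buf10, 1000000000UL));
    printf("ULONG_MAX in sized buffer: %d (%s)\n",
           format_keyid(sized, sizeof sized, ULONG_MAX), sized);
    return 0;
}
```
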