[ntp:questions] ntpdate.c unsafe buffer write

Harlan Stenn stenn at ntp.org
Thu Feb 7 23:29:58 UTC 2008


ntpdate is being deprecated.

And it is *much* better to file reports like this using bugs.ntp.org as
otherwise they tend to get lost in the wind.

>>> In article <4FIqj.1315$FO1.16 at edtnps82>, Unruh <unruh-spam at physics.ubc.ca> writes:

Unruh> In ntpdate.c around line 542 (4.2.4p4) is the sequence
Unruh>
Unruh>     if (!authistrusted(sys_authkey)) {
Unruh>         char buf[10];
Unruh>
Unruh>         (void) sprintf(buf, "%lu", (unsigned long)sys_authkey);
Unruh>         msyslog(LOG_ERR, "authentication key %s unknown", buf);
Unruh>         exit(1);
Unruh>     }

Unruh> Since unsigned long does not have a definite length on all machines,
Unruh> and with the trailing zero certainly is potentially longer than 10
Unruh> bytes, that buf is ripe for buffer overflow.  It should be something
Unruh> like char buf[(sizeof(unsigned long)*12/5+2)]; And/or the sprintf
Unruh> should be an snprintf.

Harlan Stenn <stenn at ntp.org>
http://ntpforum.isc.org  - be a member!
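The report above is about one sprintf into a fixed 10-byte buffer. The following is an added example, not code from ntpdate or from either poster: it shows why buf[10] is too small even for a 32-bit key id (the largest value, 4294967295, is ten digits plus the NUL, eleven bytes, so any key id of 1000000000 or more writes one byte past the end), uses the buffer-size expression proposed in the report, and shows the snprintf replacement with its truncation check. The key values and the "stand-in" names are constructed for illustration.

```c
/* Added example (not ntpdate's own code): sizing a decimal buffer for an
 * unsigned long and replacing the unchecked sprintf with snprintf.
 * The key id values below are constructed for illustration. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* The buffer size the report proposes: sizeof(unsigned long)*12/5 digits
 * (12/5 = 2.4 slightly overestimates log10(256) ~ 2.41 digits per byte)
 * plus room for the NUL. 4-byte long -> 11 bytes, 8-byte long -> 21 bytes. */
#define ULONG_DEC_BUF (sizeof(unsigned long) * 12 / 5 + 2)

/* Number of bytes, including the terminating NUL, that "%lu" needs for v. */
static size_t ulong_dec_len(unsigned long v)
{
    return (size_t)snprintf(NULL, 0, "%lu", v) + 1;
}

/* Would the original char buf[10] hold this key id without overflow?
 * Key ids are 32-bit, so the largest value is 4294967295: ten digits plus
 * NUL is eleven bytes. Anything >= 1000000000 overflows buf[10] by a byte. */
static int fits_in_unsafe_buf(unsigned long key)
{
    return ulong_dec_len(key) <= 10;
}

/* Hardened formatter: never writes past bufsz, always NUL-terminates,
 * and reports truncation instead of silently corrupting the stack. */
static int format_key_safe(char *buf, size_t bufsz, unsigned long key)
{
    int n = snprintf(buf, bufsz, "%lu", key);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;   /* did not fit; buf holds a NUL-terminated prefix */
    return 0;
}

/* Run-time check that ULONG_DEC_BUF covers the largest possible value. */
static int dec_buf_is_sufficient(void)
{
    return ULONG_DEC_BUF >= ulong_dec_len(ULONG_MAX);
}

int main(void)
{
    char buf[ULONG_DEC_BUF];
    unsigned long keys[] = { 1UL, 999999999UL, 1000000000UL, 4294967295UL };
    size_t i;

    for (i = 0; i < sizeof keys / sizeof keys[0]; i++) {
        printf("key %lu needs %zu bytes; buf[10] %s\n", keys[i],
               ulong_dec_len(keys[i]),
               fits_in_unsafe_buf(keys[i]) ? "is enough" : "OVERFLOWS");
    }
    if (format_key_safe(buf, sizeof buf, ULONG_MAX) == 0)
        printf("authentication key %s unknown (formatted safely)\n", buf);
    return 0;
}
```

The run-time check is cheap insurance: if someone later changes the size expression or the format type, dec_buf_is_sufficient() fails in a unit test rather than on a user's 64-bit host. Checking snprintf's return value matters too; a silently truncated key id in the log is confusing, but far better than an overwritten return address.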
