[ntp:questions] ntpdate.c unsafe buffer write

Unruh unruh-spam at physics.ubc.ca
Fri Feb 8 02:13:37 UTC 2008

Harlan Stenn <stenn at ntp.org> writes:


>ntpdate is being deprecated.

Maybe, but it should still not have bugs if it is actually still part of
the distro.

>And it is *much* better to file reports like this using bugs.ntp.org as
>otherwise they tend to get lost in the wind.

OK. Will do.

>>>> In article <4FIqj.1315$FO1.16 at edtnps82>, Unruh <unruh-spam at physics.ubc.ca> writes:

>Unruh> In ntpdate.c around line 542 (4.2.4p4) is the sequence
>Unruh>
>Unruh>     if (!authistrusted(sys_authkey)) {
>Unruh>             char buf[10];
>Unruh>
>Unruh>             (void) sprintf(buf, "%lu", (unsigned long)sys_authkey);
>Unruh>             msyslog(LOG_ERR, "authentication key %s unknown", buf);
>Unruh>             exit(1);
>Unruh>     }

>Unruh> Since unsigned long does not have a definite length on all machines,
>Unruh> and with the trailing zero certainly is potentially longer than 10
>Unruh> bytes, that buf is ripe for buffer overflow.  It should be something
>Unruh> like char buf[(sizeof(unsigned long)*12/5+2)]; And/or the sprintf
>Unruh> should be an snprintf.

>Harlan Stenn <stenn at ntp.org>
>http://ntpforum.isc.org  - be a member!
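An added example, not code from the post or from the ntp sources: the fixed 10-byte buffer measured against what "%lu" actually needs, beside a version sized with the 12/5 rule proposed above and written with snprintf plus a truncation check. The key type is assumed to be unsigned long, matching the cast in the quoted snippet; the exact byte count is computed by dividing ULONG_MAX down, so the test shows the rule is a sufficient bound on this machine. Note that even a 32-bit key id of 1000000000 or more already needs 11 bytes with the terminating NUL.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Sizing rule from the post: each byte holds log10(256) ~= 2.408 decimal
 * digits, so sizeof*12/5 (2.4 per byte, truncated) plus 2 gives room for
 * the rounding slack and the terminating NUL. */
#define UDEC_BUF(type) (sizeof(type) * 12 / 5 + 2)

/* Exact bytes needed to print ULONG_MAX in decimal, including the NUL,
 * computed by counting digits rather than trusting a formula. */
size_t exact_decimal_bytes(void)
{
    unsigned long v = ULONG_MAX;
    size_t digits = 0;
    while (v != 0) {
        v /= 10;
        digits++;
    }
    return digits + 1;
}

/* Bytes the original sprintf(buf, "%lu", key) would write, NUL included.
 * Measured into a scratch buffer with snprintf; the unsafe write is not
 * performed. Assumed helper, not from ntpdate. */
size_t needed_bytes(unsigned long key)
{
    char probe[64];
    int n = snprintf(probe, sizeof probe, "%lu", key);
    return (size_t)n + 1;
}

/* The "before" condition: does this key value overrun char buf[10]? */
int original_would_overflow(unsigned long key)
{
    return needed_bytes(key) > 10;
}

/* Hardened form: buffer sized from the type, snprintf instead of sprintf,
 * and the return value checked for truncation instead of assuming the
 * arithmetic is right. Returns the digit count or -1 on failure. */
int format_key_safe(unsigned long key, char *out, size_t outlen)
{
    char buf[UDEC_BUF(unsigned long)];
    int n = snprintf(buf, sizeof buf, "%lu", key);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;          /* truncated: cannot happen if the rule holds */
    if (outlen <= (size_t)n)
        return -1;          /* caller's buffer too small for digits + NUL */
    memcpy(out, buf, (size_t)n + 1);
    return n;
}

int main(void)
{
    char out[32];
    printf("sizeof(unsigned long)=%zu rule=%zu exact=%zu\n",
           sizeof(unsigned long), UDEC_BUF(unsigned long), exact_decimal_bytes());
    printf("key %lu needs %zu bytes, overflows buf[10]: %d\n",
           ULONG_MAX, needed_bytes(ULONG_MAX), original_would_overflow(ULONG_MAX));
    printf("key 1000000000 overflows buf[10]: %d\n",
           original_would_overflow(1000000000UL));
    if (format_key_safe(ULONG_MAX, out, sizeof out) > 0)
        printf("safe: %s\n", out);
    return 0;
}
```

The check that matters in practice is the `n >= sizeof buf` test after snprintf: it turns a silent stack overwrite into a detectable error even if someone later changes the key type without revisiting the buffer size.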
