[ntp:questions] ntpdate.c unsafe buffer write

David L. Mills mills at udel.edu
Fri Feb 8 16:32:57 UTC 2008


My position on ntpdate and sntp has always been clear. Remove them both 
from the distribution and let other folks contribute sntp products. The 
standards labs in various contries do not recommend the NTP reference 
implementation, they recommend other shrinkwrap products. There is no 
need for folks to download the reference implementatino only to bring up 
an sntp product.

The matter of concern is an sntp product that strictly conforms to the 
NTPv4 specification as it applies to sntp. There is at least one 
contributor testing the kiss-o'-death rate limit and has apparently 
actually read rfc 2030. On the other hand, there are numerous examples 
of clients that casually violate the rate rules both at servers we 
operate here and at the national labs. What we should be doing is 
supporting those products that play by the rules and that are maintained 
by other players.


Harlan Stenn wrote:
> Bill,
> ntpdate is being deprecated.
> And it is *much* better to file reports like this using bugs.ntp.org as
> otherwise they tend to get lost in the wind.
> H
> --
>>>>In article <4FIqj.1315$FO1.16 at edtnps82>, Unruh <unruh-spam at physics.ubc.ca> writes:
> Unruh> In ntpdate.c around line 542 (4.2.4p4)is the sequence if
> Unruh> (!authistrusted(sys_authkey)) { char buf[10];
> Unruh>          (void) sprintf(buf, "%lu", (unsigned long)sys_authkey);
> Unruh> msyslog(LOG_ERR, "authentication key %s unknown", buf); exit(1);
> Unruh> }
> Unruh> Since unsigned long does not have a definite length on all machines,
> Unruh> and with the trailing zero certainly is potentially longer than 10
> Unruh> bytes, that buf is ripe for buffer overflow.  It should be something
> Unruh> like char buf[(sizeof(unsigned long)*12/5+2)]; And/or the sprintf
> Unruh> should be an snprintf.

More information about the questions mailing list