[ntp:questions] ntpdate.c unsafe buffer write

Ulrich Windl Ulrich.Windl at RZ.Uni-Regensburg.DE
Thu Feb 28 09:45:00 UTC 2008

Unruh <unruh-spam at physics.ubc.ca> writes:

> In ntpdate.c around line 542 (4.2.4p4)is the sequence
> if (!authistrusted(sys_authkey)) {
>          char buf[10];
>          (void) sprintf(buf, "%lu", (unsigned long)sys_authkey);
>          msyslog(LOG_ERR, "authentication key %s unknown", buf);

Is that too simple?
          msyslog(LOG_ERR, "authentication key %lu unknown",
                  (unsigned long)sys_authkey);

>          exit(1);
> }
> Since unsigned long does not have a definite length on all machines, and with the trailing
> zero certainly is potentially longer than 10 bytes, that buf is ripe for
> buffer overflow. 
> It should be something like
>    char buf[(sizeof(unsigned long)*12/5+2)];
> And/or the sprintf should be an snprintf.

More information about the questions mailing list