[ntp:questions] ntpdate.c unsafe buffer write

Ulrich Windl Ulrich.Windl at RZ.Uni-Regensburg.DE
Thu Feb 28 09:45:00 UTC 2008


Unruh <unruh-spam at physics.ubc.ca> writes:

> In ntpdate.c around line 542 (4.2.4p4) is the sequence
> if (!authistrusted(sys_authkey)) {
>          char buf[10];
>
>          (void) sprintf(buf, "%lu", (unsigned long)sys_authkey);
>          msyslog(LOG_ERR, "authentication key %s unknown", buf);

Is that too simple?
          msyslog(LOG_ERR, "authentication key %lu unknown",
                  (unsigned long)sys_authkey);


>          exit(1);
> }
>
> Since unsigned long does not have a definite length on all machines, and with the trailing
> zero certainly is potentially longer than 10 bytes, that buf is ripe for
> buffer overflow. 
> It should be something like
>    char buf[(sizeof(unsigned long)*12/5+2)];
> And/or the sprintf should be an snprintf.
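An added example, not code from ntpdate.c or from anyone in this thread, that checks the `sizeof(unsigned long)*12/5+2` sizing rule proposed above against the real digit count of ULONG_MAX and shows the snprintf-based alternative that detects truncation instead of overrunning a fixed `char buf[10]`. The names ULONG_DEC_BUF, format_key and key_fits are chosen here for illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Sizing rule from the quoted message: each byte of an unsigned long holds
 * at most log10(256) = 2.41 decimal digits, so 12/5 per byte is a ceiling;
 * the +2 covers integer rounding down and the terminating NUL. */
#define ULONG_DEC_BUF (sizeof(unsigned long) * 12 / 5 + 2)

/* Exact number of decimal digits in ULONG_MAX on this platform. */
size_t ulong_max_digits(void) {
    unsigned long v = ULONG_MAX;
    size_t n = 0;
    do { n++; v /= 10; } while (v);
    return n;
}

/* Nonzero when ULONG_DEC_BUF holds every unsigned long plus its NUL. */
int sized_buffer_is_safe(void) {
    return ULONG_DEC_BUF >= ulong_max_digits() + 1;
}

/* Format key into dst without ever writing past dstlen bytes. snprintf
 * returns the length the full string needs, so truncation is detectable.
 * Returns 0 on success, -1 on truncation (dst is then an empty string). */
int format_key(char *dst, size_t dstlen, unsigned long key) {
    int needed = snprintf(dst, dstlen, "%lu", key);
    if (needed < 0 || (size_t)needed >= dstlen) {
        if (dstlen) dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Would key fit in a buffer of dstlen bytes? dstlen is capped at the safe
 * size so the scratch buffer itself can never be overrun. */
int key_fits(size_t dstlen, unsigned long key) {
    char tmp[ULONG_DEC_BUF];
    return dstlen <= sizeof tmp && format_key(tmp, dstlen, key) == 0;
}

int main(void) {
    char buf[ULONG_DEC_BUF];
    printf("ULONG_MAX has %zu digits; sized buffer is %zu bytes\n",
           ulong_max_digits(), (size_t)ULONG_DEC_BUF);
    if (format_key(buf, sizeof buf, ULONG_MAX) == 0)
        printf("largest key %s fits in the sized buffer\n", buf);
    printf("largest key fits in char buf[10]: %s\n",
           key_fits(10, ULONG_MAX) ? "yes" : "no");
    return 0;
}
```

On a 64-bit build the rule yields 21 bytes for a 20-digit maximum, and on a 32-bit build 11 bytes for 10 digits, so the original 10-byte buffer is too small for the largest key on either.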