[ntp:bugs] [Bug 3059] New: Potential buffer overrun from oversized hash

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Tue May 31 03:27:34 UTC 2016


             Bug #: 3059
           Summary: Potential buffer overrun from oversized hash
           Product: ntp
           Version: 4.2.8
          Platform: All
        OS/Version: All
            Status: CONFIRMED
          Severity: normal
          Priority: P5
         Component: ntpd
        AssignedTo: stenn at ntp.org
        ReportedBy: brian.utterback at oracle.com
                CC: bugs at ntp.org
    Classification: Unclassified

In ntp_proto.c the function authencrypt is called to add the MAC to the end of
the packet. If AUTOKEY is defined then the xpkt structure is large enough to
accommodate any size MAC, but if AUTOKEY is not defined only 24 bytes are
reserved for the MAC. 

The problem is that the size of the MAC returned depends on the algorithm used.
There is no limitation on the algorithm specified in the ntp.keys file; it will
accept any algorithm OpenSSL provides.

Thus we find this lovely sequence of code in ntp_proto.c:

        authlen = authencrypt(xkeyid, (u_int32 *)&xpkt, sendlen);
        sendlen += authlen;
        if (sendlen > sizeof(xpkt)) {
                msyslog(LOG_ERR, "peer_xmit: buffer overflow %zu", sendlen);
                exit (-1);
        }

In other words, it detects and prints a message *after* the buffer has been
