[ntp:hackers] MD5auth_setkey bug in copying message digest

Victor Jesus Angus shurvic at yahoo.com
Mon Jul 6 01:07:06 UTC 2009


Hello,

I'm implementing a small autokey client that specifically works using IFF, and I found a bug in the reference implementation, libntp/authkeys.c:MD5auth_setkey. When copying the key to sk->k.MD5_key, it uses strncpy, which causes the destination to be truncated when a NULL is found, which in turn causes a wrong MAC to be generated. My proposed fix is to use memcpy.

NTP version: 4.2.5p158 (this is still true in p185)
Platform: Linux (CentOS release 4.6)

Here's an example:
session_key() generated this digest
    ac8d eaeb dc0a e500 90f8 beb5 1985 08c5
but in MD5auth_setkey(), an incomplete digest was stored
    ac8d eaeb dc0a e500 0000 0000 0000 0000

Proposed fix:

diff --git a/libntp/authkeys.c b/libntp/authkeys.c
index 1c95444..dc8b280 100644
--- a/libntp/authkeys.c
+++ b/libntp/authkeys.c
@@ -314,8 +314,7 @@ MD5auth_setkey(
        sk = key_hash[KEYHASH(keyno)];
        while (sk != 0) {
                if (keyno == sk->keyid) {
-                       strncpy((char *)sk->k.MD5_key, (const char *)key,
-                           sizeof(sk->k.MD5_key));
+                       memcpy(sk->k.MD5_key, key, len);
                        if ((sk->keylen = len) > sizeof(sk->k.MD5_key))
                            sk->keylen = sizeof(sk->k.MD5_key);

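Review bot: The new memcpy(sk->k.MD5_key, key, len) in the existing-key branch runs before len is checked against sizeof(sk->k.MD5_key). The clamp in the two context lines after it only limits sk->keylen, so a len larger than the buffer would write past the end of MD5_key, whereas the removed strncpy was bounded by sizeof(sk->k.MD5_key). Suggest moving the clamp above the copy and copying sk->keylen bytes, i.e. memcpy(sk->k.MD5_key, key, sk->keylen).
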
@@ -341,8 +340,7 @@ MD5auth_setkey(
        authfreekeys = sk->next;
        authnumfreekeys--;

-       strncpy((char *)sk->k.MD5_key, (const char *)key,
-               sizeof(sk->k.MD5_key));
+       memcpy(sk->k.MD5_key, key, len);
        if ((sk->keylen = len) > sizeof(sk->k.MD5_key))
            sk->keylen = sizeof(sk->k.MD5_key);

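Review bot: In the free-list path the copy is also unbounded: memcpy(sk->k.MD5_key, key, len) executes before the following lines clamp sk->keylen to sizeof(sk->k.MD5_key), so the clamp should come first and the copy should use the clamped length. In addition, strncpy zero-filled the remainder of the buffer and memcpy does not, so an entry taken from authfreekeys keeps whatever bytes lay beyond len from its previous use. Either clear MD5_key before copying or confirm that every reader honours keylen.
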

Thanks. 

Victor
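
The truncation described in the message, reproduced with the digest it quotes, next to a length-clamped binary copy. This is an added example, not code from the post or from ntp; `struct demo_key`, `KEY_MAX` (an assumed 16-byte buffer) and the helper functions are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define KEY_MAX 16  /* assumed size of the stored key buffer, for this example */
/* Hypothetical stand-in for a stored key entry; not the ntp struct. */
struct demo_key { unsigned char key[KEY_MAX]; size_t keylen; };

/* Constructed sample: the digest quoted in the message above. */
static const unsigned char sample_digest[KEY_MAX] = {
    0xac, 0x8d, 0xea, 0xeb, 0xdc, 0x0a, 0xe5, 0x00,
    0x90, 0xf8, 0xbe, 0xb5, 0x19, 0x85, 0x08, 0xc5
};

/* String copy: stops at the first 0x00 byte and zero-fills the remainder. */
static void store_strncpy(struct demo_key *sk, const unsigned char *key, size_t len)
{
    strncpy((char *)sk->key, (const char *)key, sizeof(sk->key));
    sk->keylen = len > sizeof(sk->key) ? sizeof(sk->key) : len;
}

/* Binary copy: clamp the length first, clear stale bytes, then copy. */
static void store_bounded(struct demo_key *sk, const unsigned char *key, size_t len)
{
    sk->keylen = len > sizeof(sk->key) ? sizeof(sk->key) : len;
    memset(sk->key, 0, sizeof(sk->key));
    memcpy(sk->key, key, sk->keylen);
}

/* Number of leading stored bytes that match the input key. */
static size_t matching_prefix(const struct demo_key *sk, const unsigned char *key)
{
    size_t i = 0;
    while (i < sk->keylen && sk->key[i] == key[i])
        i++;
    return i;
}

int main(void)
{
    struct demo_key a, b;
    store_strncpy(&a, sample_digest, sizeof(sample_digest));
    store_bounded(&b, sample_digest, sizeof(sample_digest));
    printf("strncpy kept %zu of 16 bytes, bounded memcpy kept %zu\n",
           matching_prefix(&a, sample_digest), matching_prefix(&b, sample_digest));
    return 0;
}
```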


      

