[ntp:questions] ntpdate.c unsafe buffer write

Unruh unruh-spam at physics.ubc.ca
Thu Feb 7 19:06:40 UTC 2008


In ntpdate.c around line 542 (4.2.4p4)is the sequence
if (!authistrusted(sys_authkey)) {
         char buf[10];

         (void) sprintf(buf, "%lu", (unsigned long)sys_authkey);
         msyslog(LOG_ERR, "authentication key %s unknown", buf);
         exit(1);
}

Since unsigned long does not have a definite length on all machines, and with the trailing
zero certainly is potentially longer than 10 bytes, that buf is ripe for
buffer overflow. 
It should be something like
   char buf[(sizeof(unsigned long)*12/5+2)];
And/or the sprintf should be an snprintf.





More information about the questions mailing list