[ntp:security] [Bug 2669] buffer overflow: configure()

bugzilla-daemon at ntp.org
Mon Dec 22 22:27:54 UTC 2014


http://bugs.ntp.org/show_bug.cgi?id=2669

sai <pianoboysai at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pianoboysai at gmail.com

--- Comment #7 from sai <pianoboysai at gmail.com> 2014-12-22 22:27:54 UTC ---
Hi, I saw the "ntp_control.c" source; in function "process_control", there is
length-checking code like this:
"

...
req_data = rbufp->recv_length - CTL_HEADER_LEN;
if (req_data < req_count || rbufp->recv_length & 0x3) {
    ctl_error(CERR_BADFMT);
    numctldatatooshort++;
    return;
}


properlen = req_count + CTL_HEADER_LEN;
/* round up proper len to a 8 octet boundary */

properlen = (properlen + 7) & ~7;
maclen = rbufp->recv_length - properlen;
if ((rbufp->recv_length & 3) == 0 &&
    maclen >= MIN_MAC_LEN && maclen <= MAX_MAC_LEN && sys_authenticate) {
    ...// need to go to this
}

/*
 * Set up translate pointers
 */
reqpt = (char *)pkt->data;
reqend = reqpt + req_count;


...
"

Since rbufp->recv_length is always less than 1000 ("#define RX_BUFF_SIZE 1000"
in recvbuff.h), and maclen should be between 4 and 24, the maximum of
properlen is 996 (1000-4), which means (req_count+CTL_HEADER_LEN) could not be
greater than 996. CTL_HEADER_LEN is 12, so req_count can't be greater than
984 (996-12). In the "configure" function, remote_config.buffer is 1024 bytes.

I don't know how to make it overflow (unless someone modifies RX_BUFF_SIZE
in recvbuff.h). Has anyone reproduced this bug and can explain it?
Thanks

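The bound worked out in comment #7 can be checked mechanically. The C program below is an added example, not code from ntp or from the poster: it re-implements the length checks quoted from process_control() with the constants stated in the message (RX_BUFF_SIZE 1000, CTL_HEADER_LEN 12, maclen between 4 and 24, a 1024-byte remote_config.buffer) and enumerates every (recv_length, req_count) pair that fits the receive buffer to find the largest request that reaches the "set up translate pointers" step. The function names, the result enum, the guard for packets shorter than a header and the simplified int types are this example's own assumptions.

```c
/*
 * Added example: executable model of the length checks quoted from
 * process_control() in ntp_control.c. Constants are the ones stated in the
 * message; the function names, the enum and the header-length guard are this
 * example's own assumptions, not ntp code. Integer types are simplified to int.
 */
#include <stdio.h>
#include <stdbool.h>

#define RX_BUFF_SIZE          1000  /* recvbuff.h, per the message */
#define CTL_HEADER_LEN        12    /* per the message */
#define MIN_MAC_LEN           4     /* per the message: maclen in 4..24 */
#define MAX_MAC_LEN           24
#define REMOTE_CONFIG_BUFFER  1024  /* size of remote_config.buffer, per the message */

enum ctl_result {
    CTL_REJECT_BADFMT,  /* ctl_error(CERR_BADFMT); request dropped */
    CTL_ACCEPT_NOMAC,   /* reaches "set up translate pointers" without a MAC */
    CTL_ACCEPT_MAC      /* same, and the MAC-length window test passed */
};

/*
 * Apply the quoted checks to one packet of recv_length octets whose header
 * count field is req_count. On acceptance *data_len (if non-NULL) receives
 * reqend - reqpt, the number of octets handed on to the request handler.
 */
static enum ctl_result
check_control_lengths(int recv_length, int req_count, bool sys_authenticate,
                      int *data_len)
{
    /* Example's own guard: the quoted snippet begins after "...", and the
     * subtraction below only makes sense once a full header is present. */
    if (recv_length < CTL_HEADER_LEN || req_count < 0)
        return CTL_REJECT_BADFMT;

    int req_data = recv_length - CTL_HEADER_LEN;
    if (req_data < req_count || (recv_length & 0x3))
        return CTL_REJECT_BADFMT;

    int properlen = req_count + CTL_HEADER_LEN;
    properlen = (properlen + 7) & ~7;          /* round up to an 8 octet boundary */
    int maclen = recv_length - properlen;      /* may be negative or zero */

    bool has_mac = (recv_length & 3) == 0 &&
                   maclen >= MIN_MAC_LEN && maclen <= MAX_MAC_LEN &&
                   sys_authenticate;

    if (data_len)
        *data_len = req_count;                 /* reqend = reqpt + req_count */
    return has_mac ? CTL_ACCEPT_MAC : CTL_ACCEPT_NOMAC;
}

/*
 * Largest number of request octets that can reach the translate-pointer step
 * from a packet that fits the RX_BUFF_SIZE receive buffer. With require_mac the
 * packet must also land in the MAC-length window, which is the case the
 * message reasons about. Returns -1 if no packet is accepted.
 */
static int
max_req_count(bool require_mac)
{
    int best = -1;
    for (int len = 0; len <= RX_BUFF_SIZE; len++) {
        for (int rc = 0; rc <= len; rc++) {
            int dl;
            enum ctl_result r = check_control_lengths(len, rc, true, &dl);
            if (r == CTL_REJECT_BADFMT)
                continue;
            if (require_mac && r != CTL_ACCEPT_MAC)
                continue;
            if (dl > best)
                best = dl;
        }
    }
    return best;
}

int
main(void)
{
    int with_mac = max_req_count(true);
    int without_mac = max_req_count(false);
    printf("max req_count with maclen in [%d,%d]: %d\n",
           MIN_MAC_LEN, MAX_MAC_LEN, with_mac);
    printf("max req_count with no MAC required:   %d\n", without_mac);
    printf("remote_config.buffer is %d bytes; headroom %d (MAC) / %d (no MAC)\n",
           REMOTE_CONFIG_BUFFER, REMOTE_CONFIG_BUFFER - with_mac,
           REMOTE_CONFIG_BUFFER - without_mac);
    return 0;
}
```

Run stand-alone, the enumeration reports 980 octets when the MAC-length window must be satisfied and 988 when it need not be. The first figure sits a little below the unrounded 996 - 12 because properlen is rounded up to a multiple of 8 before maclen is derived, so a properlen of 996 is never produced; either way the request data stays well under the 1024-byte remote_config.buffer, which matches the message's conclusion that req_count by itself cannot reach the buffer size.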