[ntp:security] [Bug 2909] Slow memory leak in CRYPTO_ASSOC

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Tue Dec 29 09:25:16 UTC 2015


http://bugs.ntp.org/show_bug.cgi?id=2909

Sathish <sathishcold at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sathishcold at gmail.com

--- Comment #10 from Sathish <sathishcold at gmail.com> 2015-12-29 09:25:16 UTC ---
(In reply to comment #0)

Can you please give the script "ntp_mem_leak.py"? I am not able to find the
script. I have to test this memory leak.



> The bug:
> ------------------------------------------------------------
> ntpd processes symmetric active NTPv4 packets with multiple
> extensions. This can cause memory leak as shown below:
> int crypto_recv(...)
> {
> ...
>   // loop to process (multiple) extensions
>         while ((has_mac = rbufp->recv_length - authlen) > (int)MAX_MAC_LEN) {
> ...
>                 case CRYPTO_ASSOC:
>                         /*
>                          * If our state machine is running when this
>                          * message arrives, the other fellow might have
>                          * restarted. However, this could be an
>                          * intruder, so just clamp the poll interval and
>                          * find out for ourselves. Otherwise, pass the
>                          * extension field to the transmit side.
>                          */
>                         if (peer->crypto & CRYPTO_FLAG_CERT) {
>                                 rval = XEVNT_ERR;
>                                 break;
>                         }
>                         if (peer->cmmd) {
>                                 if (peer->assoc != associd) {
>                                         rval = XEVNT_ERR;
>                                         break;
>                                 }
>                         }
>                         fp = emalloc(len);
>                         memcpy(fp, ep, len);
>                         fp->associd = htonl(peer->associd);
>                         peer->cmmd = fp;
> ...
> }
> Here when processing an extension with an ASSOC Autokey message
> in it, ntpd allocates and copies memory for the incoming extension
> and assigns it to peer->cmmd. However, when multiple ASSOC messages
> are present in a symmetric active NTPv4 packet, the memory pointed to by
> peer->cmmd was not freed prior to the peer->cmmd = fp assignment.
> This causes a memory leak, which could lead to a DoS.
> PoC:
> ------------------------------------------------------------
> This PoC tries to cause memory leak in ntpd.
> Target setup and conditions:
> - Target ntpd has Autokey (crypto) enabled.
> - Host running this script and the target host must not go through
>   Network Address Translation.
> - Run this script repeatedly with watch -n 1 python ntp_mem_leak.py <target_ip>
> - Note that since ntpd limits maximum extension size to 2048 bytes, it
>   can take a long time (days) to exhaust ntpd memory.

-- 
Configure bugmail: http://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
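The leak described in the quoted bug report, modelled as an added example that is not ntpd's code: a stripped-down stand-in for the CRYPTO_ASSOC branch of crypto_recv(), fed several ASSOC extension fields from one packet, with the leaky assignment beside the hardened form that frees the pending peer->cmmd before replacing it. The ext_t and peer_t structs, the track_malloc/track_free accounting, the 2048-byte field size (taken from the report's statement of ntpd's extension cap) and the function names are assumptions made for this model; the real ntpd structures and loop differ.

```c
/* Added example, not ntpd code: model of the crypto_recv() CRYPTO_ASSOC path.
 * Shows that repeated ASSOC extension fields in one packet leak the previous
 * peer->cmmd allocation, and the fix of freeing it before reassignment.
 * ext_t, peer_t, the allocation accounting and all names here are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define CRYPTO_ASSOC 1
#define MAX_EXT_LEN  2048   /* per-field size cap stated in the bug report */

typedef struct ext {
    uint32_t opcode;        /* which Autokey message this field carries */
    uint32_t associd;       /* association ID stamped in by the receiver */
    uint32_t len;           /* total length of this field in bytes */
    unsigned char body[];   /* remainder of the field (value, signature...) */
} ext_t;

typedef struct peer {
    ext_t   *cmmd;          /* pending ASSOC field handed to the transmit side */
    uint32_t associd;
} peer_t;

/* Byte-level accounting so the leak is observable without a leak checker. */
static size_t g_allocated;

static void *track_malloc(size_t n) { g_allocated += n; return malloc(n); }
static void  track_free(void *p, size_t n) { g_allocated -= n; free(p); }

/* Leaky version, mirroring the logic quoted in the report: each ASSOC field
 * overwrites peer->cmmd, so every field but the last is lost. */
static void assoc_recv_leaky(peer_t *peer, const ext_t *ep)
{
    ext_t *fp = track_malloc(ep->len);
    memcpy(fp, ep, ep->len);
    fp->associd = peer->associd;
    peer->cmmd = fp;                  /* previous cmmd, if any, leaks here */
}

/* Fixed version: release the pending field before replacing it. */
static void assoc_recv_fixed(peer_t *peer, const ext_t *ep)
{
    ext_t *fp = track_malloc(ep->len);
    memcpy(fp, ep, ep->len);
    fp->associd = peer->associd;
    if (peer->cmmd != NULL)
        track_free(peer->cmmd, peer->cmmd->len);
    peer->cmmd = fp;
}

/* Constructed ASSOC extension field of the given total length (len >= 12). */
static ext_t *make_assoc_field(uint32_t len)
{
    ext_t *ep = calloc(1, len);
    ep->opcode = CRYPTO_ASSOC;
    ep->len = len;
    return ep;
}

/* Process n ASSOC fields of len bytes as if they arrived in one packet and
 * return the bytes still allocated afterwards, excluding the single pending
 * field that the receiver is entitled to keep. n must be >= 1. */
size_t bytes_leaked(int n, uint32_t len, int use_fix)
{
    peer_t peer = { .cmmd = NULL, .associd = 42 };
    ext_t *ep = make_assoc_field(len);
    g_allocated = 0;
    for (int i = 0; i < n; i++) {
        if (use_fix)
            assoc_recv_fixed(&peer, ep);
        else
            assoc_recv_leaky(&peer, ep);
    }
    size_t leaked = g_allocated;
    if (peer.cmmd != NULL) {          /* the one legitimately pending field */
        leaked -= peer.cmmd->len;
        track_free(peer.cmmd, peer.cmmd->len);
    }
    free(ep);
    return leaked;
}

int main(void)
{
    printf("leaky: %zu bytes leaked after 100 ASSOC fields\n",
           bytes_leaked(100, MAX_EXT_LEN, 0));
    printf("fixed: %zu bytes leaked after 100 ASSOC fields\n",
           bytes_leaked(100, MAX_EXT_LEN, 1));
    return 0;
}
```

With the 2048-byte cap each field costs at most 2 KiB, which is why the report expects exhaustion to take days of repeated packets; the fixed path holds exactly one pending field no matter how many ASSOC extensions a packet carries.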

