[ntp:security] Insufficient fixes in crypto_recv() ?

Sebastian Krahmer krahmer at suse.de
Mon Jan 5 11:12:10 UTC 2015


Hi

I was reviewing your patches for the recent buffer overflow issue
via RSA decrypting inside crypto_recv().

I wonder whether other switch cases handling network input have
been checked for similar issues?

For example the 

case CRYPTO_CERT | CRYPTO_RESP:
[...]
         if ((xinfo = cert_install(ep, peer)) == NULL) {
                      rval = XEVNT_CRT;
                      break;
         }

case which in turn then calls inside cert_install():

        if ((cp = cert_parse((u_char *)ep->pkt, (long)ntohl(ep->vallen),
            (tstamp_t)ntohl(ep->fstamp))) == NULL)
                return (NULL);

right away. That looks very much like an OOB read with a len value provided
by the network packet? ep->pkt is what's just been received and it looks
like there's no sanitization before.

So this then calls into internal openssl functions, providing hazardous
len values resulting in a crash of ntpd (OOB read will eventually SIGSEGV).
Is this a single-packet DoS?

regards
Sebastian


-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
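The defect described above is a length taken from the packet (vallen) being trusted before any check against the number of bytes actually received. The following is an added example, not ntpd code and not from the poster: it uses a simplified, hypothetical extension-field layout (a 4-byte big-endian length followed by the value bytes, with no opcode or fstamp fields) and shows the check that must run before the value is handed to any parser such as cert_parse(). The function names, HDR_LEN and the sample packets are constructed for illustration.

```c
/* Added example (not ntpd code): bounds-check a network-supplied value
 * length before handing the value to a parser. The layout below is a
 * simplified, hypothetical extension field: a 4-byte big-endian length
 * followed by that many value bytes. It is not the real ntpd struct. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR_LEN 4   /* hypothetical header: only the 4-byte length field */

/* Read a big-endian 32-bit value without assuming alignment. */
static uint32_t rd32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Return the value length if it fits inside the bytes actually received,
 * otherwise -1. pkt_len is the datagram length reported by the socket
 * layer, never a number taken from the packet itself. */
long checked_vallen(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt == NULL || pkt_len < HDR_LEN)
        return -1;                       /* header itself is truncated */
    uint32_t vallen = rd32be(pkt);
    if (vallen > pkt_len - HDR_LEN)
        return -1;                       /* claims bytes we never received */
    return (long)vallen;
}

/* Copy the value into a caller-supplied buffer only after the check
 * passes. Returns bytes copied, or -1 if the field is rejected or the
 * destination is too small. */
long copy_value(const uint8_t *pkt, size_t pkt_len,
                uint8_t *out, size_t out_len)
{
    long vallen = checked_vallen(pkt, pkt_len);
    if (vallen < 0 || (size_t)vallen > out_len)
        return -1;
    memcpy(out, pkt + HDR_LEN, (size_t)vallen);
    return vallen;
}

/* Constructed samples: a well-formed field, and one whose length field
 * claims 4096 bytes while only 3 value bytes were actually received. */
static const uint8_t good_pkt[] = { 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c' };
static const uint8_t bad_pkt[]  = { 0x00, 0x00, 0x10, 0x00, 'a', 'b', 'c' };

int main(void)
{
    uint8_t buf[16];
    printf("good: %ld\n", copy_value(good_pkt, sizeof good_pkt, buf, sizeof buf));
    printf("bad:  %ld\n", copy_value(bad_pkt,  sizeof bad_pkt,  buf, sizeof buf));
    return 0;
}
```

The point of the example is where the comparison bound comes from: the received datagram length is the only trustworthy limit, and the check has to happen in the dispatching code (the switch in crypto_recv()) before the value pointer and length reach library code that will read whatever length it is given.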
