[ntp:security] [Bug 3380] NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Pentest report 01.2017)

bugzilla-daemon at ntp.org
Sat Feb 11 05:41:39 UTC 2017


http://bugs.ntp.org/show_bug.cgi?id=3380

Harlan Stenn <stenn at ntp.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gerv at gerv.net
              Flags|                            |blocking4.2.8+

--- Comment #1 from Harlan Stenn <stenn at ntp.org> 2017-02-11 05:41:39 UTC ---
In oncore_receive() there is a line:

 if (rcvbuf+rcvptr+i > &rcvbuf[sizeof rcvbuf])

The highlighted length check above incorrectly sets the boundaries for the
received buffer by limiting to sizeof(rcvbuf). In this context, an alternative
sizeof(rcvbuf) - 1 would be correct because the size is used as an index. This
creates an off-by-one buffer overflow. Since rcvbuf is directly followed by
another buffer, this issue is deemed nearly impossible to exploit. Still, it
should be viewed as a coding error and resolved accordingly.

-- 
Configure bugmail: http://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
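To make the shape of the check discussed in the comment concrete, here is an added example written for this page; it is not code from ntpd, from the Oncore driver, or from the pentest report. The names rcvbuf, rcvptr and i are stand-ins for the ones quoted above, the buffer size is constructed, and exercise() is a hypothetical harness that places a guard byte directly after the buffer to show which of three check variants lets an index of rcvptr + i reach one element past the end. The arithmetic is kept on indices rather than pointers, which also lets the example show the wrap-around case a subtraction-based bound catches and an addition-based one does not.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the receive buffer; the size is arbitrary. */
#define RCVBUF_SIZE 8
static unsigned char rcvbuf[RCVBUF_SIZE];

/*
 * The check in the shape quoted in the bug, written on indices instead of
 * pointers (forming a pointer more than one element past the end of an
 * array is undefined behaviour in C, so the demo keeps the arithmetic in
 * size_t).  It admits rcvptr + i == sizeof rcvbuf, the one-past-the-end
 * index.
 */
bool check_as_reported(size_t rcvptr, size_t i)
{
    return !(rcvptr + i > sizeof rcvbuf);
}

/* The sizeof(rcvbuf) - 1 bound the report proposes when the sum is an index. */
bool check_minus_one(size_t rcvptr, size_t i)
{
    return !(rcvptr + i > sizeof rcvbuf - 1);
}

/*
 * Same bound, but subtracting instead of adding, so that a huge i cannot
 * wrap rcvptr + i around to a small value and slip past the comparison.
 */
bool check_safe(size_t rcvptr, size_t i)
{
    if (rcvptr >= sizeof rcvbuf)
        return false;
    return i <= sizeof rcvbuf - 1 - rcvptr;   /* i.e. rcvptr + i <= size - 1 */
}

/*
 * Hypothetical harness: run one check and, if it admits the write, store a
 * byte at index rcvptr + i of a shadow copy that carries one guard byte
 * after the buffer (standing in for the neighbouring buffer the report
 * mentions).  Returns 0 = rejected, 1 = stored in bounds, 2 = guard byte
 * clobbered (the off-by-one).
 */
int exercise(bool (*check)(size_t, size_t), size_t rcvptr, size_t i)
{
    unsigned char shadow[RCVBUF_SIZE + 1];
    memset(shadow, 0, sizeof shadow);
    shadow[RCVBUF_SIZE] = 0xAA;            /* guard byte past the end */
    if (!check(rcvptr, i))
        return 0;
    /* Each check above bounds the (possibly wrapped) value of rcvptr + i by
     * RCVBUF_SIZE, so this store never leaves the shadow array. */
    shadow[rcvptr + i] = 0x55;
    return shadow[RCVBUF_SIZE] == 0xAA ? 1 : 2;
}

int main(void)
{
    printf("reported check,  rcvptr=0, i=%d       -> %d\n", RCVBUF_SIZE,
           exercise(check_as_reported, 0, RCVBUF_SIZE));
    printf("minus-one check, rcvptr=0, i=%d       -> %d\n", RCVBUF_SIZE,
           exercise(check_minus_one, 0, RCVBUF_SIZE));
    printf("minus-one check, rcvptr=1, i=SIZE_MAX -> %d\n",
           exercise(check_minus_one, 1, SIZE_MAX));
    printf("safe check,      rcvptr=1, i=SIZE_MAX -> %d\n",
           exercise(check_safe, 1, SIZE_MAX));
    return 0;
}
```

The first call returns 2: the quoted bound admits an index equal to sizeof rcvbuf and the guard byte is overwritten. The sizeof - 1 bound rejects that case, but the third call shows that any check of the form rcvptr + i > limit is only as good as the addition, which wraps for an absurd i; rewriting it as i <= limit - rcvptr with an explicit rcvptr range check is the form to prefer when the length comes from outside the program.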
