[ntp:hackers] MD5auth_setkey bug in copying message digest

tglassey tglassey at glassey.com
Mon Jul 6 15:49:54 UTC 2009


Dave Hart wrote:
> On Mon, Jul 6, 2009 at 1:07 AM, Victor Jesus Angus wrote:
>   
>> Hello,
>>
>> I'm implementing a small autokey client that specifically works using IFF
>> and found a bug in the reference implementation
>> libntp/authkeys.c:MD5auth_setkey. When copying the key to sk->k.MD5_key,
>> it uses strncpy, which causes the destination to be truncated when a NULL is
>> found, which causes a wrong MAC to be generated. My proposed fix is to use
>> memcpy.
>>     
>
> Hi Victor,
>
> Please file a bug report at http://bugs.ntp.org/ and attach a proposed
> patch using the website's Add Attachment link.  Do not be surprised if
> your browser warns you about the https certificate, it is issued by
> cacert.org, which many browsers do not trust by default.
>   
So why not just publish this cert so it can be loaded into the cache for
people using that server?
>   
>> -                       strncpy((char *)sk->k.MD5_key, (const char *)key,
>> -                           sizeof(sk->k.MD5_key));
>> +                       memcpy(sk->k.MD5_key, key, len);
>>                        if ((sk->keylen = len) > sizeof(sk->k.MD5_key))
>>                            sk->keylen = sizeof(sk->k.MD5_key);
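Review bot: the added memcpy(sk->k.MD5_key, key, len) copies len bytes before the two following lines clamp sk->keylen to sizeof(sk->k.MD5_key), so a key longer than the buffer is written past the end of sk->k.MD5_key, where the removed strncpy was bounded by sizeof. Set sk->keylen first, then copy with memcpy(sk->k.MD5_key, key, sk->keylen).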
>>     
>
> Before submitting your patch, I suggest you change it to more clearly
> protect against buffer overrun by moving the memcpy() after sk->keylen
> is set and using sk->keylen as the number of bytes to copy for
> memcpy(), in both snippets.
>   
I agree this fix is OK, but a better solution would be un-bundling the
auth code from the time management and transfer code so that other auth
front-ends could more easily be used...
> Cheers,
> Dave Hart
>   
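The truncation reported in this thread, next to the clamp-then-copy ordering suggested in the reply, as an added C example that is not part of the original messages or the ntp source. `struct demo_key`, `KEY_BUF`, the function names and the sample key are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define KEY_BUF 16  /* assumed size for this sketch, not the ntpd value */

/* Hypothetical stand-in for the key record in authkeys.c */
struct demo_key {
    unsigned char key[KEY_BUF];
    size_t keylen;
};

/* Constructed binary key with a zero byte at offset 2 */
static const unsigned char BIN_KEY[8] = {0xde, 0xad, 0x00, 0xbe, 0xef, 0x01, 0x02, 0x03};

/* Pattern removed by the patch: copying stops at the first zero byte,
 * and strncpy() zero-fills the remainder of the destination. */
static void set_strncpy(struct demo_key *sk, const unsigned char *key, size_t len)
{
    strncpy((char *)sk->key, (const char *)key, sizeof(sk->key));
    sk->keylen = len > sizeof(sk->key) ? sizeof(sk->key) : len;
}

/* Ordering suggested in the thread: clamp keylen, then memcpy() keylen bytes. */
static void set_memcpy(struct demo_key *sk, const unsigned char *key, size_t len)
{
    sk->keylen = len > sizeof(sk->key) ? sizeof(sk->key) : len;
    memcpy(sk->key, key, sk->keylen);
}

/* How many leading key bytes survived the copy unchanged. */
static size_t preserved(void (*set)(struct demo_key *, const unsigned char *, size_t),
                        const unsigned char *key, size_t len)
{
    struct demo_key sk;
    size_t i = 0;
    memset(&sk, 0xff, sizeof(sk));
    set(&sk, key, len);
    while (i < sk.keylen && sk.key[i] == key[i])
        i++;
    return i;
}

int main(void)
{
    printf("strncpy: %zu of 8 bytes intact\n", preserved(set_strncpy, BIN_KEY, sizeof(BIN_KEY)));
    printf("memcpy:  %zu of 8 bytes intact\n", preserved(set_memcpy, BIN_KEY, sizeof(BIN_KEY)));
    return 0;
}
```

With the strncpy variant the stored key matches the input only up to the zero byte while keylen still reports 8, so a MAC computed over the stored bytes differs from one computed over the real key.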


