[ntp:questions] ntpdate.c unsafe buffer write
Unruh
unruh-spam at physics.ubc.ca
Fri Feb 8 02:13:37 UTC 2008
Harlan Stenn <stenn at ntp.org> writes:
>Bill,
>ntpdate is being deprecated.
Maybe, but it should still not have bugs if it is actually still part of
the distro.
>And it is *much* better to file reports like this using bugs.ntp.org as
>otherwise they tend to get lost in the wind.
OK. Will do.
>H
>--
>>>> In article <4FIqj.1315$FO1.16 at edtnps82>, Unruh <unruh-spam at physics.ubc.ca> writes:
>Unruh> In ntpdate.c around line 542 (4.2.4p4) is the sequence
>Unruh>     if (!authistrusted(sys_authkey)) {
>Unruh>         char buf[10];
>Unruh>         (void) sprintf(buf, "%lu", (unsigned long)sys_authkey);
>Unruh>         msyslog(LOG_ERR, "authentication key %s unknown", buf);
>Unruh>         exit(1);
>Unruh>     }
>Unruh> Since unsigned long does not have a definite length on all machines,
>Unruh> and with the trailing zero certainly is potentially longer than 10
>Unruh> bytes, that buf is ripe for buffer overflow. It should be something
>Unruh> like char buf[(sizeof(unsigned long)*12/5+2)]; And/or the sprintf
>Unruh> should be an snprintf.
>--
>Harlan Stenn <stenn at ntp.org>
>http://ntpforum.isc.org - be a member!
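
An added example, not part of the original thread or of the ntp source: it checks the buffer size suggested in the report against the space needed to print ULONG_MAX, and shows the bounded snprintf form with a truncation check. The helper names decimal_bytes_needed and format_key and the macro KEYBUF_LEN are hypothetical.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Buffer size suggested in the report: sizeof * 12/5 digits, plus 2. */
#define KEYBUF_LEN (sizeof(unsigned long) * 12 / 5 + 2)

/* Hypothetical helper: bytes needed (digits + NUL) to print v in decimal. */
static size_t decimal_bytes_needed(unsigned long v)
{
    size_t n = 1;                      /* at least one digit */
    while (v >= 10) {
        v /= 10;
        n++;
    }
    return n + 1;                      /* + terminating NUL */
}

/* Hypothetical helper: bounded formatting.
 * Returns 0 on success, -1 if the value did not fit in buf. */
static int format_key(char *buf, size_t len, unsigned long key)
{
    int n = snprintf(buf, len, "%lu", key);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    char small[10];                    /* the size used in the quoted code */
    char sized[KEYBUF_LEN];            /* the size suggested in the report */

    printf("ULONG_MAX needs %zu bytes; buf[10] has %zu; formula gives %zu\n",
           decimal_bytes_needed(ULONG_MAX), sizeof small, (size_t)KEYBUF_LEN);

    /* snprintf never writes past len; the return value reveals truncation. */
    if (format_key(small, sizeof small, ULONG_MAX) != 0)
        printf("10-byte buffer: truncated to \"%s\", no overflow\n", small);
    if (format_key(sized, sizeof sized, ULONG_MAX) == 0)
        printf("sized buffer: \"%s\"\n", sized);
    return 0;
}
```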