File: Fix-Out-of-bounds-read-in-nts_client_process_response_core.patch

ntpsec 1.2.3%2Bdfsg1-8
From caf0eb5df3c6ddbfc2941389bff0f9146835c021 Mon Sep 17 00:00:00 2001
From: Artem Nasonov <anasonov@astralinux.ru>
Date: Wed, 29 Jan 2025 14:55:49 +0300
Subject: [PATCH] Fix Out-of-bounds read in nts_client_process_response_core

---
 ntpd/nts_client.c | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/ntpd/nts_client.c b/ntpd/nts_client.c
index 541102249e..454f655f8a 100644
--- a/ntpd/nts_client.c
+++ b/ntpd/nts_client.c
@@ -626,6 +626,10 @@ bool nts_client_process_response_core(uint8_t *buff, int transferred, struct pee
 		char server[MAX_SERVER];
 
 		type = ke_next_record(&buf, &length);
+		if(buf.left < length){
+			msyslog(LOG_ERR, "NTSc: length cannot be more than buf.left: %d", length);
+			return false;
+		}
 		if (NTS_CRITICAL & type) {
 			critical = true;
 			type &= ~NTS_CRITICAL;
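Review bot: The new guard after `ke_next_record(&buf, &length)` logs only `length`, so the log cannot show whether the response was truncated or the length field was corrupted. Printing both sides of the comparison would help triage, for example `msyslog(LOG_ERR, "NTSc: record length %d exceeds remaining %d", length, buf.left);`, assuming `buf.left` is an int as the comparison suggests. The guard is also the invariant every record handler below relies on, so a short comment such as `/* Record body must fit in the bytes still unread. */` would document it. As a style point, `if(buf.left < length){` should match the spacing of the neighbouring `if (NTS_CRITICAL & type) {`. The function body starts and ends outside this hunk, so the loop condition that guarantees a full record header before `ke_next_record` is not visible here and is worth confirming.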
@@ -634,25 +638,30 @@ bool nts_client_process_response_core(uint8_t *buff, int transferred, struct pee
 			msyslog(LOG_ERR, "NTSc: Record: T=%d, L=%d, C=%d", type, length, critical);
 		switch (type) {
 		    case nts_error:
-			data = next_uint16(&buf);
-			if (sizeof(data) != length)
+			if (sizeof(data) != length) {
 				msyslog(LOG_ERR, "NTSc: wrong length on error: %d", length);
+				return false;
+			}
+			data = next_uint16(&buf);
 			msyslog(LOG_ERR, "NTSc: error: %d", data);
 			return false;
 		    case nts_next_protocol_negotiation:
+			if (sizeof(data) != length) {
+				msyslog(LOG_ERR, "NTSc: NPN-Wrong length: %d", length);
+				return false;
+			}
 			data = next_uint16(&buf);
-			if ((sizeof(data) != length) || (data != nts_protocol_NTP)) {
-				msyslog(LOG_ERR, "NTSc: NPN-Wrong length or bad data: %d, %d",
-					length, data);
+			if (data != nts_protocol_NTP) {
+				msyslog(LOG_ERR, "NTSc: NPN-Bad data: %d", data);
 				return false;
 			}
 			break;
 		    case nts_algorithm_negotiation:
-			data = next_uint16(&buf);
 			if (sizeof(data) != length) {
 				msyslog(LOG_ERR, "NTSc: AN-Wrong length: %d", length);
 				return false;
 			}
+			data = next_uint16(&buf);
 			keylength = nts_get_key_length(data);
 			if (0 == keylength) {
 				msyslog(LOG_ERR, "NTSc: AN-Unsupported AEAN type: %d", data);
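Review bot: The `nts_error`, `nts_next_protocol_negotiation` and `nts_algorithm_negotiation` cases each hand-code the same `sizeof(data) != length` guard before `next_uint16(&buf)`, so the safety of the read depends on every case keeping that order. `next_uint16` appears not to consult `buf.left` itself (inferred from the need for this patch), so a comment at the top of the switch would record the rule, for example `/* Validate length before any next_*() call; the readers do not bounds-check. */`. The switch continues past the end of this hunk, so the remaining record types should be checked for the same check-then-read ordering. A regression test that feeds each of these three types a declared length of 0 and a length larger than the remaining bytes would pin the fix.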
-- 
GitLab