2014-12-12 11:05:58+00:00, stenn@psp-fb1.ntp.org +1 -0
[Sec 2667] buffer overflow in crypto_recv()
+* [Sec 2667] buffer overflow in crypto_recv().
* [Bug 2686] refclock_gpsdjson needs strtoll(), which is not always present.
(4.2.7p484-RC) 2014/12/11 Released by Harlan Stenn <stenn@ntp.org>
(4.2.7p483) 2014/12/08 Released by Harlan Stenn <stenn@ntp.org>
==== ntpd/ntp_crypto.c ====
2014-12-12 11:06:03+00:00, stenn@psp-fb1.ntp.org +12 -3
[Sec 2667] buffer overflow in crypto_recv()
--- 1.168/ntpd/ntp_crypto.c 2014-11-15 04:41:02 +00:00
+++ 1.169/ntpd/ntp_crypto.c 2014-12-12 11:06:03 +00:00
@@ -820,15 +820,24 @@ crypto_recv(
* errors.
*/
if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
+ u_int32 *cookiebuf = malloc(
+ RSA_size(host_pkey->pkey.rsa));
+ if (!cookiebuf) {
+ rval = XEVNT_CKY;
+ break;
+ }
+
if (RSA_private_decrypt(vallen,
(u_char *)ep->pkt,
- (u_char *)&temp32,
+ (u_char *)cookiebuf,
host_pkey->pkey.rsa,
- RSA_PKCS1_OAEP_PADDING) <= 0) {
+ RSA_PKCS1_OAEP_PADDING) != 4) {
rval = XEVNT_CKY;
+ free(cookiebuf);
break;
} else {
- cookie = ntohl(temp32);
+ cookie = ntohl(*cookiebuf);
+ free(cookiebuf);
}
} else {
rval = XEVNT_CKY;
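Review bot: The new length check `RSA_PKCS1_OAEP_PADDING) != 4` hard-codes the cookie size as a bare 4. Compare against `sizeof(*cookiebuf)` or a named constant instead. Also add a comment above the `malloc()` explaining why the output buffer is sized with `RSA_size()` rather than being the 4-byte `temp32` it replaces, since that sizing is the substance of the fix and nothing in the code states it. Separately, `free(cookiebuf)` is duplicated in both branches and releases a buffer that may hold decrypted data without clearing it. Storing the return value, copying the cookie out on success, then zeroing and freeing the buffer once after the `if` would remove the duplication and avoid leaving the plaintext in freed heap memory.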