NTP - Network Time Protocol

#### ChangeSet ####

2014-12-12 11:06:53+00:00, stenn@psp-fb1.ntp.org [Sec 2667] buffer overflow in crypto_recv()

==== ChangeLog ====

2014-12-12 11:05:58+00:00, stenn@psp-fb1.ntp.org +1 -0 [Sec 2667] buffer overflow in crypto_recv()
--- 1.1579/ChangeLog 2014-12-12 08:49:31 +00:00
+++ 1.1580/ChangeLog 2014-12-12 11:05:58 +00:00
@@ -1,3 +1,4 @@
+* [Sec 2667] buffer overflow in crypto_recv().
* [Bug 2686] refclock_gpsdjson needs strtoll(), which is not always present. (4.2.7p484-RC) 2014/12/11 Released by Harlan Stenn <stenn@ntp.org> (4.2.7p483) 2014/12/08 Released by Harlan Stenn <stenn@ntp.org>

==== ntpd/ntp_crypto.c ====

2014-12-12 11:06:03+00:00, stenn@psp-fb1.ntp.org +12 -3 [Sec 2667] buffer overflow in crypto_recv()
--- 1.168/ntpd/ntp_crypto.c 2014-11-15 04:41:02 +00:00
+++ 1.169/ntpd/ntp_crypto.c 2014-12-12 11:06:03 +00:00
@@ -820,15 +820,24 @@ crypto_recv( * errors. */ if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
+ u_int32 *cookiebuf = malloc( + RSA_size(host_pkey->pkey.rsa)); + if (!cookiebuf) { + rval = XEVNT_CKY; + break; + } +
if (RSA_private_decrypt(vallen, (u_char *)ep->pkt,
- (u_char *)&temp32,
+ (u_char *)cookiebuf,
host_pkey->pkey.rsa,
- RSA_PKCS1_OAEP_PADDING) <= 0) {
+ RSA_PKCS1_OAEP_PADDING) != 4) {
rval = XEVNT_CKY;
+ free(cookiebuf);
break; } else {
- cookie = ntohl(temp32);
+ cookie = ntohl(*cookiebuf); + free(cookiebuf);
} } else { rval = XEVNT_CKY;
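
Review bot: the new return-value check `RSA_PKCS1_OAEP_PADDING) != 4` in crypto_recv() hard-codes the cookie length as a bare 4, while the value is then read through a `u_int32 *` in `ntohl(*cookiebuf)`. Writing the comparison against `sizeof(*cookiebuf)` or a named constant would tie the accepted plaintext length to the type that is actually dereferenced. Two smaller points in the same hunk. First, the buffer is sized with `RSA_size(host_pkey->pkey.rsa)` while the enclosing condition tests `vallen` against `EVP_PKEY_size(host_pkey)`; a short comment saying the allocation covers the largest plaintext RSA_private_decrypt() can write for this key would document why the old 4-byte `temp32` target overflowed and why this size is sufficient. Second, `free(cookiebuf)` is repeated on the failure and success paths and releases the decrypted cookie without clearing it; consider copying the value out, zeroing the buffer, and freeing once after the if/else.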