[ntpsec commit] Fix authkeys memory management bugs

[Daniel Franke]

Module:    ntpsec
Branch:    master
Commit:    de33052c06da10354643f50718b42f2c54e14a97
Changeset: http://git.ntpsec.org/ntpsec/commit/?id=de33052c06da10354643f50718b42f2c54e14a97

Author:    Daniel Fox Franke <dfoxfranke at gmail.com>
Date:      Tue Oct 20 19:44:47 2015 -0400

Fix authkeys memory management bugs

This resolves two different issues discovered by Yves Younan and
Aleksander Nikolich of Cisco Talos and assigned tracking IDs
TALOS-CAN-0054 and TALOS-CAN-0065.

---

 libntp/authkeys.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libntp/authkeys.c b/libntp/authkeys.c
index e373f77..8b931bb 100644
--- a/libntp/authkeys.c
+++ b/libntp/authkeys.c
@@ -301,6 +301,7 @@ freesymkey(
 	if (sk->secret != NULL) {
 		memset(sk->secret, '\0', sk->secretsize);
 		free(sk->secret);
+                sk->secret = NULL;
 	}
 	UNLINK_SLIST(unlinked, *bucket, sk, hlink, symkey);
 	DEBUG_ENSURE(sk == unlinked);
@@ -535,6 +536,8 @@ MD5auth_setkey(
 			sk->type = (u_short)keytype;
 			secretsize = len;
 			sk->secretsize = (u_short)secretsize;
+                        free(sk->secret);
+                        sk->secret = emalloc(secretsize);
 			memcpy(sk->secret, key, secretsize);
 			if (cache_keyid == keyno) {
 				cache_flags = 0;
@@ -588,6 +591,7 @@ auth_delkeys(void)
 			if (sk->secret != NULL) {
 				memset(sk->secret, '\0', sk->secretsize);
 				free(sk->secret);
+				sk->secret = NULL;
 			}
 			sk->secretsize = 0;
 			sk->lifetime = 0;