[Git][NTPsec/ntpsec][master] Out of bounds read in nts_ke_process_receive() in nts_server.c

Hal Murray (@hal.murray) gitlab at mg.gitlab.com
Sun Nov 24 22:15:15 UTC 2024



Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
5cffe91b by Mikhail Khachayants at 2024-11-24T22:50:57+02:00
Out of bounds read in nts_ke_process_receive() in nts_server.c

- - - - -


1 changed file:

- ntpd/nts_server.c


Changes:

=====================================
ntpd/nts_server.c
=====================================
@@ -540,20 +540,29 @@ bool nts_ke_process_receive(struct BufCtl_t *buf, int *aead) {
 			msyslog(LOG_INFO, "NTSs: Record: T=%d, L=%d, C=%d", type, length, critical);
 		switch (type) {
 		    case nts_error:
-			data = next_uint16(buf);
-			if (sizeof(data) != length)
+			if (sizeof(data) != length) {
 				msyslog(LOG_ERR, "NTSs: wrong length on error: %d", length);
+				return false;
+			}
+			data = next_uint16(buf);
 			msyslog(LOG_ERR, "NTSs: error: %d", data);
 			return false;
 		    case nts_next_protocol_negotiation:
+			if (sizeof(data) != length) {
+				msyslog(LOG_ERR, "NTSs: NPN-Wrong length: %d", length);
+				return false;
+			}
 			data = next_uint16(buf);
-			if ((sizeof(data) != length) || (data != nts_protocol_NTP)) {
-				msyslog(LOG_ERR, "NTSs: NPN-Wrong length or bad data: %d, %d",
-					length, data);
+			if (data != nts_protocol_NTP) {
+				msyslog(LOG_ERR, "NTSs: NPN-Bad data: %d", data);
 				return false;
 			}
 			break;
 		    case nts_algorithm_negotiation:
+			if (buf->left < length || length % sizeof(uint16_t) > 0) {
+				msyslog(LOG_ERR, "NTSs: AN-Wrong length: %d", length);
+				return false;
+			}
 			for (int i=0; i<length; i+=sizeof(uint16_t)) {
 				data = next_uint16(buf);
 				if (0 == nts_get_key_length(data)) {
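Review bot: The `nts_error` and `nts_next_protocol_negotiation` cases now reject a record whose declared `length` is not 2, but unlike the new `nts_algorithm_negotiation` guard they never compare `length` with `buf->left`, so a truncated record that declares L=2 with fewer than two bytes remaining would still reach `next_uint16(buf)`. Unless a check outside this hunk already bounds `length` by `buf->left`, both guards should read `if (sizeof(data) != length || buf->left < length) {`. A single `buf->left < length` test placed right after the record header is parsed would cover every case in the switch, including the ones not shown here. The body of `nts_ke_process_receive()` starts before and continues after the hunk, so whether such a check already exists cannot be confirmed from the visible lines.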



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/commit/5cffe91b8ba66742263316bd9e034b73e900fd3c
