From gitlab at mg.gitlab.com Fri May 2 05:53:08 2025 From: gitlab at mg.gitlab.com (Hal Murray (@hal.murray)) Date: Fri, 02 May 2025 05:53:08 +0000 Subject: [Git][NTPsec/ntpsec][master] 3 commits: Add length checks to fix fuzzer 393742176 Message-ID: <68145dc4b343e_2cd41c0238b@gitlab-sidekiq-low-urgency-cpu-bound-v2-6cf5c676c6-s7ldt.mail> Hal Murray pushed to branch master at NTPsec / ntpsec Commits: 0a36941e by Hal Murray at 2025-05-01T22:32:56-07:00 Add length checks to fix fuzzer 393742176 Also fix nonce length checking. - - - - - 2b9fa5f2 by Hal Murray at 2025-05-01T22:35:46-07:00 Remove unneeded zeroing -- let fuzzer find bugs The zeroing shouldn't be necessary. It might be masking a real bug. - - - - - 8937bef3 by Hal Murray at 2025-05-01T22:43:26-07:00 Turn off default bit on sys_var_list (mode6) sys_var_list returns a list of all the variables you can ask for. It adds lots of clutter to rv 0 This area needs cleanup. I think I added the DEF bit to all slots when I cleaned up this area a while ago. - - - - - 3 changed files: - ntpd/ntp_control.c - ntpd/nts_extens.c - ntpd/nts_server.c Changes: ===================================== ntpd/ntp_control.c ===================================== @@ -313,7 +313,7 @@ static const struct var sys_var[] = { Var_strP("version", RO|DEF, ntpd_version), Var_dbl("clk_wander", RO|DEF|ToPPM|DBL6, loop_data.clock_stability), - Var_special("sys_var_list", RO|DEF, vs_varlist), + Var_special("sys_var_list", RO, vs_varlist), Var_uint("tai", RO|DEF, sys_tai), Var_time("leapsec", RO|DEF|N_LEAP, lsig.ttime), Var_time("expire", RO|DEF|N_LEAP, lsig.etime), ===================================== ntpd/nts_extens.c ===================================== 
@@ -397,14 +397,18 @@ bool extens_client_recv(struct peer *peer, uint8_t *pkt, int lng) { break; case NTS_AEEF: adlength = buf.next-NTP_EX_HDR_LNG-pkt; /* backup over header */ + if (NTP_EX_U16_LNG*2 > length) + return false; /* garbage packet */ noncelen = next_uint16(&buf); outlen = next_uint16(&buf); if (noncelen&3 || outlen&3) - return false; /* else round up */ + return false; /* else round up */ nonce = buf.next; ciphertext = nonce+noncelen; plaintext = ciphertext+CMAC_LENGTH; - outlen = buf.left-NONCE_LENGTH-CMAC_LENGTH; + if (noncelen+CMAC_LENGTH > length) + return false; /* garbage packet */ + outlen = buf.left-noncelen-CMAC_LENGTH; // printf("ECRa: %lu, %d\n", (long unsigned)outlen, noncelen); ok = AES_SIV_Decrypt(wire_ctx, plaintext, &outlen, @@ -416,8 +420,8 @@ bool extens_client_recv(struct peer *peer, uint8_t *pkt, int lng) { if (!ok) return false; /* setup to process encrypted headers */ - buf.next += NONCE_LENGTH+CMAC_LENGTH; - buf.left -= NONCE_LENGTH+CMAC_LENGTH; + buf.next += noncelen+CMAC_LENGTH; + buf.left -= noncelen+CMAC_LENGTH; sawAEEF = true; break; default: ===================================== ntpd/nts_server.c ===================================== 
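Review bot: The second added guard, `if (noncelen+CMAC_LENGTH > length)`, tests against `length`, but the next line subtracts the same quantity from `buf.left`, and the two `next_uint16()` calls have presumably already consumed 4 bytes of the extension body by then. If `buf.left` can be smaller than `length` at this point (both are set outside the hunk), a packet can pass the guard and `outlen = buf.left-noncelen-CMAC_LENGTH` still goes negative or wraps before it reaches `AES_SIV_Decrypt`. Bounding against the value actually subtracted closes that gap, e.g. `if (noncelen+CMAC_LENGTH > buf.left) return false;`, and the same bound then also covers the `buf.next +=` / `buf.left -=` adjustment in the following hunk. It would also be cleaner to assign `ciphertext` and `plaintext` after the guard, so no pointer is formed from an unvalidated `noncelen`. The enclosing switch and function begin and end outside the hunk.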
@@ -381,10 +381,10 @@ bool nts_ke_request(SSL *ssl) { * Our cookies can be 104, 136, or 168 for AES_SIV_CMAC_xxx * 8*168 fits comfortably into 2K. */ - uint8_t buff[2048] = {0}; - uint8_t c2s[NTS_MAX_KEYLEN] = {0}, s2c[NTS_MAX_KEYLEN] = {0}; + uint8_t buff[2048]; + uint8_t c2s[NTS_MAX_KEYLEN], s2c[NTS_MAX_KEYLEN]; int aead = NO_AEAD, keylen; - struct BufCtl_t buf = {0, 0}; + struct BufCtl_t buf; int bytes_read, bytes_written; int used; View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/3c42d068b51a4c859e0299fadd6f3970572c4da6...8937bef325b7cf04020499502bd6227f623bc87a -- View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/3c42d068b51a4c859e0299fadd6f3970572c4da6...8937bef325b7cf04020499502bd6227f623bc87a You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at mg.gitlab.com Sat May 31 23:04:59 2025 From: gitlab at mg.gitlab.com (Hal Murray (@hal.murray)) Date: Sat, 31 May 2025 23:04:59 +0000 Subject: [Git][NTPsec/ntpsec][master] Reduce ntpdig to single MAC per packet sent Message-ID: <683b8b1ba03e2_2cd68bc73878@gitlab-sidekiq-low-urgency-cpu-bound-v2-6f686bd9b-x4ggv.mail> Hal Murray pushed to branch master at NTPsec / ntpsec Commits: b8f66ec4 by James Browning at 2025-05-31T16:01:36-07:00 Reduce ntpdig to single MAC per packet sent - - - - - 1 changed file: - ntpclients/ntpdig.py Changes: ===================================== ntpclients/ntpdig.py ===================================== 
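Review bot: Removing the `= {0}` initialisers from `buff`, `c2s`, `s2c` and `buf` leaves all four indeterminate in release builds as well as under the fuzzer, so any path in nts_ke_request() that reads or transmits them before they are fully written would now use stale stack contents instead of zeros. That helps a sanitizer find the bug but costs defence in depth in production, particularly for `c2s`/`s2c`, which by their names hold key material, and for `buf`, whose two fields were previously zeroed. Consider dropping the zeroing only in fuzzing builds, for instance by selecting the uninitialised declarations under `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` and keeping `struct BufCtl_t buf = {0, 0};` otherwise. At minimum, add a comment such as `/* deliberately uninitialised: every byte must be written before use; checked under MSan */`. The rest of the function is outside the hunk, so whether every path initialises them before use cannot be confirmed from here.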
@@ -102,10 +102,10 @@ def queryhost(server, concurrent, timeout=5, port=123, bindaddr=None):
 request = ntp.packet.SyncPacket()
 request.transmit_timestamp = ntp.packet.SyncPacket.posix_to_ntp(
 time.time())
- packet = request.flatten()
 needgap = (len(iptuples) > 1) and (gap > 0)
 firstloop = True
 for (family, socktype, proto, canonname, sockaddr) in iptuples:
+ packet = request.flatten()
 if needgap and not firstloop:
 time.sleep(gap)
 if firstloop:
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/commit/b8f66ec4189188f63c00faf1fc625af541292c84 -- View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/commit/b8f66ec4189188f63c00faf1fc625af541292c84 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL:
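Review bot: `request.transmit_timestamp` is still assigned once, above the loop, so with `packet = request.flatten()` now running per address, every server after the first is sent a timestamp that is stale by at least the accumulated `time.sleep(gap)` delays. If the reply handling outside this hunk uses the echoed origin timestamp for delay or offset, results for later addresses are skewed. Moving the assignment into the loop just before the flatten, `request.transmit_timestamp = ntp.packet.SyncPacket.posix_to_ntp(time.time())`, would avoid that at negligible cost. A short comment on the moved line, e.g. `# rebuild per address so a MAC appended for one send is not carried into the next`, would record why the flatten sits inside the loop; the MAC-appending code itself is not visible here. The loop body continues past the end of the hunk.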