[Git][NTPsec/ntpsec][master] 3 commits: Add length checks to fix fuzzer 393742176
Hal Murray (@hal.murray)
gitlab at mg.gitlab.com
Fri May 2 05:53:08 UTC 2025
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
0a36941e by Hal Murray at 2025-05-01T22:32:56-07:00
Add length checks to fix fuzzer 393742176
Also fix nonce length checking.
- - - - -
2b9fa5f2 by Hal Murray at 2025-05-01T22:35:46-07:00
Remove unneeded zeroing -- let fuzzer find bugs
The zeroing shouldn't be necessary.
It might be masking a real bug.
- - - - -
8937bef3 by Hal Murray at 2025-05-01T22:43:26-07:00
Turn off default bit on sys_var_list (mode6)
sys_var_list returns a list of all the variables you can ask for.
It adds lots of clutter to rv 0
This area needs cleanup. I think I added the DEF bit to all
slots when I cleaned up this area a while ago.
- - - - -
3 changed files:
- ntpd/ntp_control.c
- ntpd/nts_extens.c
- ntpd/nts_server.c
Changes:
=====================================
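--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -313,7 +313,7 @@ static const struct var sys_var[] = {
 Var_strP("version", RO|DEF, ntpd_version),
 Var_dbl("clk_wander", RO|DEF|ToPPM|DBL6, loop_data.clock_stability),
-Var_special("sys_var_list", RO|DEF, vs_varlist),
+Var_special("sys_var_list", RO, vs_varlist),
 Var_uint("tai", RO|DEF, sys_tai),
 Var_time("leapsec", RO|DEF|N_LEAP, lsig.ttime),
 Var_time("expire", RO|DEF|N_LEAP, lsig.etime),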
=====================================
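--- a/ntpd/nts_extens.c
+++ b/ntpd/nts_extens.c
@@ -397,14 +397,18 @@ bool extens_client_recv(struct peer *peer, uint8_t *pkt, int lng) {
 break;
 case NTS_AEEF:
 adlength = buf.next-NTP_EX_HDR_LNG-pkt; /* backup over header */
+if (NTP_EX_U16_LNG*2 > length)
+return false; /* garbage packet */
 noncelen = next_uint16(&buf);
 outlen = next_uint16(&buf);
 if (noncelen&3 || outlen&3)
-return false; /* else round up */
+return false; /* else round up */
 nonce = buf.next;
 ciphertext = nonce+noncelen;
 plaintext = ciphertext+CMAC_LENGTH;
-outlen = buf.left-NONCE_LENGTH-CMAC_LENGTH;
+if (noncelen+CMAC_LENGTH > length)
+return false; /* garbage packet */
+outlen = buf.left-noncelen-CMAC_LENGTH;
 // printf("ECRa: %lu, %d\n", (long unsigned)outlen, noncelen);
 ok = AES_SIV_Decrypt(wire_ctx,
 plaintext, &outlen,
@@ -416,8 +420,8 @@ bool extens_client_recv(struct peer *peer, uint8_t *pkt, int lng) {
 if (!ok)
 return false;
 /* setup to process encrypted headers */
-buf.next += NONCE_LENGTH+CMAC_LENGTH;
-buf.left -= NONCE_LENGTH+CMAC_LENGTH;
+buf.next += noncelen+CMAC_LENGTH;
+buf.left -= noncelen+CMAC_LENGTH;
 sawAEEF = true;
 break;
 default: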
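Review bot: The new guard `if (noncelen+CMAC_LENGTH > length)` bounds against `length`, while the line below it and the second hunk subtract the same amount from `buf.left`; if `length` is the extension field's declared length rather than the bytes actually remaining in the packet, a field that overstates its size still makes `outlen = buf.left-noncelen-CMAC_LENGTH` and `buf.left -= noncelen+CMAC_LENGTH` wrap, so the guard should also cover the buffer, e.g. `if (noncelen+CMAC_LENGTH > length || noncelen+CMAC_LENGTH > buf.left)`. If `length` still counts the two length words just consumed by `next_uint16`, the check is additionally off by `2*NTP_EX_U16_LNG`; neither can be confirmed from this hunk, so both deserve a look against where `length` is set. Moving the check above `nonce = buf.next;` would also avoid forming pointers past the end of the packet before they have been validated. extens_client_recv starts and ends outside the hunk.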
=====================================
ntpd/nts_server.c
=====================================
@@ -381,10 +381,10 @@ bool nts_ke_request(SSL *ssl) {
* Our cookies can be 104, 136, or 168 for AES_SIV_CMAC_xxx
* 8*168 fits comfortably into 2K.
*/
- uint8_t buff[2048] = {0};
- uint8_t c2s[NTS_MAX_KEYLEN] = {0}, s2c[NTS_MAX_KEYLEN] = {0};
+ uint8_t buff[2048];
+ uint8_t c2s[NTS_MAX_KEYLEN], s2c[NTS_MAX_KEYLEN];
int aead = NO_AEAD, keylen;
- struct BufCtl_t buf = {0, 0};
+ struct BufCtl_t buf;
int bytes_read, bytes_written;
int used;
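Review bot: Dropping the `= {0}` initializers on `buff`, `c2s` and `s2c` makes any byte that is not written before use stack garbage, and the commit relies on the fuzzer to catch that; this only holds if the fuzz build runs under MemorySanitizer or valgrind, since AddressSanitizer does not flag reads of uninitialized but in-bounds stack memory. The case worth watching is `buff`, which is written to the wire: if a length bookkeeping error ever transmits more bytes than were filled in, uninitialized frame contents (possibly including `c2s`/`s2c` key material) leave the host, and that is a disclosure rather than a crash, which a fuzzer would not see. `struct BufCtl_t buf;` likewise now needs every field assigned before its first use, which the hunk does not show. A one-line comment on the declarations, e.g. `/* deliberately uninitialized: MSan/valgrind catch uninitialized reads */`, would stop the next maintainer from re-adding the zeroing. nts_ke_request's body continues outside the hunk.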
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/3c42d068b51a4c859e0299fadd6f3970572c4da6...8937bef325b7cf04020499502bd6227f623bc87a