[TALOS-CAN-0054] memory corruption
authorJuergen Perlinger <perlinger@ntp.org>
Wed, 30 Sep 2015 16:44:18 +0000 (18:44 +0200)
committerJuergen Perlinger <perlinger@ntp.org>
Wed, 30 Sep 2015 16:44:18 +0000 (18:44 +0200)
 - make sure there's *always* a new buffer for storing the key again

bk: 560c1162ypMAvozNo7Au1Ltnt-DZ7Q

libntp/authkeys.c

index 86166ff22036e782cb3fc0830a3417e2ab25ddb5..667ca298b96fa38d9a7cc6ad43f267ebd151ad67 100644 (file)
@@ -534,9 +534,12 @@ MD5auth_setkey(
        bucket = &key_hash[KEYHASH(keyno)];
        for (sk = *bucket; sk != NULL; sk = sk->hlink) {
                if (keyno == sk->keyid) {
-                       /* TALOS-CAN-0054: make sure we have a buffer! */
-                       if (NULL == sk->secret)
-                               sk->secret = emalloc(len);
+                       /* TALOS-CAN-0054: make sure we have a new buffer! */
+                       if (NULL != sk->secret) {
+                               memset(sk->secret, 0, sk->secretsize);
+                               free(sk->secret);
+                       }
+                       sk->secret = emalloc(len);
                        sk->type = (u_short)keytype;
                        secretsize = len;
                        sk->secretsize = (u_short)secretsize;
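Review bot: The `memset(sk->secret, 0, sk->secretsize);` added immediately before `free(sk->secret);` is a dead store as far as the optimiser is concerned, so it may be removed and the previous key bytes can survive in freed heap memory. Where the platform provides it, `explicit_bzero(sk->secret, sk->secretsize);` would be the replacement; otherwise use a small wipe helper that writes through a `volatile unsigned char *`. The same pattern appears in the `auth_delkeys` hunk below, where the `memset` before `free` was only changed from `'\0'` to `0`. It would also help to extend the comment to say why the buffer is replaced rather than reused, for example `/* TALOS-CAN-0054: never reuse the old buffer, its size may be smaller than len */`. The body of `MD5auth_setkey` starts and ends outside this hunk, so how the new buffer is filled is not visible here.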
@@ -596,11 +599,12 @@ auth_delkeys(void)
                }
 
                /*
-                * Don't lose info as to which keys are trusted.
+                * Don't lose info as to which keys are trusted. Make
+                * sure there are no dangling pointers!
                 */
                if (KEY_TRUSTED & sk->flags) {
                        if (sk->secret != NULL) {
-                               memset(sk->secret, '\0', sk->secretsize);
+                               memset(sk->secret, 0, sk->secretsize);
                                free(sk->secret);
                                sk->secret = NULL; /* TALOS-CAN-0054 */
                        }