---
+* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
+ - applied patch by Brian Utterback <brian.utterback@oracle.com>
* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
- applied patches by Kurt Roeckx <kurt@roeckx.be> to source
- added shim layer for SSL API calls with issues (both directions)
EVP_DigestUpdate(ctx, (u_char *)pkt, length);
EVP_DigestFinal(ctx, digest, &len);
EVP_MD_CTX_free(ctx);
+ /* If the MAC is longer than the MAX then truncate it. */
+ if (len > MAX_MAC_LEN - 4)
+ len = MAX_MAC_LEN - 4;
memmove((u_char *)pkt + length + 4, digest, len);
return (len + 4);
}
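Review bot: The added clamp on `len` trusts a value that `EVP_DigestFinal()` may never have written, because the return values of `EVP_DigestUpdate()` and `EVP_DigestFinal()` on the lines just above it are ignored. If the digest call fails, the `memmove()` copies whatever `digest` and `len` already held into the packet; the declaration of `len` is outside the hunk, so whether it is initialised cannot be seen here. Checking the result before the clamp would close this, e.g. `if (!EVP_DigestFinal(ctx, digest, &len)) { EVP_MD_CTX_free(ctx); return (0); }`, assuming a zero return is how this function reports "no MAC" to its caller. The same applies to the second hunk, where the clamped `len` feeds the `size` comparison and `isc_tsmemcmp()`. Both function bodies start outside their hunks, and the clamp comment would be clearer if it said why 4 is subtracted (the `+ 4` offsets suggest a 4-byte field ahead of the digest).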
EVP_DigestUpdate(ctx, (u_char *)pkt, length);
EVP_DigestFinal(ctx, digest, &len);
EVP_MD_CTX_free(ctx);
+ /* If the MAC is longer than the MAX then truncate it. */
+ if (len > MAX_MAC_LEN - 4)
+ len = MAX_MAC_LEN - 4;
if (size != (size_t)len + 4) {
msyslog(LOG_ERR,
"MAC decrypt: MAC length error");
return (0);
}
- return !isc_tsmemcmp(digest, (const char *)pkt + length + 4, len);
+ return !isc_tsmemcmp(digest, (u_char *)pkt + length + 4, len);
}
/*