Recent change in handling of the NTPv4 server negotiation record (commit
754097944be2) increased the length of the instance name buffer to make
room for the trailing dot. This allowed a record with body truncated in
the processing buffer to be accepted and caused an over-read of 1 byte
in the memcpy() call saving the name to the instance buffer.
Modify the client to accept only records that fit in the processing
buffer.
Fixes: 754097944be2 ("nts: handle negotiated server as FQDN")
if (!NKSN_GetRecord(inst->session, &critical, &type, &length, &data, sizeof (data)))
break;
+ if (length > sizeof (data)) {
+ DEBUG_LOG("Record too long type=%d length=%d", type, length);
+ error = 1;
+ break;
+ }
+
switch (type) {
case NKE_RECORD_NEXT_PROTOCOL:
if (!critical || length != 2 || ntohs(data[0]) != NKE_NEXT_PROTOCOL_NTPV4) {
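Review bot: The new `length > sizeof (data)` check only closes the over-read if NKSN_GetRecord reports the record's declared body length rather than the number of bytes it actually copied into `data`; that contract is implied by the commit message but not visible here, so a one-line comment above the check stating it (and, ideally, an assertion or test exercising a record longer than the buffer) would make the intent clear to the next reader. Also, the comparison against `sizeof (data)` promotes `length` to `size_t`, so if `length` is declared as a signed int a negative value would pass the check; if it is unsigned, the `%d` in the DEBUG_LOG call should be `%u`. Either way, confirm the declared type and match the format specifier to it.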