[Sec 2671] vallen in extension fields are not validated

bk: 5492d353ncauuWt_PONxaDhC5Qv_SA

diff --git a/ChangeLog b/ChangeLog
index 3e4b51827742397f66d5c8e4dadff9bb4a581add..825c7481f2598673bcb822b8dc5ad1b50bfdaf19 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,7 @@
 * [Sec 2668] buffer overflow in ctl_putdata().
 * [Sec 2669] buffer overflow in configure().
 * [Sec 2670] Missing return; from error clause.
+* [Sec 2671] vallen in extension fields are not validated.
 * [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs.
 (4.2.7p486-RC) 2014/12/18 Released by Harlan Stenn <stenn@ntp.org>
 * [Bug 2687] RefClock 26/hpgps doesn't work at default line speed

diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c
index e658b640554beb4b5f81c00bcacd835e7cfd3b76..091fcf527ff84fd5630d08225d169ef536f33403 100644 (file)
--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
@@ -486,7 +486,7 @@ receive(
         */
        authlen = LEN_PKT_NOMAC;
        has_mac = rbufp->recv_length - authlen;
-       while (has_mac != 0) {
+       while (has_mac > 0) {
                u_int32 len;
 #ifdef AUTOKEY
                u_int32 hostlen;
@@ -540,6 +540,14 @@ receive(
                }
        }
 
+       /*
+        * If has_mac is < 0 we had a malformed packet.
+        */
+       if (has_mac < 0) {
+               sys_badlength++;
+               return;         /* bad length */
+       }
+
        /*
         * If authentication required, a MAC must be present.
         */