[TALOS-CAN-0054] memory corruption in password store

bk: 560afee95dUAWHvDs84F2ljXeZfaXQ

diff --git a/ChangeLog b/ChangeLog
index 30944996f826becb2e2c323791fb458b611948f1..f2342eb21e9b3a5592d4b82961477d78db1ebd76 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
 ---
 * [TALOS-CAN-0052] crash by loop counter underrun. perlinger@ntp.org
+* [TALOS-CAN-0054] memory corruption in password store. perlinger@ntp.org
 * [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
 * [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
 * [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.

diff --git a/libntp/authkeys.c b/libntp/authkeys.c
index 68771ffb339f3d9d05f601956a1bc82c37fa65bd..86166ff22036e782cb3fc0830a3417e2ab25ddb5 100644 (file)
--- a/libntp/authkeys.c
+++ b/libntp/authkeys.c
@@ -534,6 +534,9 @@ MD5auth_setkey(
        bucket = &key_hash[KEYHASH(keyno)];
        for (sk = *bucket; sk != NULL; sk = sk->hlink) {
                if (keyno == sk->keyid) {
+                       /* TALOS-CAN-0054: make sure we have a buffer! */
+                       if (NULL == sk->secret)
+                               sk->secret = emalloc(len);
                        sk->type = (u_short)keytype;
                        secretsize = len;
                        sk->secretsize = (u_short)secretsize;
@@ -599,6 +602,7 @@ auth_delkeys(void)
                        if (sk->secret != NULL) {
                                memset(sk->secret, '\0', sk->secretsize);
                                free(sk->secret);
+                               sk->secret = NULL; /* TALOS-CAN-0054 */
                        }
                        sk->secretsize = 0;
                        sk->lifetime = 0;