From: Juergen Perlinger <perlinger@ntp.org>
Date: Wed, 30 Sep 2015 16:44:18 +0000 (+0200)
Subject: [TALOS-CAN-0054] memory corruption
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=28be683ef4749c507c24b8cca8e6cadfad0a67cf;p=thirdparty%2Fntp.git

[TALOS-CAN-0054] memory corruption
 - make sure there's *always* a new buffer for storing the key again

bk: 560c1162ypMAvozNo7Au1Ltnt-DZ7Q
---

diff --git a/libntp/authkeys.c b/libntp/authkeys.c
index 86166ff22..667ca298b 100644
--- a/libntp/authkeys.c
+++ b/libntp/authkeys.c
@@ -534,9 +534,12 @@ MD5auth_setkey(
 	bucket = &key_hash[KEYHASH(keyno)];
 	for (sk = *bucket; sk != NULL; sk = sk->hlink) {
 		if (keyno == sk->keyid) {
-			/* TALOS-CAN-0054: make sure we have a buffer! */
-			if (NULL == sk->secret)
-				sk->secret = emalloc(len);
+			/* TALOS-CAN-0054: make sure we have a new buffer! */
+			if (NULL != sk->secret) {
+				memset(sk->secret, 0, sk->secretsize);
+				free(sk->secret);
+			}
+			sk->secret = emalloc(len);
 			sk->type = (u_short)keytype;
 			secretsize = len;
 			sk->secretsize = (u_short)secretsize;
@@ -596,11 +599,12 @@ auth_delkeys(void)
 		}
 
 		/*
-		 * Don't lose info as to which keys are trusted.
+		 * Don't lose info as to which keys are trusted. Make
+		 * sure there are no dangling pointers!
 		 */
 		if (KEY_TRUSTED & sk->flags) {
 			if (sk->secret != NULL) {
-				memset(sk->secret, '\0', sk->secretsize);
+				memset(sk->secret, 0, sk->secretsize);
 				free(sk->secret);
 				sk->secret = NULL; /* TALOS-CAN-0054 */
 			}