From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Wed, 7 Jan 2015 12:58:11 +0000 (+0100)
Subject: ntp: fix length check of NTPv4 extension fields
X-Git-Tag: 2.0-pre1~16
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=35e11ffe602466da2591f238901eba8101bfe56c;p=thirdparty%2Fchrony.git

ntp: fix length check of NTPv4 extension fields

Don't allow extension fields shorter than 16 bytes.
---

diff --git a/ntp_core.c b/ntp_core.c
index 8615bc82..74559815 100644
--- a/ntp_core.c
+++ b/ntp_core.c
@@ -1040,7 +1040,8 @@ check_packet_auth(NTP_Packet *pkt, int length, int *has_auth, uint32_t *key_id)
        16-bit length of the whole field aligned to 32 bits and data. */
     if (remainder >= NTP_MIN_EXTENSION_LENGTH) {
       ext_length = ntohs(*(uint16_t *)(data + i + 2));
-      if (ext_length % 4 == 0 && ext_length <= remainder) {
+      if (ext_length >= NTP_MIN_EXTENSION_LENGTH &&
+          ext_length <= remainder && ext_length % 4 == 0) {
         i += ext_length;
         continue;
       }