From: Juergen Perlinger
Date: Sun, 4 Sep 2016 09:20:00 +0000 (+0200)
Subject: [Bug 3059] Potential buffer overrun from oversized hash
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6bce5d3b5df67325c5620b593fdf7e670179f77d;p=thirdparty%2Fntp.git
[Bug 3059] Potential buffer overrun from oversized hash
bk: 57cbe7401Of1QcIHroNhjbGos1SNPA
---
diff --git a/ChangeLog b/ChangeLog
index cadee06f7..f211d2d14 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,6 @@
 ---
+* [Bug 3059] Potential buffer overrun from oversized hash
+ - applied patch by Brian Utterback
 * [Bug 3095] Compatibility with openssl 1.1
 - applied patches by Kurt Roeckx to source
 - added shim layer for SSL API calls with issues (both directions)
diff --git a/libntp/a_md5encrypt.c b/libntp/a_md5encrypt.c
index 0ff036f0e..7edcd2e30 100644
--- a/libntp/a_md5encrypt.c
+++ b/libntp/a_md5encrypt.c
@@ -46,6 +46,9 @@ MD5authencrypt(
 EVP_DigestUpdate(ctx, (u_char *)pkt, length);
 EVP_DigestFinal(ctx, digest, &len);
 EVP_MD_CTX_free(ctx);
+ /* If the MAC is longer than the MAX then truncate it. */
+ if (len > MAX_MAC_LEN - 4)
+ len = MAX_MAC_LEN - 4;
 memmove((u_char *)pkt + length + 4, digest, len);
 return (len + 4);
 }
@@ -86,12 +89,15 @@ MD5authdecrypt(
 EVP_DigestUpdate(ctx, (u_char *)pkt, length);
 EVP_DigestFinal(ctx, digest, &len);
 EVP_MD_CTX_free(ctx);
+ /* If the MAC is longer than the MAX then truncate it. */
+ if (len > MAX_MAC_LEN - 4)
+ len = MAX_MAC_LEN - 4;
 if (size != (size_t)len + 4) {
 msyslog(LOG_ERR, "MAC decrypt: MAC length error");
 return (0);
 }
- return !isc_tsmemcmp(digest, (const char *)pkt + length + 4, len);
+ return !isc_tsmemcmp(digest, (u_char *)pkt + length + 4, len);
 }
 /*
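Review bot: The clamp in MD5authencrypt shortens the digest without saying which bytes survive or why the limit is `MAX_MAC_LEN - 4`, and the same three lines are repeated in MD5authdecrypt in the next hunk, so the two sides can drift apart. The `4` is presumably the key-ID word that precedes the digest (the memmove targets `pkt + length + 4` and the function returns `len + 4`); a single named constant for the digest capacity, used by both functions, would make that explicit. I would also replace the comment with `/* Digest may exceed the on-wire MAC field (MAX_MAC_LEN minus the 4-byte key ID): keep only the leading bytes; MD5authdecrypt() must clamp identically. */`. Whether the caller's packet buffer really has MAX_MAC_LEN bytes of room past `length` cannot be seen here, because the signature and the callers lie outside the hunk; that requirement belongs in the function's header comment.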
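Review bot: MD5authdecrypt still ignores the result of `EVP_DigestFinal`, so the new clamp and the constant-time compare run on whatever `len` and `digest` hold if the digest step fails; a verifier should fail closed, e.g. `if (!EVP_DigestFinal(ctx, digest, &len)) { EVP_MD_CTX_free(ctx); return (0); }`. How `len` is initialised is outside the hunk, so the exact consequence is not visible from here. Separately, the new cast `(u_char *)pkt` drops the read-only intent of the old `(const char *)`; `(const u_char *)pkt + length + 4` keeps what appears to be a signedness fix without discarding const.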