From: Miroslav Lichvar
Date: Tue, 27 Apr 2021 09:18:04 +0000 (+0200)
Subject: nts: fix handling of long server negotiation record
X-Git-Tag: 4.1~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7925ed39b81f394083e939c96d18a652f977d315;p=thirdparty%2Fchrony.git

nts: fix handling of long server negotiation record

Recent change in handling of the NTPv4 server negotiation record (commit 754097944be2) increased the length of the instance name buffer to make room for the trailing dot. This allowed a record with body truncated in the processing buffer to be accepted and caused an over-read of 1 byte in the memcpy() call saving the name to the instance buffer.

Modify the client to accept only records that fit in the processing buffer.

Fixes: 754097944be2 ("nts: handle negotiated server as FQDN")
---
diff --git a/nts_ke_client.c b/nts_ke_client.c
index 877d1c81..89dc6fed 100644
--- a/nts_ke_client.c
+++ b/nts_ke_client.c
@@ -141,6 +141,12 @@ process_response(NKC_Instance inst) if (!NKSN_GetRecord(inst->session, &critical, &type, &length, &data, sizeof (data))) break; + if (length > sizeof (data)) { + DEBUG_LOG("Record too long type=%d length=%d", type, length); + error = 1; + break; + } + switch (type) { case NKE_RECORD_NEXT_PROTOCOL: if (!critical || length != 2 || ntohs(data[0]) != NKE_NEXT_PROTOCOL_NTPV4) {
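Review bot: the new `length > sizeof (data)` guard protects only this call site in process_response(); any other consumer of NKSN_GetRecord() that trusts the reported `length` after the body was truncated to the supplied buffer has the same over-read, so consider making NKSN_GetRecord() itself fail (or return a truncation flag) when the body exceeds `sizeof (data)`, keeping this check as a caller-side backstop. Two smaller points on the same hunk: the `%d` conversions in `DEBUG_LOG("Record too long type=%d length=%d", type, length)` should match the declared types of `type` and `length`, which are not visible here (use `%u`/`%zu` if either is unsigned), and a regression test that feeds a server negotiation record whose body is larger than `data` would pin the fix the commit message describes.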
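The failure mode the commit message describes, modelled as an added example that is not chrony's code: a record reader that reports the full body length but copies at most the processing buffer's size, a pre-fix handler that checks the length only against the (enlarged) destination name buffer, and the post-fix handler that first rejects anything that did not fit the processing buffer, as the patch does. The buffer sizes, the record builder, the handler names and the `REC_BUF_SIZE`/`NAME_BUF_SIZE` constants are assumptions chosen so that the destination buffer is larger than the processing buffer; the record header layout (critical bit, 15-bit type, 16-bit body length, big-endian) follows RFC 8915, where type 6 is NTPv4 Server Negotiation.

```c
/* Added example modelling the over-read described in the commit message.
 * Not chrony's code: sizes, names and the record reader are assumptions. */
#include <stdint.h>
#include <string.h>

#define REC_BUF_SIZE 16                   /* assumed processing buffer size */
#define NAME_BUF_SIZE (REC_BUF_SIZE + 4)  /* assumed: enlarged for name + '.' + NUL */
#define REC_TYPE_SERVER 6                 /* NTPv4 Server Negotiation, RFC 8915 */
#define MAX_NAME 64                       /* assumed cap for the constructed record */

enum outcome { ACCEPTED, REJECTED_NAME_TOO_LONG, REJECTED_RECORD_TOO_LONG, NO_RECORD };

/* Read one record: 2-byte critical|type, 2-byte body length, body (big-endian).
 * Like the getter the patched caller uses, it reports the full body length but
 * copies at most bufsize bytes into buf. Returns 0 if the stream is too short. */
static int get_record(const uint8_t *stream, size_t stream_len,
                      int *critical, int *type, size_t *length,
                      uint8_t *buf, size_t bufsize)
{
  if (stream_len < 4)
    return 0;
  uint16_t t = (uint16_t)((stream[0] << 8) | stream[1]);
  uint16_t l = (uint16_t)((stream[2] << 8) | stream[3]);
  if (stream_len < 4 + (size_t)l)
    return 0;
  *critical = (t & 0x8000) != 0;
  *type = t & 0x7fff;
  *length = l;
  memcpy(buf, stream + 4, l < bufsize ? l : bufsize);   /* body truncated here */
  return 1;
}

/* Pre-fix logic: only the destination is checked. A body of REC_BUF_SIZE + 1
 * bytes passes, so memcpy(name, data, length) would read one byte past data[].
 * The copy is deliberately not performed; *copy_len records how many bytes it
 * would read from the REC_BUF_SIZE-byte processing buffer. */
static enum outcome handle_vulnerable(size_t length, size_t *copy_len)
{
  if (length + 2 > NAME_BUF_SIZE)       /* room for trailing '.' and NUL */
    return REJECTED_NAME_TOO_LONG;
  *copy_len = length;                   /* would be memcpy(name, data, length) */
  return ACCEPTED;
}

/* Post-fix logic: reject a body that did not fit the processing buffer before
 * any type-specific check, as the patch does. The copy is now in bounds. */
static enum outcome handle_fixed(size_t length, const uint8_t *data,
                                 char *name, size_t *copy_len)
{
  if (length > REC_BUF_SIZE)
    return REJECTED_RECORD_TOO_LONG;
  if (length + 2 > NAME_BUF_SIZE)
    return REJECTED_NAME_TOO_LONG;
  memcpy(name, data, length);
  name[length] = '.';                   /* trailing dot for the FQDN */
  name[length + 1] = '\0';
  *copy_len = length;
  return ACCEPTED;
}

/* Build a constructed server negotiation record whose body is name_len 'a'
 * bytes, read it through get_record() into a REC_BUF_SIZE buffer, and run it
 * through the pre-fix (fixed == 0) or post-fix (fixed == 1) handler. */
enum outcome process_server_record(size_t name_len, int fixed,
                                   size_t *copy_len, char *name)
{
  uint8_t stream[4 + MAX_NAME];
  uint8_t data[REC_BUF_SIZE];
  int critical, type;
  size_t length;

  if (name_len > MAX_NAME)
    return NO_RECORD;
  stream[0] = 0x80 | (REC_TYPE_SERVER >> 8);   /* critical bit set */
  stream[1] = REC_TYPE_SERVER & 0xff;
  stream[2] = (uint8_t)(name_len >> 8);
  stream[3] = (uint8_t)(name_len & 0xff);
  memset(stream + 4, 'a', name_len);

  if (!get_record(stream, 4 + name_len, &critical, &type, &length,
                  data, sizeof data) || type != REC_TYPE_SERVER)
    return NO_RECORD;
  return fixed ? handle_fixed(length, data, name, copy_len)
               : handle_vulnerable(length, copy_len);
}

/* Thin wrappers so results can be checked without managing buffers. */
enum outcome outcome_for(size_t name_len, int fixed)
{
  size_t n = 0;
  char name[NAME_BUF_SIZE];
  return process_server_record(name_len, fixed, &n, name);
}

size_t bytes_read_from_data(size_t name_len, int fixed)
{
  size_t n = 0;
  char name[NAME_BUF_SIZE];
  process_server_record(name_len, fixed, &n, name);
  return n;
}
```

With these assumed sizes a 17-byte name is accepted by the pre-fix handler, which would then copy 17 bytes out of a 16-byte processing buffer, while the post-fix handler rejects it as too long before the name-buffer check is reached; a 16-byte name is accepted by both and copied safely. The destination-size check alone can never catch this, because the truncation happened on the source side, inside the record reader.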