From: Harlan Stenn Date: Thu, 18 Dec 2014 13:14:59 +0000 (+0000) Subject: [Sec 2671] vallen in extension fields are not validated X-Git-Tag: NTP_4_2_8~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=80eb8197acf4226b38f37d7cad5fa46e2fb8db2e;p=thirdparty%2Fntp.git [Sec 2671] vallen in extension fields are not validated bk: 5492d353ncauuWt_PONxaDhC5Qv_SA --- diff --git a/ChangeLog b/ChangeLog index 3e4b51827..825c7481f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,7 @@ * [Sec 2668] buffer overflow in ctl_putdata(). * [Sec 2669] buffer overflow in configure(). * [Sec 2670] Missing return; from error clause. +* [Sec 2671] vallen in extension fields are not validated. * [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs. (4.2.7p486-RC) 2014/12/18 Released by Harlan Stenn * [Bug 2687] RefClock 26/hpgps doesn't work at default line speed diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c index e658b6405..091fcf527 100644 --- a/ntpd/ntp_proto.c +++ b/ntpd/ntp_proto.c @@ -486,7 +486,7 @@ receive( */ authlen = LEN_PKT_NOMAC; has_mac = rbufp->recv_length - authlen; - while (has_mac != 0) { + while (has_mac > 0) { u_int32 len; #ifdef AUTOKEY u_int32 hostlen; @@ -540,6 +540,14 @@ receive( } } + /* + * If has_mac is < 0 we had a malformed packet. + */ + if (has_mac < 0) { + sys_badlength++; + return; /* bad length */ + } + /* * If authentication required, a MAC must be present. */
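Review bot: in the first ntpd/ntp_proto.c hunk (receive(), the loop header changed to `while (has_mac > 0)`), the new condition only behaves differently from `!= 0` if has_mac is a signed type, and its declaration is not part of the hunk. Please confirm it is signed: with an unsigned type, `rbufp->recv_length - authlen` would wrap to a large positive value on a short packet, and both this test and the later `has_mac < 0` check would never fire. A one-line comment at the loop saying that has_mac can go negative on malformed input would make the intent clear to the next reader.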
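Review bot: in the second ntpd/ntp_proto.c hunk (the added `if (has_mac < 0)` block before the "If authentication required" comment), the length check runs only after the extension-field loop has exited, so a field whose declared length exceeds the remaining bytes is rejected only once the iteration that handled it has finished. The loop body is not shown here, but if it reads field contents before reducing has_mac, consider comparing the field length against has_mac at the top of each iteration and doing the `sys_badlength++; return;` there. Separately, the commit subject names vallen, yet neither hunk touches a vallen comparison; the commit message or the new comment should say how the has_mac check covers that case.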