From: Juergen Perlinger Date: Tue, 29 Sep 2015 21:13:13 +0000 (+0200) Subject: [TALOS-CAN-0054] memory corruption in password store X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a7a03f82aeaf98d902ee9b96bee88710bc948264;p=thirdparty%2Fntp.git [TALOS-CAN-0054] memory corruption in password store bk: 560afee95dUAWHvDs84F2ljXeZfaXQ --- diff --git a/ChangeLog b/ChangeLog index 30944996f..f2342eb21 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,6 @@ --- * [TALOS-CAN-0052] crash by loop counter underrun. perlinger@ntp.org +* [TALOS-CAN-0054] memory corruption in password store. perlinger@ntp.org * [Bug 2595] ntpdate man page quirks. Hal Murray, Harlan Stenn. * [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn. * [Bug 2817] Stop locking ntpd into memory by default under Linux. H.Stenn. diff --git a/libntp/authkeys.c b/libntp/authkeys.c index 68771ffb3..86166ff22 100644 --- a/libntp/authkeys.c +++ b/libntp/authkeys.c @@ -534,6 +534,9 @@ MD5auth_setkey( bucket = &key_hash[KEYHASH(keyno)]; for (sk = *bucket; sk != NULL; sk = sk->hlink) { if (keyno == sk->keyid) { + /* TALOS-CAN-0054: make sure we have a buffer! */ + if (NULL == sk->secret) + sk->secret = emalloc(len); sk->type = (u_short)keytype; secretsize = len; sk->secretsize = (u_short)secretsize; @@ -599,6 +602,7 @@ auth_delkeys(void) if (sk->secret != NULL) { memset(sk->secret, '\0', sk->secretsize); free(sk->secret); + sk->secret = NULL; /* TALOS-CAN-0054 */ } sk->secretsize = 0; sk->lifetime = 0;
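Review bot: In the MD5auth_setkey hunk of libntp/authkeys.c, the new `if (NULL == sk->secret)` check only covers an entry whose buffer was previously freed. When `sk->secret` is non-NULL, the existing allocation is kept while `sk->secretsize` is set to the new `len`, and nothing in the visible lines checks that the old buffer is at least `len` bytes long. If an existing key id is set again with a longer secret, any copy of `len` bytes into `sk->secret` after these lines would write past the old allocation. Consider replacing the buffer unconditionally: zero and free any existing `sk->secret` the way auth_delkeys does, then `sk->secret = emalloc(len);`.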
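Review bot: In the auth_delkeys hunk, the comment on `sk->secret = NULL;` carries only the advisory tag, so the reason for the assignment is lost to a reader who does not have the report. The surrounding lines reset `sk->secretsize` and `sk->lifetime` after the free instead of discarding the entry, so the comment should say that the pointer is cleared because the entry is kept and MD5auth_setkey now tests `sk->secret` for NULL before reusing it. Without that pairing spelled out, a later cleanup could drop either half and bring back the stale pointer.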