From: Harlan Stenn
Date: Fri, 12 Dec 2014 11:06:53 +0000 (+0000)
Subject: [Sec 2667] buffer overflow in crypto_recv()
X-Git-Tag: NTP_4_2_8~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d393a0b71a0d16297d2c0f9ac81f0acb966ab61e;p=thirdparty%2Fntp.git

[Sec 2667] buffer overflow in crypto_recv()

bk: 548acc4dN1TbM1tRJrbPcA4yc1aTdA
---

diff --git a/ChangeLog b/ChangeLog
index b21dae7d4..4ae917c14 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,4 @@
+* [Sec 2667] buffer overflow in crypto_recv().
 * [Bug 2686] refclock_gpsdjson needs strtoll(), which is not always present.
 (4.2.7p484-RC) 2014/12/11 Released by Harlan Stenn
 (4.2.7p483) 2014/12/08 Released by Harlan Stenn
diff --git a/ntpd/ntp_crypto.c b/ntpd/ntp_crypto.c
index e66d5c782..08a1c9f2b 100644
--- a/ntpd/ntp_crypto.c
+++ b/ntpd/ntp_crypto.c
@@ -820,15 +820,24 @@ crypto_recv(
 * errors.
 */
 if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
+ u_int32 *cookiebuf = malloc(
+ RSA_size(host_pkey->pkey.rsa));
+ if (!cookiebuf) {
+ rval = XEVNT_CKY;
+ break;
+ }
+
 if (RSA_private_decrypt(vallen,
 (u_char *)ep->pkt,
- (u_char *)&temp32,
+ (u_char *)cookiebuf,
 host_pkey->pkey.rsa,
- RSA_PKCS1_OAEP_PADDING) <= 0) {
+ RSA_PKCS1_OAEP_PADDING) != 4) {
 rval = XEVNT_CKY;
+ free(cookiebuf);
 break;
 } else {
- cookie = ntohl(temp32);
+ cookie = ntohl(*cookiebuf);
+ free(cookiebuf);
 }
 } else {
 rval = XEVNT_CKY;
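Review bot: The new length check `RSA_PKCS1_OAEP_PADDING) != 4) {` in the ntp_crypto.c hunk hard-codes the cookie size that `ntohl(*cookiebuf)` then reads; writing it as `RSA_PKCS1_OAEP_PADDING) != (int)sizeof(*cookiebuf)) {` ties the accepted plaintext length to the object being dereferenced. The code also does not say why the output moved to the heap: RSA_private_decrypt() writes however many plaintext bytes the sender encrypted, up to a limit set by the key size rather than by the caller, so a comment above the malloc such as `/* plaintext length is sender-controlled, up to RSA_size(); never decrypt into a fixed-size object */` would keep a later cleanup from reintroducing a 4-byte target. Both `free(cookiebuf);` calls release decrypted material without wiping it, which could be tightened by calling `OPENSSL_cleanse(cookiebuf, RSA_size(host_pkey->pkey.rsa));` before each one. The body of crypto_recv() starts and ends outside the hunk, so whether `temp32` is still used elsewhere cannot be confirmed from here.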