From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Mon, 20 Jul 2020 11:38:22 +0000 (+0200)
Subject: nts: don't allow malformed encrypted extension fields
X-Git-Tag: 4.0-pre3~43
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fd8fbcd090fdf9623721ac672b320b21f6cf286e;p=thirdparty%2Fchrony.git

nts: don't allow malformed encrypted extension fields

Require data decrypted from the NTS authenticator field to contain
correctly formatted extension fields (known or unknown).
---

diff --git a/nts_ntp_client.c b/nts_ntp_client.c
index 7ac66902..31c0960d 100644
--- a/nts_ntp_client.c
+++ b/nts_ntp_client.c
@@ -352,8 +352,10 @@ extract_cookies(NNC_Instance inst, unsigned char *plaintext, int length)
 
   for (parsed = 0; parsed < length; parsed += ef_length) {
     if (!NEF_ParseSingleField(plaintext, length, parsed,
-                              &ef_length, &ef_type, &ef_body, &ef_body_length))
-      break;
+                              &ef_length, &ef_type, &ef_body, &ef_body_length)) {
+      DEBUG_LOG("Could not parse encrypted EF");
+      return 0;
+    }
 
     if (ef_type != NTP_EF_NTS_COOKIE)
       continue;
diff --git a/nts_ntp_server.c b/nts_ntp_server.c
index c0d3e06e..6ab8fb90 100644
--- a/nts_ntp_server.c
+++ b/nts_ntp_server.c
@@ -176,8 +176,10 @@ NNS_CheckRequestAuth(NTP_Packet *packet, NTP_PacketInfo *info, uint32_t *kod)
 
   for (parsed = 0; parsed < plaintext_length; parsed += ef_length) {
     if (!NEF_ParseSingleField(plaintext, plaintext_length, parsed,
-                              &ef_length, &ef_type, &ef_body, &ef_body_length))
-      break;
+                              &ef_length, &ef_type, &ef_body, &ef_body_length)) {
+      DEBUG_LOG("Could not parse encrypted EF");
+      return 0;
+    }
 
     switch (ef_type) {
       case NTP_EF_NTS_COOKIE_PLACEHOLDER: