From: Miroslav Lichvar Date: Tue, 21 Jan 2014 17:45:56 +0000 (+0100) Subject: Don't read uninitialized memory in client packet length check X-Git-Tag: 1.30-pre1~141 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2fc3525fdf5c1da73eefeebcd7280c4404d5fd5f;p=thirdparty%2Fchrony.git Don't read uninitialized memory in client packet length check Before calling PKL_ReplyLength() check that the packet has full header. This didn't change the outcome of the test if the packet was shorter as the invalid result from PKL_ReplyLength() was either larger than length of the packet or smaller than header length, failing the length check in both cases. --- diff --git a/client.c b/client.c index 8ce3f457..b0939a27 100644 --- a/client.c +++ b/client.c @@ -1366,7 +1366,11 @@ submit_request(CMD_Request *request, CMD_Reply *reply, int *reply_auth_ok) } else { read_length = recvfrom_status; - expected_length = PKL_ReplyLength(reply); + if (read_length >= offsetof(CMD_Reply, data)) { + expected_length = PKL_ReplyLength(reply); + } else { + expected_length = 0; + } bad_length = (read_length < expected_length || expected_length < offsetof(CMD_Reply, data));
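Review bot: the short-packet branch (`expected_length = 0;`) relies on the second clause of the unchanged `bad_length` expression, `expected_length < offsetof(CMD_Reply, data)`, to mark the reply as bad; the first clause `read_length < expected_length` is false for 0, so the rejection only works because of that coupling, which is easy to break if the `bad_length` test is later reordered. Consider a one-line comment on the `else` branch saying the 0 is chosen to fail the header-length clause, or set `bad_length` explicitly in that branch (e.g. `bad_length = 1;`) so the guard does not depend on a later condition. The guard itself is right: `PKL_ReplyLength(reply)` is only called once `read_length >= offsetof(CMD_Reply, data)`, so the header fields it inspects are within the bytes recvfrom actually wrote, which is the uninitialized read the subject line refers to.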