Yo Hal!

> Hal Murray pushed to branch master at NTPsec / ntpsec

+  for (i = 0; i < inlen; i += in[i]) {
+    if (in[i] == alpn[0] && !memcmp(&in[i+1], &alpn[1], alpn[0])) {

Buffer overrun!

alpn[0] is always 7, so the length of the memcmp() is always 7.

i can be 0 to (inlen - 1).

When i is (inlen - 1) the buffer in[] will be overrun by 7.

Maybe not normally, but easy for a malicious user packet.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
        g...@rellim.com  Tel:+1 541 382 8588

            Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin

Hal Murray pushed to branch master at NTPsec / ntpsec

Commits:

  • 8eecdfb8
    by Christer Weinigel at 2019-06-25T17:00:33Z
    Use ALPN for the NTS server.
    
    The NTS draft requires the use of ALPN for protocol negotiation.
    Add support for ALPN to nts_server.c
    

1 changed file:

Changes:

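--- a/ntpd/nts_server.c
+++ b/ntpd/nts_server.c
@@ -47,6 +47,31 @@ uint64_t nts_ke_serves_bad = 0;
 uint64_t nts_ke_probes_good = 0;
 uint64_t nts_ke_probes_bad = 0;
 
+#if (OPENSSL_VERSION_NUMBER > 0x1000200fL)
+static int alpn_select_cb(SSL *ssl,
+			  const unsigned char **out,
+			  unsigned char *outlen,
+			  const unsigned char *in,
+			  unsigned int inlen,
+			  void *arg)
+{
+  static const unsigned char alpn[] = { 7, 'n', 't', 's', 'k', 'e', '/', '1' };
+  unsigned i;
+
+  (void)ssl;
+  (void)arg;
+
+  for (i = 0; i < inlen; i += in[i]) {
+    if (in[i] == alpn[0] && !memcmp(&in[i+1], &alpn[1], alpn[0])) {
+      *outlen = in[i];
+      *out = &in[i+1];
+      return SSL_TLSEXT_ERR_OK;
+    }
+  }
+
+  return SSL_TLSEXT_ERR_NOACK;
+}
+#endif
 
 bool nts_server_init(void) {
     bool ok = true;
@@ -67,6 +92,10 @@ bool nts_server_init(void) {
       return false;
     }
 
+#if (OPENSSL_VERSION_NUMBER > 0x1000200fL)
+    SSL_CTX_set_alpn_select_cb(server_ctx, alpn_select_cb, NULL);
+#endif
+
     SSL_CTX_set_session_cache_mode(server_ctx, SSL_SESS_CACHE_OFF);
 
     ok &= nts_load_versions(server_ctx);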
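Review bot: The loop stride in alpn_select_cb advances by the wrong amount: each ALPN entry is a length byte followed by that many name bytes, so after an entry of length in[i] the next length byte sits at i + 1 + in[i], but the loop header uses `i += in[i]` and lands on the last name byte instead. A client that lists another protocol ahead of ntske/1 is therefore not reliably matched, and an entry whose length byte is 0 would stop i from advancing at all. Change the increment to `for (i = 0; i < inlen; i += 1 + in[i]) {`. Alternatively, OpenSSL's SSL_select_next_proto() already performs this length-prefixed search over the client list and could replace the hand-rolled loop.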
    
