Yo Hal! > Hal Murray pushed to branch master at NTPsec / ntpsec
+ for (i = 0; i < inlen; i += in[i]) { + if (in[i] == alpn[0] && !memcmp(&in[i+1], &alpn[1], alpn[0])) { Buffer overrun! alpn[0] is always 7, so the length of the memcmp() is always 7. i can be 0 to (inlen - 1). When i is (ilen - 1) the buffer in[] will be overrun by 7. Maybe not normally, but eassy for a malicious user packet. RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703 g...@rellim.com Tel:+1 541 382 8588 Veritas liberabit vos. -- Quid est veritas? "If you can’t measure it, you can’t improve it." - Lord KelvinTitle: GitLab
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
-
8eecdfb8
by Christer Weinigel at 2019-06-25T17:00:33Z
1 changed file:
Changes:
... | ... | @@ -47,6 +47,31 @@ uint64_t nts_ke_serves_bad = 0; |
47 | 47 |
uint64_t nts_ke_probes_good = 0;
|
48 | 48 |
uint64_t nts_ke_probes_bad = 0;
|
49 | 49 |
|
50 |
+#if (OPENSSL_VERSION_NUMBER > 0x1000200fL)
|
|
51 |
+static int alpn_select_cb(SSL *ssl,
|
|
52 |
+ const unsigned char **out,
|
|
53 |
+ unsigned char *outlen,
|
|
54 |
+ const unsigned char *in,
|
|
55 |
+ unsigned int inlen,
|
|
56 |
+ void *arg)
|
|
57 |
+{
|
|
58 |
+ static const unsigned char alpn[] = { 7, 'n', 't', 's', 'k', 'e', '/', '1' };
|
|
59 |
+ unsigned i;
|
|
60 |
+ |
|
61 |
+ (void)ssl;
|
|
62 |
+ (void)arg;
|
|
63 |
+ |
|
64 |
+ for (i = 0; i < inlen; i += in[i]) {
|
|
65 |
+ if (in[i] == alpn[0] && !memcmp(&in[i+1], &alpn[1], alpn[0])) {
|
|
66 |
+ *outlen = in[i];
|
|
67 |
+ *out = &in[i+1];
|
|
68 |
+ return SSL_TLSEXT_ERR_OK;
|
|
69 |
+ }
|
|
70 |
+ }
|
|
71 |
+ |
|
72 |
+ return SSL_TLSEXT_ERR_NOACK;
|
|
73 |
+}
|
|
74 |
+#endif
|
|
50 | 75 |
|
51 | 76 |
bool nts_server_init(void) {
|
52 | 77 |
bool ok = true;
|
... | ... | @@ -67,6 +92,10 @@ bool nts_server_init(void) { |
67 | 92 |
return false;
|
68 | 93 |
}
|
69 | 94 |
|
95 |
+#if (OPENSSL_VERSION_NUMBER > 0x1000200fL)
|
|
96 |
+ SSL_CTX_set_alpn_select_cb(server_ctx, alpn_select_cb, NULL);
|
|
97 |
+#endif
|
|
98 |
+ |
|
70 | 99 |
SSL_CTX_set_session_cache_mode(server_ctx, SSL_SESS_CACHE_OFF);
|
71 | 100 |
|
72 | 101 |
ok &= nts_load_versions(server_ctx);
|
_______________________________________________ vc mailing list v...@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/vc
pgpfQ7Z7GQ1dC.pgp
Description: OpenPGP digital signature
_______________________________________________ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel