[ntp/f19] fix buffer overflows via specially-crafted packets (CVE-2014-9295)
Miroslav Lichvar
mlichvar at fedoraproject.org
Fri Dec 19 19:01:19 UTC 2014
commit cb964d257242fc7b40172c384f2481b9db004f48
Author: Miroslav Lichvar <mlichvar at redhat.com>
Date: Fri Dec 19 19:42:47 2014 +0100
fix buffer overflows via specially-crafted packets (CVE-2014-9295)
ntp-4.2.6p5-cve-2014-9295.patch | 110 +++++++++++++++++++++++++++++++++++++++
ntp.spec | 3 +
2 files changed, 113 insertions(+), 0 deletions(-)
---
diff --git a/ntp-4.2.6p5-cve-2014-9295.patch b/ntp-4.2.6p5-cve-2014-9295.patch
new file mode 100644
index 0000000..97fcc3a
--- /dev/null
+++ b/ntp-4.2.6p5-cve-2014-9295.patch
@@ -0,0 +1,110 @@
+2014-12-12 11:06:03+00:00, stenn at psp-fb1.ntp.org +12 -3
+ [Sec 2667] buffer overflow in crypto_recv()
+
+--- 1.168/ntpd/ntp_crypto.c 2014-11-15 04:41:02 +00:00
++++ 1.169/ntpd/ntp_crypto.c 2014-12-12 11:06:03 +00:00
+@@ -820,15 +820,24 @@ crypto_recv(
+ * errors.
+ */
+ if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
++ u_int32 *cookiebuf = malloc(
++ RSA_size(host_pkey->pkey.rsa));
++ if (!cookiebuf) {
++ rval = XEVNT_CKY;
++ break;
++ }
++
+ if (RSA_private_decrypt(vallen,
+ (u_char *)ep->pkt,
+- (u_char *)&temp32,
++ (u_char *)cookiebuf,
+ host_pkey->pkey.rsa,
+- RSA_PKCS1_OAEP_PADDING) <= 0) {
++ RSA_PKCS1_OAEP_PADDING) != 4) {
+ rval = XEVNT_CKY;
++ free(cookiebuf);
+ break;
+ } else {
+- cookie = ntohl(temp32);
++ cookie = ntohl(*cookiebuf);
++ free(cookiebuf);
+ }
+ } else {
+ rval = XEVNT_CKY;
+
+2014-12-12 11:13:40+00:00, stenn at psp-fb1.ntp.org +16 -1
+ [Sec 2668] buffer overflow in ctl_putdata()
+
+--- 1.190/ntpd/ntp_control.c 2014-11-15 04:41:02 +00:00
++++ 1.191/ntpd/ntp_control.c 2014-12-12 11:13:40 +00:00
+@@ -801,6 +801,10 @@ static char *reqend;
+ static char *reqpt;
+ static char *reqend;
+
++#ifndef MIN
++#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
++#endif
++
+ /*
+ * init_control - initialize request data
+ */
+@@ -1316,6 +1320,7 @@ ctl_putdata(
+ )
+ {
+ int overhead;
++ unsigned int currentlen;
+
+ overhead = 0;
+ if (!bin) {
+@@ -1338,12 +1343,22 @@ ctl_putdata(
+ /*
+ * Save room for trailing junk
+ */
+- if (dlen + overhead + datapt > dataend) {
++ while (dlen + overhead + datapt > dataend) {
+ /*
+ * Not enough room in this one, flush it out.
+ */
++ currentlen = MIN(dlen, dataend - datapt);
++
++ memcpy(datapt, dp, currentlen);
++
++ datapt += currentlen;
++ dp += currentlen;
++ dlen -= currentlen;
++ datalinelen += currentlen;
++
+ ctl_flushpkt(CTL_MORE);
+ }
++
+ memmove((char *)datapt, dp, (unsigned)dlen);
+ datapt += dlen;
+ datalinelen += dlen;
+
+2014-12-12 11:19:37+00:00, stenn at psp-fb1.ntp.org +14 -0
+ [Sec 2669] buffer overflow in configure()
+
+--- 1.191/ntpd/ntp_control.c 2014-12-12 11:13:40 +00:00
++++ 1.192/ntpd/ntp_control.c 2014-12-12 11:19:37 +00:00
+@@ -3290,6 +3290,20 @@ static void configure(
+
+ /* Initialize the remote config buffer */
+ data_count = reqend - reqpt;
++
++ if (data_count > sizeof(remote_config.buffer) - 2) {
++ snprintf(remote_config.err_msg,
++ sizeof(remote_config.err_msg),
++ "runtime configuration failed: request too long");
++ ctl_putdata(remote_config.err_msg,
++ strlen(remote_config.err_msg), 0);
++ ctl_flushpkt(0);
++ msyslog(LOG_NOTICE,
++ "runtime config from %s rejected: request too long",
++ stoa(&rbufp->recv_srcadr));
++ return;
++ }
++
+ memcpy(remote_config.buffer, reqpt, data_count);
+ if (data_count > 0
+ && '\n' != remote_config.buffer[data_count - 1])
+
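Review bot: In the ctl_putdata() part of the patch, `currentlen = MIN(dlen, dataend - datapt)` compares the `unsigned int` `dlen` against a `ptrdiff_t`, and a negative difference would not be clamped — it either compares as a huge unsigned value or is selected and then stored into the unsigned `currentlen` — so if `datapt` ever sat past `dataend` the `memcpy` would overrun the very packet buffer the loop now guards. That state looks unreachable here, since the loop flushes whenever the data plus `overhead` would not fit and the flush presumably resets `datapt`, but the invariant is worth spelling out rather than relying on conversion rules, e.g. `currentlen = MIN(dlen, (unsigned int)(dataend - datapt));` preceded by an INSIST/assert-style check that `datapt <= dataend`. A smaller point: the new loop copies with `memcpy` while the final copy kept `memmove`; `dp` presumably never aliases the packet buffer, so one idiom for both would read more consistently. In the configure() part, the `- 2` in `data_count > sizeof(remote_config.buffer) - 2` deserves a comment such as `/* leave room for the '\n' appended below and the terminating NUL */`, since only the newline append is visible in this hunk. All three patched functions begin and end outside the quoted context.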
diff --git a/ntp.spec b/ntp.spec
index ac9eba3..3029fdd 100644
--- a/ntp.spec
+++ b/ntp.spec
@@ -91,6 +91,8 @@ Patch20: ntp-4.2.6p5-noservres.patch
Patch24: ntp-4.2.6p5-cve-2014-9294.patch
# ntpbz #2665
Patch25: ntp-4.2.6p5-cve-2014-9293.patch
+# ntpbz #2667
+Patch26: ntp-4.2.6p5-cve-2014-9295.patch
# handle unknown clock types
Patch50: ntpstat-0.2-clksrc.patch
@@ -201,6 +203,7 @@ This package contains NTP documentation in HTML format.
%patch20 -p1 -b .noservres
%patch24 -p1 -b .cve-2014-9294
%patch25 -p1 -b .cve-2014-9293
+%patch26 -p1 -b .cve-2014-9295
# ntpstat patches
%patch50 -p1 -b .clksrc