In ntpdate.c around line 542 (4.2.4p4) is the sequence

    if (!authistrusted(sys_authkey)) {
        char buf[10];
        (void) sprintf(buf, "%lu", (unsigned long)sys_authkey);
        msyslog(LOG_ERR, "authentication key %s unknown", buf);
        exit(1);
    }

Since unsigned long does not have a definite length on all machines, and with
the trailing zero certainly is potentially longer than 10 bytes, that buf is
ripe for buffer overflow.

It should be something like

    char buf[(sizeof(unsigned long)*12/5+2)];

And/or the sprintf should be an snprintf.
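
The sizing and the bounded call suggested above, as an added example that is not part of the original post or of the NTP source: it checks the proposed buffer size against the worst-case value and shows snprintf reporting truncation with a 10-byte buffer. The names ULONG_DEC_BUFSZ, ulong_dec_needed and format_ulong are hypothetical.

```c
#include <limits.h>
#include <stdio.h>

/* Buffer size from the post: about 2.4 decimal digits per byte, plus
 * one for rounding and one for the terminating NUL.
 * (Macro name is hypothetical, not from ntpdate.c.) */
#define ULONG_DEC_BUFSZ (sizeof(unsigned long) * 12 / 5 + 2)

/* Bytes needed (including NUL) to print v with "%lu".
 * C99 snprintf with size 0 writes nothing and returns the length. */
static size_t ulong_dec_needed(unsigned long v)
{
    int n = snprintf(NULL, 0, "%lu", v);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded formatting: returns 0 on success, -1 if dst is too small
 * or on an output error. Never writes more than dstlen bytes. */
static int format_ulong(char *dst, size_t dstlen, unsigned long v)
{
    int n = snprintf(dst, dstlen, "%lu", v);
    return (n < 0 || (size_t)n >= dstlen) ? -1 : 0;
}

int main(void)
{
    char small[10];                 /* size used in the quoted code */
    char sized[ULONG_DEC_BUFSZ];    /* size proposed in the post */
    unsigned long key = ULONG_MAX;  /* constructed worst-case value */

    printf("need %zu bytes, small=%zu, sized=%zu\n",
           ulong_dec_needed(key), sizeof small, sizeof sized);

    /* With snprintf the short buffer is truncated, not overrun. */
    if (format_ulong(small, sizeof small, key) != 0)
        printf("char[10]: truncated to \"%s\"\n", small);

    if (format_ulong(sized, sizeof sized, key) == 0)
        printf("sized buffer: \"%s\"\n", sized);
    return 0;
}
```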