Unruh <[EMAIL PROTECTED]> writes:
> In ntpdate.c around line 542 (4.2.4p4) is the sequence
> if (!authistrusted(sys_authkey)) {
> char buf[10];
>
> (void) sprintf(buf, "%lu", (unsigned long)sys_authkey);
> msyslog(LOG_ERR, "authentication key %s unknown", buf);
Is that too simple?
    msyslog(LOG_ERR, "authentication key %lu unknown",
            (unsigned long)sys_authkey);
> exit(1);
> }
>
> Since unsigned long does not have a definite length on all machines, and
> with the trailing zero certainly is potentially longer than 10 bytes, that
> buf is ripe for buffer overflow.
> It should be something like
> char buf[(sizeof(unsigned long)*12/5+2)];
> And/or the sprintf should be an snprintf.
_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.org/mailman/listinfo/questions
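
The sizing argument in the quoted message, as an added example that is not part of the original thread or of the ntp source: it formats ULONG_MAX into the 10-byte buffer and into a buffer sized with the proposed formula, using snprintf so the short buffer is truncated instead of overrun. The names KEYBUF_LEN, ulong_digits and format_key are hypothetical.

```c
/* Added example, not ntpdate source. KEYBUF_LEN, ulong_digits and
 * format_key are hypothetical names chosen for this illustration. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Sizing proposed in the message: about 2.4 decimal digits per byte
 * (12/5), plus room for rounding and the terminating NUL. */
#define KEYBUF_LEN (sizeof(unsigned long) * 12 / 5 + 2)

/* Number of decimal digits needed to print v. */
static size_t ulong_digits(unsigned long v)
{
    size_t n = 1;
    while (v >= 10) {
        v /= 10;
        n++;
    }
    return n;
}

/* Bounded replacement for the sprintf call. Returns 0 on success and -1
 * if the text did not fit; buf is NUL-terminated whenever len > 0. */
static int format_key(char *buf, size_t len, unsigned long key)
{
    int n = snprintf(buf, len, "%lu", key);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    char small[10];          /* size used in the quoted code */
    char sized[KEYBUF_LEN];  /* size proposed in the message */

    printf("ULONG_MAX needs %zu bytes, KEYBUF_LEN is %zu\n",
           ulong_digits(ULONG_MAX) + 1, (size_t)KEYBUF_LEN);
    printf("char[10]:   %s\n",
           format_key(small, sizeof small, ULONG_MAX) ? "truncated" : "fits");
    printf("KEYBUF_LEN: %s\n",
           format_key(sized, sizeof sized, ULONG_MAX) ? "truncated" : "fits");
    return 0;
}
```

Even with a 32-bit unsigned long, ULONG_MAX is 4294967295, which is ten digits plus the NUL, so any key of 1000000000 or more already needs 11 bytes.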