Subject: Re: (x)ntp msyslog.c buffer overflow
From: Chris Evans (chrisscary.beasts.org)
Date: Tue Sep 26 2000 - 17:38:53 CDT


On Tue, 26 Sep 2000, Jarno Huuskonen wrote:

> Hi,
>
> Has anyone taken a look at xntp3/ntp-4.0.99k ?
>
> After a brief look I found a buffer overflow in libntp/msyslog.c.
> The code uses vsprintf on a 1025 byte buffer.
> Quick way to test this is to run ntpdate `perl -e "print 'A'x10000"`

I sort of spotted this the other day when scanning for a few format string
bugs.

The RedHat7.0 package for "ntp" comes with:

ntp-4.0.99j-vsnprintf.patch:
--- ntp-4.0.99j/libntp/msyslog.c.vsnprintf Wed Aug 23 13:04:18 2000
+++ ntp-4.0.99j/libntp/msyslog.c Wed Aug 23 13:06:05 2000
-126,7 +126,8
            *n++ = '\n';
        *n = '\0';
 
- vsprintf(buf, nfmt, ap);
+ vsnprintf(buf, sizeof(buf), nfmt, ap);
+ buf[sizeof(buf)-1] = '\0';
 #if !defined(VMS) && !defined (SYS_VXWORKS)
        if (syslogit)
 #ifndef SYS_WINNT
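Review bot: the return value of vsnprintf is discarded in `+ vsnprintf(buf, sizeof(buf), nfmt, ap);`, so an over-long message is now silently truncated rather than overflowing; capture the return value and compare it against sizeof(buf) so that truncation can at least be flagged in the logged line. The added `+ buf[sizeof(buf)-1] = '\0';` is worth keeping, since older vsnprintf implementations did not guarantee NUL termination on truncation, but sizeof(buf) only gives the buffer length if `buf` is a local array in this function rather than a pointer, which the hunk does not show.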
ntp-4.0.99j-vsnprintf.patch (END)

Hopefully someone told the ntp maintainer(s)?

Cheers
Chris
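As an added example (not code from this thread or from the ntp sources), the msyslog fix carried one step further: a bounded formatting helper that also reports truncation, exercised with a 10000-byte hostname like Jarno's ntpdate test. The function names and the message text are my own assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOGBUF_SIZE 1025  /* fixed-size buffer, as in libntp/msyslog.c */

struct log_result { int truncated; size_t len; };

/* Bounded replacement for the vsprintf() call: vsnprintf() limits the write,
 * the last byte is forced to NUL for pre-C99 libcs that do not terminate on
 * truncation, and the return value is checked so truncation is reported
 * instead of silently dropped. Returns 1 if truncated, 0 if not, -1 on error. */
int format_log_line(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(buf, bufsz, fmt, ap);
    va_end(ap);
    buf[bufsz - 1] = '\0';
    if (n < 0)
        return -1;
    return (size_t)n >= bufsz;
}

/* Formats a hypothetical lookup-failure message (message text is my own, not
 * ntpdate's) for the given hostname and reports what happened. */
struct log_result log_host_lookup(const char *host)
{
    char buf[LOGBUF_SIZE];
    struct log_result r;
    r.truncated = format_log_line(buf, sizeof(buf), "can't find host %s", host);
    r.len = strlen(buf);
    return r;
}

/* Constructed input mirroring the thread's test: a 10000-byte hostname. */
struct log_result demo_oversized_host(void)
{
    char *host = malloc(10001);
    struct log_result r;
    if (!host) { r.truncated = -1; r.len = 0; return r; }
    memset(host, 'A', 10000);
    host[10000] = '\0';
    r = log_host_lookup(host);
    free(host);
    return r;
}
```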