From 7925ed39b81f394083e939c96d18a652f977d315 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Tue, 27 Apr 2021 11:18:04 +0200
Subject: [PATCH] nts: fix handling of long server negotiation record

Recent change in handling of the NTPv4 server negotiation record (commit 754097944be2) increased the length of the instance name buffer to make room for the trailing dot. This allowed a record with body truncated in the processing buffer to be accepted and caused an over-read of 1 byte in the memcpy() call saving the name to the instance buffer.

Modify the client to accept only records that fit in the processing buffer.

Fixes: 754097944be2 ("nts: handle negotiated server as FQDN")
---
 nts_ke_client.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/nts_ke_client.c b/nts_ke_client.c
index 877d1c8..89dc6fe 100644
--- a/nts_ke_client.c
+++ b/nts_ke_client.c
@@ -141,6 +141,12 @@ process_response(NKC_Instance inst)
 if (!NKSN_GetRecord(inst->session, &critical, &type, &length, &data, sizeof (data)))
 break;
 
+ if (length > sizeof (data)) {
+ DEBUG_LOG("Record too long type=%d length=%d", type, length);
+ error = 1;
+ break;
+ }
+
 switch (type) {
 case NKE_RECORD_NEXT_PROTOCOL:
 if (!critical || length != 2 || ntohs(data[0]) != NKE_NEXT_PROTOCOL_NTPV4) {
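Review bot: The new guard compares `length` with `sizeof (data)`, but the hunk does not show how `length` is declared; if it is a plain `int`, as the `%d` in the DEBUG_LOG suggests, the comparison is signed/unsigned (`-Wsign-compare` will flag it) and a negative value would slip past the check, so it is worth confirming that NKSN_GetRecord can never report a negative length or rewriting the test as `if (length < 0 || (size_t)length > sizeof (data))`. Since the reason for the rejection lives only in the commit message, a one-line comment above the guard would help later readers, e.g. `/* NKSN_GetRecord() truncates a longer body to fit data; the per-type handlers below assume the whole record is present */`. The body of process_response starts before and continues after this hunk.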