nts: fix handling of long server negotiation record
A recent change in handling of the NTPv4 server negotiation record (commit 754097944b) increased the length of the instance name buffer to make room for the trailing dot. This allowed a record with body truncated in the processing buffer to be accepted and caused an over-read of 1 byte in the memcpy() call saving the name to the instance buffer. Modify the client to accept only records that fit in the processing buffer.
Fixes: 754097944b ("nts: handle negotiated server as FQDN")
parent
9d869d8709
commit
7925ed39b8
1 changed files with 6 additions and 0 deletions
|
@ -141,6 +141,12 @@ process_response(NKC_Instance inst)
|
||||||
if (!NKSN_GetRecord(inst->session, &critical, &type, &length, &data, sizeof (data)))
|
if (!NKSN_GetRecord(inst->session, &critical, &type, &length, &data, sizeof (data)))
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
if (length > sizeof (data)) {
|
||||||
|
DEBUG_LOG("Record too long type=%d length=%d", type, length);
|
||||||
|
error = 1;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
switch (type) {
|
switch (type) {
|
||||||
case NKE_RECORD_NEXT_PROTOCOL:
|
case NKE_RECORD_NEXT_PROTOCOL:
|
||||||
if (!critical || length != 2 || ntohs(data[0]) != NKE_NEXT_PROTOCOL_NTPV4) {
|
if (!critical || length != 2 || ntohs(data[0]) != NKE_NEXT_PROTOCOL_NTPV4) {
|
||||||
|
|
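Review bot: The new `length > sizeof (data)` check sets `error = 1` for every over-long record, without looking at `type` or the `critical` flag that NKSN_GetRecord() has just returned, so a long record of a type this client does not process at all would still fail the whole response. If unknown non-critical records are meant to be skipped (not visible in this hunk), consider failing only for critical ones, e.g. `if (critical) error = 1;`, and skipping the record otherwise; adding `critical=%d` to the DEBUG_LOG would make such rejections easier to diagnose. A short comment above the check, such as `/* The body may have been truncated to sizeof (data); length is the full record length */`, would record why it must come before any use of `data`; that reading is taken from the commit description, since NKSN_GetRecord() itself is outside the hunk. process_response() starts and ends outside the hunk.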