DWS/chrony
1
0
Fork 0
mirror of https://gitlab.com/chrony/chrony.git synced 2025-12-03 18:35:06 -05:00
Code Issues Packages Projects Releases Wiki Activity

pktlength: handle truncated MANUAL_LIST reply

Browse Source 
Before reading the n_samples field of the MANUAL_LIST reply, check if it
is actually contained in the received message. This does not change the
outcome of the client's length check as the returned length was always
larger than the length of the truncated reply and it was dropped anyway,
but it prevents the client from reading uninitialized memory.
This commit is contained in:
Miroslav Lichvar
2018-02-15 17:29:40 +01:00
parent 45f27f4f5e
commit 2343e7a89c
4 changed files with 12 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cmdmon.c
View File

@@ -279,7 +279,7 @@ do_size_checks(void)
reply.reply = htons(i);
reply.status = STT_SUCCESS;
reply.data.manual_list.n_samples = htonl(MAX_MANUAL_LIST_SAMPLES);
reply_length = PKL_ReplyLength(&reply);
reply_length = PKL_ReplyLength(&reply, sizeof (reply));
if ((reply_length && reply_length < offsetof(CMD_Reply, data)) ||
reply_length > sizeof (CMD_Reply))
assert(0);
@@ -393,7 +393,7 @@ transmit_reply(CMD_Reply *msg, union sockaddr_all *where_to)
assert(0);
}
tx_message_length = PKL_ReplyLength(msg);
tx_message_length = PKL_ReplyLength(msg, sizeof (*msg));
status = sendto(sock_fd, (void *) msg, tx_message_length, 0,
&where_to->sa, addrlen);