nts: don't allow malformed encrypted extension fields

Require data decrypted from the NTS authenticator field to contain correctly formatted extension fields (known or unknown).
2025-12-03 16:35:06 -05:00 · 2020-07-20 13:38:22 +02:00
parent 77bd0f83fe
commit fd8fbcd090
2 changed files with 8 additions and 4 deletions
--- a/nts_ntp_server.c
+++ b/nts_ntp_server.c
@@ -176,8 +176,10 @@ NNS_CheckRequestAuth(NTP_Packet *packet, NTP_PacketInfo *info, uint32_t *kod)

  for (parsed = 0; parsed < plaintext_length; parsed += ef_length) {
    if (!NEF_ParseSingleField(plaintext, plaintext_length, parsed,
-                              &ef_length, &ef_type, &ef_body, &ef_body_length))
-      break;
+                              &ef_length, &ef_type, &ef_body, &ef_body_length)) {
+      DEBUG_LOG("Could not parse encrypted EF");
+      return 0;
+    }

    switch (ef_type) {
      case NTP_EF_NTS_COOKIE_PLACEHOLDER: