Blame SOURCES/ntp-4.2.6p5-cve-2014-9297.patch

6d3098
http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=54abb266In81wLNAqIaovtP8f2UmUw
6d3098
http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=54a7c595jlwS3KmAxBML75HFGLR_pQ
6d3098
http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=5492d353ncauuWt_PONxaDhC5Qv_SA
6d3098
6d3098
diff -up ntp-4.2.6p5/ntpd/ntp_crypto.c.cve-2014-9297 ntp-4.2.6p5/ntpd/ntp_crypto.c
6d3098
--- ntp-4.2.6p5/ntpd/ntp_crypto.c.cve-2014-9297	2015-02-04 11:37:44.488673076 +0100
6d3098
+++ ntp-4.2.6p5/ntpd/ntp_crypto.c	2015-02-04 11:37:44.491673082 +0100
6d3098
@@ -109,6 +109,7 @@
6d3098
 #define TAI_1972	10	/* initial TAI offset (s) */
6d3098
 #define MAX_LEAP	100	/* max UTC leapseconds (s) */
6d3098
 #define VALUE_LEN	(6 * 4) /* min response field length */
6d3098
+#define MAX_VALLEN	(65535 - VALUE_LEN)
6d3098
 #define YEAR		(60 * 60 * 24 * 365) /* seconds in year */
6d3098
 
6d3098
 /*
6d3098
@@ -147,8 +148,8 @@ static char *rand_file = NULL;	/* random
6d3098
  */
6d3098
 static	int	crypto_verify	(struct exten *, struct value *,
6d3098
 				    struct peer *);
6d3098
-static	int	crypto_encrypt	(struct exten *, struct value *,
6d3098
-				    keyid_t *);
6d3098
+static	int	crypto_encrypt	(const u_char *, u_int, keyid_t *,
6d3098
+				    struct value *);
6d3098
 static	int	crypto_alice	(struct peer *, struct value *);
6d3098
 static	int	crypto_alice2	(struct peer *, struct value *);
6d3098
 static	int	crypto_alice3	(struct peer *, struct value *);
6d3098
@@ -444,6 +445,12 @@ crypto_recv(
6d3098
 			tstamp = ntohl(ep->tstamp);
6d3098
 			fstamp = ntohl(ep->fstamp);
6d3098
 			vallen = ntohl(ep->vallen);
6d3098
+			/*
6d3098
+			 * Bug 2761: I hope this isn't too early...
6d3098
+			 */
6d3098
+			if (   vallen == 0
6d3098
+			    || len - VALUE_LEN < vallen)
6d3098
+				return XEVNT_LEN;
6d3098
 		}
6d3098
 		switch (code) {
6d3098
 
6d3098
@@ -494,8 +501,9 @@ crypto_recv(
6d3098
 					rval = XEVNT_ERR;
6d3098
 				break;
6d3098
 			}
6d3098
+			INSIST(len >= VALUE_LEN);
6d3098
 			if (vallen == 0 || vallen > MAXHOSTNAME ||
6d3098
-			    len < VALUE_LEN + vallen) {
6d3098
+			    len - VALUE_LEN < vallen) {
6d3098
 				rval = XEVNT_LEN;
6d3098
 				break;
6d3098
 			}
6d3098
@@ -1162,11 +1170,11 @@ crypto_xmit(
6d3098
 	 * choice. 
6d3098
 	 */
6d3098
 	case CRYPTO_CERT | CRYPTO_RESP:
6d3098
-		vallen = ntohl(ep->vallen);
6d3098
-		if (vallen == 0 || vallen > MAXHOSTNAME) {
6d3098
+		vallen = ntohl(ep->vallen);	/* Must be <64k */
6d3098
+		if (vallen == 0 || vallen > MAXHOSTNAME ||
6d3098
+		    len - VALUE_LEN < vallen) {
6d3098
 			rval = XEVNT_LEN;
6d3098
 			break;
6d3098
-
6d3098
 		} else {
6d3098
 			memcpy(certname, ep->pkt, vallen);
6d3098
 			certname[vallen] = '\0';
6d3098
@@ -1315,7 +1323,10 @@ crypto_xmit(
6d3098
 	 * anything goes wrong.
6d3098
 	 */
6d3098
 	case CRYPTO_COOK | CRYPTO_RESP:
6d3098
-		if ((opcode & 0xffff) < VALUE_LEN) {
6d3098
+		vallen = ntohl(ep->vallen);	/* Must be <64k */
6d3098
+		if (   vallen == 0
6d3098
+		    || (vallen >= MAX_VALLEN)
6d3098
+		    || (opcode & 0x0000ffff)  < VALUE_LEN + vallen) {
6d3098
 			rval = XEVNT_LEN;
6d3098
 			break;
6d3098
 		}
6d3098
@@ -1323,8 +1334,8 @@ crypto_xmit(
6d3098
 			tcookie = cookie;
6d3098
 		else
6d3098
 			tcookie = peer->hcookie;
6d3098
-		if ((rval = crypto_encrypt(ep, &vtemp, &tcookie)) ==
6d3098
-		    XEVNT_OK) {
6d3098
+		if ((rval = crypto_encrypt((const u_char *)ep->pkt, vallen, &tcookie, &vtemp))
6d3098
+		    == XEVNT_OK) {
6d3098
 			len = crypto_send(fp, &vtemp, start);
6d3098
 			value_free(&vtemp);
6d3098
 		}
6d3098
@@ -1464,13 +1475,16 @@ crypto_verify(
6d3098
 	 * up to the next word (4 octets).
6d3098
 	 */
6d3098
 	vallen = ntohl(ep->vallen);
6d3098
-	if (vallen == 0)
6d3098
+	if (   vallen == 0
6d3098
+	    || vallen > MAX_VALLEN)
6d3098
 		return (XEVNT_LEN);
6d3098
 
6d3098
 	i = (vallen + 3) / 4;
6d3098
 	siglen = ntohl(ep->pkt[i++]);
6d3098
-	if (len < VALUE_LEN + ((vallen + 3) / 4) * 4 + ((siglen + 3) /
6d3098
-	    4) * 4)
6d3098
+	if (   siglen > MAX_VALLEN
6d3098
+	    || len - VALUE_LEN < ((vallen + 3) / 4) * 4
6d3098
+	    || len - VALUE_LEN - ((vallen + 3) / 4) * 4
6d3098
+	      < ((siglen + 3) / 4) * 4)
6d3098
 		return (XEVNT_LEN);
6d3098
 
6d3098
 	/*
6d3098
@@ -1528,6 +1542,7 @@ crypto_verify(
6d3098
 	 * proventic bit. What a relief.
6d3098
 	 */
6d3098
 	EVP_VerifyInit(&ctx, peer->digest);
6d3098
+	/* XXX: the "+ 12" needs to be at least documented... */
6d3098
 	EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12);
6d3098
 	if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen,
6d3098
 	    pkey) <= 0)
6d3098
@@ -1540,34 +1555,32 @@ crypto_verify(
6d3098
 
6d3098
 
6d3098
 /*
6d3098
- * crypto_encrypt - construct encrypted cookie and signature from
6d3098
- * extension field and cookie
6d3098
+ * crypto_encrypt - construct vp (encrypted cookie and signature) from
6d3098
+ * the public key and cookie.
6d3098
  *
6d3098
- * Returns
6d3098
+ * Returns:
6d3098
  * XEVNT_OK	success
6d3098
  * XEVNT_CKY	bad or missing cookie
6d3098
  * XEVNT_PUB	bad or missing public key
6d3098
  */
6d3098
 static int
6d3098
 crypto_encrypt(
6d3098
-	struct exten *ep,	/* extension pointer */
6d3098
-	struct value *vp,	/* value pointer */
6d3098
-	keyid_t	*cookie		/* server cookie */
6d3098
+	const u_char *ptr,	/* Public Key */
6d3098
+	u_int	vallen,		/* Length of Public Key */
6d3098
+	keyid_t	*cookie,	/* server cookie */
6d3098
+	struct value *vp	/* value pointer */
6d3098
 	)
6d3098
 {
6d3098
 	EVP_PKEY *pkey;		/* public key */
6d3098
 	EVP_MD_CTX ctx;		/* signature context */
6d3098
 	tstamp_t tstamp;	/* NTP timestamp */
6d3098
 	u_int32	temp32;
6d3098
-	u_int	len;
6d3098
-	u_char	*ptr;
6d3098
+	u_char *puch;
6d3098
 
6d3098
 	/*
6d3098
 	 * Extract the public key from the request.
6d3098
 	 */
6d3098
-	len = ntohl(ep->vallen);
6d3098
-	ptr = (u_char *)ep->pkt;
6d3098
-	pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ptr, len);
6d3098
+	pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ptr, vallen);
6d3098
 	if (pkey == NULL) {
6d3098
 		msyslog(LOG_ERR, "crypto_encrypt: %s",
6d3098
 		    ERR_error_string(ERR_get_error(), NULL));
6d3098
@@ -1581,12 +1594,12 @@ crypto_encrypt(
6d3098
 	tstamp = crypto_time();
6d3098
 	vp->tstamp = htonl(tstamp);
6d3098
 	vp->fstamp = hostval.tstamp;
6d3098
-	len = EVP_PKEY_size(pkey);
6d3098
-	vp->vallen = htonl(len);
6d3098
-	vp->ptr = emalloc(len);
6d3098
-	ptr = vp->ptr;
6d3098
+	vallen = EVP_PKEY_size(pkey);
6d3098
+	vp->vallen = htonl(vallen);
6d3098
+	vp->ptr = emalloc(vallen);
6d3098
+	puch = vp->ptr;
6d3098
 	temp32 = htonl(*cookie);
6d3098
-	if (RSA_public_encrypt(4, (u_char *)&temp32, ptr,
6d3098
+	if (RSA_public_encrypt(4, (u_char *)&temp32, puch,
6d3098
 	    pkey->pkey.rsa, RSA_PKCS1_OAEP_PADDING) <= 0) {
6d3098
 		msyslog(LOG_ERR, "crypto_encrypt: %s",
6d3098
 		    ERR_error_string(ERR_get_error(), NULL));
6d3098
@@ -1601,8 +1614,8 @@ crypto_encrypt(
6d3098
 	vp->sig = emalloc(sign_siglen);
6d3098
 	EVP_SignInit(&ctx, sign_digest);
6d3098
 	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
6d3098
-	EVP_SignUpdate(&ctx, vp->ptr, len);
6d3098
-	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
6d3098
+	EVP_SignUpdate(&ctx, vp->ptr, vallen);
6d3098
+	if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
6d3098
 		vp->siglen = htonl(sign_siglen);
6d3098
 	return (XEVNT_OK);
6d3098
 }
6d3098
@@ -1673,6 +1686,9 @@ crypto_ident(
6d3098
  * call in the protocol module.
6d3098
  *
6d3098
  * Returns extension field pointer (no errors)
6d3098
+ *
6d3098
+ * XXX: opcode and len should really be 32-bit quantities and
6d3098
+ * we should make sure that str is not too big.
6d3098
  */
6d3098
 struct exten *
6d3098
 crypto_args(
6d3098
@@ -1685,24 +1701,31 @@ crypto_args(
6d3098
 	tstamp_t tstamp;	/* NTP timestamp */
6d3098
 	struct exten *ep;	/* extension field pointer */
6d3098
 	u_int	len;		/* extension field length */
6d3098
+	size_t	slen;
6d3098
 
6d3098
 	tstamp = crypto_time();
6d3098
 	len = sizeof(struct exten);
6d3098
-	if (str != NULL)
6d3098
-		len += strlen(str);
6d3098
+	if (str != NULL) {
6d3098
+		slen = strlen(str);
6d3098
+		INSIST(slen < MAX_VALLEN);
6d3098
+		len += slen;
6d3098
+	}
6d3098
 	ep = emalloc(len);
6d3098
 	memset(ep, 0, len);
6d3098
 	if (opcode == 0)
6d3098
 		return (ep);
6d3098
 
6d3098
+	REQUIRE(0 == (len    & ~0x0000ffff));
6d3098
+	REQUIRE(0 == (opcode & ~0xffff0000));
6d3098
+
6d3098
 	ep->opcode = htonl(opcode + len);
6d3098
 	ep->associd = htonl(associd);
6d3098
 	ep->tstamp = htonl(tstamp);
6d3098
 	ep->fstamp = hostval.tstamp;
6d3098
 	ep->vallen = 0;
6d3098
 	if (str != NULL) {
6d3098
-		ep->vallen = htonl(strlen(str));
6d3098
-		memcpy((char *)ep->pkt, str, strlen(str));
6d3098
+		ep->vallen = htonl(slen);
6d3098
+		memcpy((char *)ep->pkt, str, slen);
6d3098
 	}
6d3098
 	return (ep);
6d3098
 }
6d3098
@@ -1715,6 +1738,8 @@ crypto_args(
6d3098
  * Note: it is not polite to send a nonempty signature with zero
6d3098
  * timestamp or a nonzero timestamp with an empty signature, but those
6d3098
  * rules are not enforced here.
6d3098
+ *
6d3098
+ * XXX This code won't work on a box with 16-bit ints.
6d3098
  */
6d3098
 int
6d3098
 crypto_send(
6d3098
@@ -1730,8 +1755,9 @@ crypto_send(
6d3098
 	 * Calculate extension field length and check for buffer
6d3098
 	 * overflow. Leave room for the MAC.
6d3098
 	 */
6d3098
-	len = 16;
6d3098
+	len = 16;				/* XXX Document! */
6d3098
 	vallen = ntohl(vp->vallen);
6d3098
+	INSIST(vallen <= MAX_VALLEN);
6d3098
 	len += ((vallen + 3) / 4 + 1) * 4; 
6d3098
 	siglen = ntohl(vp->siglen);
6d3098
 	len += ((siglen + 3) / 4 + 1) * 4; 
6d3098
@@ -1772,6 +1798,7 @@ crypto_send(
6d3098
 	}
6d3098
 	opcode = ntohl(ep->opcode);
6d3098
 	ep->opcode = htonl((opcode & 0xffff0000) | len); 
6d3098
+	ENSURE(len <= MAX_VALLEN);
6d3098
 	return (len);
6d3098
 }
6d3098
 
6d3098
@@ -1807,7 +1834,6 @@ crypto_update(void)
6d3098
 	if (hostval.tstamp == 0)
6d3098
 		return;
6d3098
 
6d3098
-
6d3098
 	/*
6d3098
 	 * Sign public key and timestamps. The filestamp is derived from
6d3098
 	 * the host key file extension from wherever the file was
6d3098
@@ -2108,7 +2134,8 @@ crypto_bob(
6d3098
 	tstamp_t tstamp;	/* NTP timestamp */
6d3098
 	BIGNUM	*bn, *bk, *r;
6d3098
 	u_char	*ptr;
6d3098
-	u_int	len;
6d3098
+	u_int	len;		/* extension field length */
6d3098
+	u_int	vallen = 0;	/* value length */
6d3098
 
6d3098
 	/*
6d3098
 	 * If the IFF parameters are not valid, something awful
6d3098
@@ -2123,8 +2150,11 @@ crypto_bob(
6d3098
 	/*
6d3098
 	 * Extract r from the challenge.
6d3098
 	 */
6d3098
-	len = ntohl(ep->vallen);
6d3098
-	if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) {
6d3098
+	vallen = ntohl(ep->vallen);
6d3098
+	len = ntohl(ep->opcode) & 0x0000ffff;
6d3098
+	if (vallen == 0 || len < VALUE_LEN || len - VALUE_LEN < vallen)
6d3098
+		return XEVNT_LEN;
6d3098
+	if ((r = BN_bin2bn((u_char *)ep->pkt, vallen, NULL)) == NULL) {
6d3098
 		msyslog(LOG_ERR, "crypto_bob: %s",
6d3098
 		    ERR_error_string(ERR_get_error(), NULL));
6d3098
 		return (XEVNT_ERR);
6d3098
@@ -2136,7 +2166,7 @@ crypto_bob(
6d3098
 	 */
6d3098
 	bctx = BN_CTX_new(); bk = BN_new(); bn = BN_new();
6d3098
 	sdsa = DSA_SIG_new();
6d3098
-	BN_rand(bk, len * 8, -1, 1);		/* k */
6d3098
+	BN_rand(bk, vallen * 8, -1, 1);		/* k */
6d3098
 	BN_mod_mul(bn, dsa->priv_key, r, dsa->q, bctx); /* b r mod q */
6d3098
 	BN_add(bn, bn, bk);
6d3098
 	BN_mod(bn, bn, dsa->q, bctx);		/* k + b r mod q */
6d3098
@@ -2155,30 +2185,37 @@ crypto_bob(
6d3098
 	 * Encode the values in ASN.1 and sign. The filestamp is from
6d3098
 	 * the local file.
6d3098
 	 */
6d3098
-	len = i2d_DSA_SIG(sdsa, NULL);
6d3098
-	if (len == 0) {
6d3098
+	vallen = i2d_DSA_SIG(sdsa, NULL);
6d3098
+	if (vallen == 0) {
6d3098
 		msyslog(LOG_ERR, "crypto_bob: %s",
6d3098
 		    ERR_error_string(ERR_get_error(), NULL));
6d3098
 		DSA_SIG_free(sdsa);
6d3098
 		return (XEVNT_ERR);
6d3098
 	}
6d3098
+	if (vallen > MAX_VALLEN) {
6d3098
+		msyslog(LOG_ERR, "crypto_bob: signature is too big: %d",
6d3098
+		    vallen);
6d3098
+		DSA_SIG_free(sdsa);
6d3098
+		return (XEVNT_LEN);
6d3098
+	}
6d3098
 	memset(vp, 0, sizeof(struct value));
6d3098
 	tstamp = crypto_time();
6d3098
 	vp->tstamp = htonl(tstamp);
6d3098
 	vp->fstamp = htonl(iffkey_info->fstamp);
6d3098
-	vp->vallen = htonl(len);
6d3098
-	ptr = emalloc(len);
6d3098
+	vp->vallen = htonl(vallen);
6d3098
+	ptr = emalloc(vallen);
6d3098
 	vp->ptr = ptr;
6d3098
 	i2d_DSA_SIG(sdsa, &ptr);
6d3098
 	DSA_SIG_free(sdsa);
6d3098
 	if (tstamp == 0)
6d3098
 		return (XEVNT_OK);
6d3098
 
6d3098
+	/* XXX: more validation to make sure the sign fits... */
6d3098
 	vp->sig = emalloc(sign_siglen);
6d3098
 	EVP_SignInit(&ctx, sign_digest);
6d3098
 	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
6d3098
-	EVP_SignUpdate(&ctx, vp->ptr, len);
6d3098
-	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
6d3098
+	EVP_SignUpdate(&ctx, vp->ptr, vallen);
6d3098
+	if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
6d3098
 		vp->siglen = htonl(sign_siglen);
6d3098
 	return (XEVNT_OK);
6d3098
 }
6d3098
diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2014-9297 ntp-4.2.6p5/ntpd/ntp_proto.c
6d3098
--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2014-9297	2015-02-04 11:37:44.490673080 +0100
6d3098
+++ ntp-4.2.6p5/ntpd/ntp_proto.c	2015-02-04 11:47:42.653868627 +0100
6d3098
@@ -431,7 +431,7 @@ receive(
6d3098
 	 */
6d3098
 	authlen = LEN_PKT_NOMAC;
6d3098
 	has_mac = rbufp->recv_length - authlen;
6d3098
-	while (has_mac != 0) {
6d3098
+	while (has_mac > 0) {
6d3098
 		u_int32	len;
6d3098
 
6d3098
 		if (has_mac % 4 != 0 || has_mac < MIN_MAC_LEN) {
6d3098
@@ -456,6 +456,14 @@ receive(
6d3098
 	}
6d3098
 
6d3098
 	/*
6d3098
+	 * If has_mac is < 0 we had a malformed packet.
6d3098
+	 */
6d3098
+	if (has_mac < 0) {
6d3098
+		sys_badlength++;
6d3098
+		return;		/* bad length */
6d3098
+	}
6d3098
+
6d3098
+	/*
6d3098
 	 * If authentication required, a MAC must be present.
6d3098
 	 */
6d3098
 	if (restrict_mask & RES_DONTTRUST && has_mac == 0) {