Re: [chrony-dev] Alleged out of bounds read in cmdmon.c
On Wed, Jul 30, 2014 at 12:56:21AM -0700, clouds@xxxxxxxxxx wrote:
> It looks like there is an out-of-bounds read within Chrony - 1.30 (as
> pulled from
> http://download.tuxfamily.org/chrony/chrony-1.30.tar.gz
> )
>
> Within cmdmon.c, transmit_reply() - line 670, a temporary buffer is
> declared and allocated 8 bytes. Further along, within cmdmon.c - line
> 693, sendto(), addrlen is set to 28 bytes, which reads far beyond the 8
> bytes allocated.
You mean the memory where_to is pointing at is only 8 bytes?
where_to should be pointing at union sockaddr_in46, which includes
sockaddr_in, sockaddr_in6 and sockaddr, allocated on stack in
read_from_cmd_socket(). Here, it seems to be 28 bytes with IPv6
enabled and 16 bytes with IPv6 disabled. I don't see how it could be
only 8 bytes.
On what system and architecture are you seeing this?
> Similarly, cmdmon.c - line 1815 is allocated 8 bytes. On line 1818,
> 28 bytes are allocated to from_length, which leads to a read far
> beyond the 8 bytes initially allocated.
Line 1815 in cmdmon.c from 1.30 has "if (prev_tx_message) {", there is
no allocation.
> I have confirmed the out of bounds reads in Valgrind and static analysis
> tools. So it looks and smells plausible. Exploitability? Plausible but
> not entirely certain.
valgrind seems to be silent here.
--
Miroslav Lichvar
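The disagreement above comes down to one question: how large is the storage behind where_to, and does the addrlen handed to sendto() fit inside it? The following is an added example (not chrony's code and not part of the thread) that checks exactly that. The union is modelled on the union sockaddr_in46 described in the reply; its member names here are illustrative assumptions, not chrony's. On Linux/glibc the sizes are the ones quoted in the reply: 16 bytes for struct sockaddr_in and 28 for struct sockaddr_in6, so the union is 28 bytes and an addrlen of 28 stays within it. The constructed address uses the loopback address and chrony's command port (UDP 323) purely as sample input.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Storage for either address family, in the spirit of chrony's
 * union sockaddr_in46. Member names are an illustrative assumption. */
union sockaddr_any {
    struct sockaddr sa;
    struct sockaddr_in in4;
    struct sockaddr_in6 in6;
};

/* The address length sendto()/recvfrom() should be given for the family
 * actually stored in the union, or 0 for an unsupported family. Because
 * each case returns the size of a union member, the value can never exceed
 * sizeof(union sockaddr_any), so the kernel's copy stays inside the
 * caller's storage. */
socklen_t addr_len_for(const union sockaddr_any *addr)
{
    switch (addr->sa.sa_family) {
    case AF_INET:  return sizeof(addr->in4);
    case AF_INET6: return sizeof(addr->in6);
    default:       return 0;
    }
}

/* Is a (storage size, addrlen) pair safe to hand to sendto()? The length
 * must be non-zero and must not exceed the storage it describes. This is
 * the property the report is really asking about. */
int addrlen_fits(size_t storage_size, socklen_t addrlen)
{
    return addrlen > 0 && (size_t)addrlen <= storage_size;
}

/* Fill the union with a constructed IPv6 address ([::1]:323) and return
 * the length that should be passed along with it. */
socklen_t fill_ipv6_example(union sockaddr_any *addr)
{
    memset(addr, 0, sizeof(*addr));
    addr->in6.sin6_family = AF_INET6;
    addr->in6.sin6_port = htons(323);
    inet_pton(AF_INET6, "::1", &addr->in6.sin6_addr);
    return addr_len_for(addr);
}

int main(void)
{
    union sockaddr_any where_to;
    socklen_t len = fill_ipv6_example(&where_to);

    printf("sizeof(struct sockaddr_in)  = %zu\n", sizeof(struct sockaddr_in));
    printf("sizeof(struct sockaddr_in6) = %zu\n", sizeof(struct sockaddr_in6));
    printf("sizeof(union sockaddr_any)  = %zu\n", sizeof(where_to));
    printf("addrlen for this address    = %u, fits storage: %s\n",
           (unsigned)len, addrlen_fits(sizeof(where_to), len) ? "yes" : "no");

    /* The scenario the report describes: 8 bytes of storage, addrlen 28. */
    printf("8-byte buffer with addrlen 28 fits: %s\n",
           addrlen_fits(8, 28) ? "yes" : "no");
    return 0;
}
```

Run on the platform where the tool reported the problem and compare sizeof(union sockaddr_any) with the addrlen being passed; if the union really were 8 bytes there, the second printf line would say "no" for the real pair as well, which is the evidence the thread is missing.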