[chrony-dev] Alleged out of bounds read in cmdmon.c



To whom it may concern;

It looks like there is an out-of-bounds read within Chrony 1.30 (as
pulled from
http://download.tuxfamily.org/chrony/chrony-1.30.tar.gz).

Within cmdmon.c, transmit_reply() - line 670, a temporary buffer is
declared and allocated 8 bytes. Further along, within cmdmon.c - line
693, sendto(), addrlen is set to 28 bytes, which reads far beyond the 8
bytes allocated.

Similarly, cmdmon.c - line 1815 is allocated 8 bytes. Then, on line
1818, 28 bytes are allocated to from_length, which leads to a read far
beyond the 8 bytes initially allocated.

I have confirmed the out of bounds reads in Valgrind and static analysis
tools.  So it looks and smells plausible.  Exploitability?  Plausible but
not entirely certain.


You can find additional information at
http://cwe.mitre.org/data/definitions/125.html and
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/cpp/out_of_bounds_read.html


- Clouds
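
An added example, not part of the original message and not chrony's code: a defensive check for the pattern the report describes, where the addrlen handed to sendto() is larger than the object that holds the address. The names checked_addrlen, send_checked and demo_len are hypothetical, and the sample addresses are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Hypothetical helper, not chrony code: length sendto() may read for the
   address stored at addr, or 0 if the family is unknown or the object
   holding it (storage_size bytes) is smaller than that family needs. */
socklen_t checked_addrlen(const void *addr, size_t storage_size)
{
    struct sockaddr hdr = {0};
    size_t hdr_len = offsetof(struct sockaddr, sa_data), need;
    if (addr == NULL || storage_size < hdr_len) return 0;
    memcpy(&hdr, addr, hdr_len);          /* read only the family header */
    switch (hdr.sa_family) {
    case AF_INET:  need = sizeof(struct sockaddr_in);  break;
    case AF_INET6: need = sizeof(struct sockaddr_in6); break;
    default:       return 0;
    }
    return storage_size >= need ? (socklen_t)need : 0;
}

/* Refuse to call sendto() when addrlen would exceed the address object. */
ssize_t send_checked(int fd, const void *msg, size_t len,
                     const void *addr, size_t storage_size)
{
    socklen_t alen = checked_addrlen(addr, storage_size);
    if (alen == 0) { errno = EINVAL; return -1; }
    return sendto(fd, msg, len, 0, (const struct sockaddr *)addr, alen);
}

/* Constructed input: an address of `family` whose caller claims that only
   claimed_size bytes of storage back it. */
socklen_t demo_len(int family, size_t claimed_size)
{
    struct sockaddr_storage ss;
    memset(&ss, 0, sizeof ss);
    ss.ss_family = (sa_family_t)family;
    return checked_addrlen(&ss, claimed_size);
}

int main(void)
{
    printf("AF_INET6 in an 8-byte object: %u\nAF_INET6 in a full object: %u\n",
           (unsigned)demo_len(AF_INET6, 8),
           (unsigned)demo_len(AF_INET6, sizeof(struct sockaddr_in6)));
    return 0;
}
```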

