[chrony-dev] Alleged out of bounds read in cmdmon.c
- To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: [chrony-dev] Alleged out of bounds read in cmdmon.c
- From: clouds@xxxxxxxxxx
- Date: Wed, 30 Jul 2014 00:56:21 -0700
To whom it may concern;
It looks like there is an out-of-bounds read within Chrony - 1.30 (as
pulled from http://download.tuxfamily.org/chrony/chrony-1.30.tar.gz)
Within cmdmon.c, transmit_reply() - line 670, a temporary buffer is
declared and allocated 8 bytes. So further along, within cmdmon.c - line
693, sendto(), addrlen is set to 28 bytes, which reads far beyond the 8
bytes allocated.
Similarly, cmdmon.c - line 1815 is allocated 8 bytes, and on line
1818, 28 bytes are allocated to from_length, which leads to a read far
beyond the 8 bytes initially allocated.
I have confirmed the out of bounds reads in Valgrind and static analysis
tools. So it looks and smells plausible. Exploitability? Plausible but
not entirely certain.
You can find additional information @
http://cwe.mitre.org/data/definitions/125.html and
http://www.hpenterprisesecurity.com/vulncat/en/vulncat/cpp/out_of_bounds_read.html.
- Clouds
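
Added example, not part of the original message and not chrony's code: a generic guard that refuses to pass an addrlen to sendto() unless the object holding the address is at least that large (28 bytes is sizeof(struct sockaddr_in6) on Linux). The names union sock_addr, checked_addrlen and checked_sendto are hypothetical.

```c
#include <stddef.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Hypothetical address holder: the union is as large as its largest
   member, so it can back an IPv4 or an IPv6 socket address. */
union sock_addr {
  struct sockaddr sa;
  struct sockaddr_in in4;
  struct sockaddr_in6 in6;
};

/* Fail the build if the holder could ever be smaller than the
   largest length passed to the socket calls. */
_Static_assert(sizeof (union sock_addr) >= sizeof (struct sockaddr_in6),
               "address storage too small for IPv6");

/* Return the address length that belongs to this family, or 0 when the
   family is unsupported or storage_size bytes cannot hold it. */
socklen_t checked_addrlen(int family, size_t storage_size)
{
  size_t need;

  switch (family) {
    case AF_INET:  need = sizeof (struct sockaddr_in);  break;
    case AF_INET6: need = sizeof (struct sockaddr_in6); break;
    default:       return 0;
  }
  return need <= storage_size ? (socklen_t)need : 0;
}

/* Call sendto() only when the length is backed by real storage. */
ssize_t checked_sendto(int fd, const void *msg, size_t len,
                       const union sock_addr *to)
{
  socklen_t addrlen = checked_addrlen(to->sa.sa_family, sizeof *to);

  if (addrlen == 0)
    return -1;  /* refuse instead of letting the kernel read past the object */
  return sendto(fd, msg, len, 0, &to->sa, addrlen);
}
```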