The function, tlv_post_recv, and the functions it calls don't check
the length of the tlv before flipping the byte order of fields. An
attacker (or a really buggy client) can craft a message causing the
byte order of data outside the received message to be flipped.

None of the supported tlvs are large enough to flip bytes outside the
ptp_message struct, which could corrupt the heap. However, it's easy
to mess up the message's refcnt field, leading to memory leaks.

The fix is to check that the tlv length is what is expected when
receiving, and tlv_post_recv needs to return an int to signal when a
tlv is invalid.

Signed-off-by: Geoff Salmon <gsalmon@se-instruments.com>
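
The check described in the commit message above, sketched as an added example; this is not code from the commit or from linuxptp. The names `example_tlv_post_recv`, `tlv_hdr`, `example_body` and `TLV_EXAMPLE` and the field layout are hypothetical.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout for illustration; not linuxptp's own structures. */
#define TLV_EXAMPLE 0x0001 /* constructed type id */
struct tlv_hdr { uint16_t type, length; };  /* length = value bytes */
struct example_body { uint16_t a, b; uint32_t c; };

/* Convert one received TLV in place to host byte order. avail is the number
 * of bytes actually received. Returns 0, or -1 (buffer untouched) when the
 * TLV is truncated or its length is not what its type requires. */
int example_tlv_post_recv(uint8_t *buf, size_t avail)
{
    struct tlv_hdr hdr;
    struct example_body body;

    if (avail < sizeof(hdr))
        return -1;
    memcpy(&hdr, buf, sizeof(hdr));
    hdr.type = ntohs(hdr.type);
    hdr.length = ntohs(hdr.length);
    if (hdr.length > avail - sizeof(hdr))
        return -1; /* claims more bytes than were received */

    switch (hdr.type) {
    case TLV_EXAMPLE:
        if (hdr.length != sizeof(body))
            return -1; /* wrong size for this type: swap nothing */
        memcpy(&body, buf + sizeof(hdr), sizeof(body));
        body.a = ntohs(body.a);
        body.b = ntohs(body.b);
        body.c = ntohl(body.c);
        memcpy(buf + sizeof(hdr), &body, sizeof(body));
        break;
    default:
        break; /* unknown type: value bytes left as received */
    }
    memcpy(buf, &hdr, sizeof(hdr));
    return 0;
}

int main(void)
{
    /* Constructed input: type 1 claiming 8 value bytes, only 4 present. */
    uint8_t msg[8] = { 0x00, 0x01, 0x00, 0x08, 0x12, 0x34, 0x56, 0x78 };
    printf("truncated tlv -> %d\n", example_tlv_post_recv(msg, sizeof(msg)));
    return 0;
}
```
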

This non-portable, implementation-specific message is designed to inform
external programs about the relationship between the local clock and the
remote master clock.

Signed-off-by: Richard Cochran <richardcochran@gmail.com>