Description
In get_unix_time_by_addr(), the timestamp conversion subtracts SNTP_TIME_OFFSET (2,208,988,800) from raw_secs (u32) before casting to i64:
Ok((raw_secs - SNTP_TIME_OFFSET) as i64)
If a malicious or malfunctioning NTP server returns raw_secs < SNTP_TIME_OFFSET, the subtraction causes a u32 underflow (wrapping around), resulting in a completely wrong Unix timestamp instead of an error.
Suggested fix
Cast to i64 before the subtraction:
Ok((raw_secs as i64) - (SNTP_TIME_OFFSET as i64))
Or use checked arithmetic:
raw_secs.checked_sub(SNTP_TIME_OFFSET)
    .map(|v| v as i64)
    .ok_or_else(|| Error::new(
        ErrorKind::InvalidData,
        "Server returned timestamp before SNTP epoch",
    ))
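The three conversions side by side, as an added example that is not code from the project: the function names and sample values are constructed for illustration, and `wrapping_sub` is used to reproduce the release-build wraparound deterministically (a debug build panics on the overflow instead).

```rust
use std::io::{Error, ErrorKind};

/// Seconds between the NTP epoch (1900) and the Unix epoch (1970), as given in the issue.
const SNTP_TIME_OFFSET: u32 = 2_208_988_800;

/// The reported pattern: subtract in u32, then cast (hypothetical helper name).
/// `wrapping_sub` makes the release-build wraparound explicit.
fn convert_wrapping(raw_secs: u32) -> i64 {
    raw_secs.wrapping_sub(SNTP_TIME_OFFSET) as i64
}

/// First suggested fix: widen to i64 before subtracting. Nothing wraps, but a
/// value below the offset comes back as a negative timestamp for the caller to handle.
fn convert_widened(raw_secs: u32) -> i64 {
    i64::from(raw_secs) - i64::from(SNTP_TIME_OFFSET)
}

/// Second suggested fix: reject a value below the offset with an error.
fn convert_checked(raw_secs: u32) -> Result<i64, Error> {
    raw_secs
        .checked_sub(SNTP_TIME_OFFSET)
        .map(i64::from)
        .ok_or_else(|| {
            Error::new(ErrorKind::InvalidData, "Server returned timestamp before SNTP epoch")
        })
}

fn main() {
    // Constructed sample values for the seconds field of a server reply.
    let samples: [(&str, u32); 3] = [
        ("zeroed field", 0),
        ("one second below the offset", SNTP_TIME_OFFSET - 1),
        ("valid, 2023-11-14T22:13:20Z", 3_908_988_800),
    ];
    for (label, raw) in samples {
        println!(
            "{label}: wrapping={} widened={} checked={:?}",
            convert_wrapping(raw),
            convert_widened(raw),
            convert_checked(raw).map_err(|e| e.kind())
        );
    }
}
```

The wrapped results are positive and look like ordinary timestamps, so a caller cannot distinguish them from a valid reply without a range check of its own.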