[Git][NTPsec/ntpsec][master] Prevent potential buffer overruns in the mode 6 code.

Eric S. Raymond gitlab at mg.gitlab.com
Mon Mar 13 10:07:27 UTC 2017


Eric S. Raymond pushed to branch master at NTPsec / ntpsec


Commits:
ffc76878 by Eric S. Raymond at 2017-03-13T06:05:42-04:00
Prevent potential buffer overruns in the mode 6 code.

Not exploitable in practice, but audit tools may pick these up and complain.

- - - - -


1 changed file:

- ntpd/ntp_control.c


Changes:

=====================================
ntpd/ntp_control.c
=====================================
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -1129,6 +1129,8 @@ ctl_putunqstr(
 	size_t tl;
 
 	tl = strlen(tag);
+	if (tl >= sizeof(buffer))
+	    return;
 	memcpy(buffer, tag, tl);
 	cp = buffer + tl;
 	if (len > 0) {
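Review bot: The new guard bounds only the tag, while the `len > 0` branch that opens on the hunk's last line presumably appends `=` and `len` bytes of data after it, so it is the combined length that has to fit in `buffer`. Unless the code outside the hunk already checks that, the guard could cover both cases: `if (tl >= sizeof(buffer) || len > sizeof(buffer) - tl - 1) return;`, written as a subtraction so the comparison cannot wrap. The early return also drops the variable from the response without any trace; a log message at that point would make an oversized tag visible to the operator. ctl_putunqstr's body starts and ends outside the hunk.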
@@ -1158,7 +1160,7 @@ ctl_putdblf(
 
 	cp = buffer;
 	cq = tag;
-	while (*cq != '\0')
+	while (*cq != '\0' && cp < buffer + sizeof(buffer) - 1)
 		*cp++ = *cq++;
 	*cp++ = '=';
 	NTP_INSIST((size_t)(cp - buffer) < sizeof(buffer));
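Review bot: With an oversized tag the bounded loop stops with `cp` at `buffer + sizeof(buffer) - 1`, the following `*cp++ = '='` fills the last byte, and the `NTP_INSIST` on the next line then fails because `cp - buffer` equals `sizeof(buffer)`, so the overrun is traded for an assertion failure rather than a clean rejection. The same loop bound is added in ctl_putuint, ctl_putfs, ctl_puthex, ctl_putint, ctl_putts, ctl_putadr and ctl_putarray, where no such check is visible after the `=` and whatever formats the value (outside these hunks) would start with no room left. A silently truncated tag would also put a wrong variable name in the response, so rejecting the tag up front, as the ctl_putunqstr hunk does, seems the safer behaviour. A shared helper along the lines below (the name is a suggestion) would replace the eight copies of the loop; each function body continues outside its hunk.

```c
/* Copy "tag=" into buf. Returns the write position after '=', or NULL
 * when the tag, '=' and at least one further byte cannot fit. The caller
 * must still bound whatever it appends after the returned pointer. */
static char *
ctl_puttag(char *buf, size_t buflen, const char *tag)
{
	size_t tl = strlen(tag);

	if (tl + 2 > buflen)
		return NULL;
	memcpy(buf, tag, tl);
	buf[tl] = '=';
	return buf + tl + 1;
}

	/* in ctl_putdblf and the seven sibling functions, replacing the copy loop */
	cp = ctl_puttag(buffer, sizeof(buffer), tag);
	if (cp == NULL)
		return;
	/* … unchanged: value formatting after '=' … */
```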
@@ -1184,7 +1186,7 @@ ctl_putuint(
 
 	cp = buffer;
 	cq = tag;
-	while (*cq != '\0')
+	while (*cq != '\0' && cp < buffer + sizeof(buffer) - 1)
 		*cp++ = *cq++;
 
 	*cp++ = '=';
@@ -1212,7 +1214,7 @@ ctl_putfs(
 
 	cp = buffer;
 	cq = tag;
-	while (*cq != '\0')
+	while (*cq != '\0' && cp < buffer + sizeof(buffer) - 1)
 		*cp++ = *cq++;
 
 	*cp++ = '=';
@@ -1247,7 +1249,7 @@ ctl_puthex(
 
 	cp = buffer;
 	cq = tag;
-	while (*cq != '\0')
+	while (*cq != '\0' && cp < buffer + sizeof(buffer) - 1)
 		*cp++ = *cq++;
 
 	*cp++ = '=';
@@ -1273,7 +1275,7 @@ ctl_putint(
 
 	cp = buffer;
 	cq = tag;
-	while (*cq != '\0')
+	while (*cq != '\0' && cp < buffer + sizeof(buffer) - 1)
 		*cp++ = *cq++;
 
 	*cp++ = '=';
@@ -1299,7 +1301,7 @@ ctl_putts(
 
 	cp = buffer;
 	cq = tag;
-	while (*cq != '\0')
+	while (*cq != '\0' && cp < buffer + sizeof(buffer) - 1)
 		*cp++ = *cq++;
 
 	*cp++ = '=';
@@ -1327,7 +1329,7 @@ ctl_putadr(
 
 	cp = buffer;
 	cq = tag;
-	while (*cq != '\0')
+	while (*cq != '\0' && cp < buffer + sizeof(buffer) - 1)
 		*cp++ = *cq++;
 
 	*cp++ = '=';
@@ -1398,7 +1400,7 @@ ctl_putarray(
 	int i;
 	cp = buffer;
 	cq = tag;
-	while (*cq != '\0')
+	while (*cq != '\0' && cp < buffer + sizeof(buffer) - 1)
 		*cp++ = *cq++;
 	*cp++ = '=';
 	i = start;



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/ffc76878ecbf8fa60b8a225ad4e96bcd582c72be