
2017-02-12 13:46:35+01:00, perlinger@ntp.org
  [Sec 3388] NTP-01-014: Buffer Overflow in DPTS Clock
diff -up ntp-4.2.6p5/ntpd/refclock_datum.c.cve-2017-6462 ntp-4.2.6p5/ntpd/refclock_datum.c
--- ntp-4.2.6p5/ntpd/refclock_datum.c.cve-2017-6462	2009-12-09 08:36:36.000000000 +0100
+++ ntp-4.2.6p5/ntpd/refclock_datum.c	2017-03-22 13:34:48.851357820 +0100
@@ -584,7 +584,7 @@ datum_pts_receive(
 	struct recvbuf *rbufp
 	)
 {
-	int i;
+	int i, nb;
 	l_fp tstmp;
 	struct datum_pts_unit *datum_pts;
 	char *dpt;
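Review bot: `nb` is declared `int` on this line, but the loop bound added in the second hunk compares it with `sizeof(datum_pts->retbuf)`, a `size_t`, so the test is a signed/unsigned comparison: it trips `-Wsign-compare`, and a negative `nb` would convert to a large unsigned value and pass the bound. Nothing visible in the hunks makes `nbytes` negative, so this is a hardening point rather than a live defect. One option is to keep `int` and write the bound as `nb >= 0 && (size_t)nb < sizeof(datum_pts->retbuf)`; alternatively declare `nb` with the same type as `datum_pts->nbytes`, whose declaration is not visible in this patch. datum_pts_receive's signature begins before this hunk and its body continues past the second hunk.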
@@ -623,22 +623,23 @@ datum_pts_receive(
 	** received to reduce the jitter.
 	*/
 
-	if (datum_pts->nbytes == 0) {
+	nb = datum_pts->nbytes;
+	if (nb == 0) {
 		datum_pts->lastrec = rbufp->recv_time;
 	}
 
 	/*
 	** Increment our count to the number of bytes received so far. Return if we
 	** haven't gotten all seven bytes yet.
+	** [Sec 3388] make sure we do not overrun the buffer.
+	** TODO: what to do with excessive bytes, if we ever get them?
 	*/
-
-	for (i=0; i
-		datum_pts->retbuf[datum_pts->nbytes+i] = dpt[i];
+	for (i=0; (i < dpend) && (nb < sizeof(datum_pts->retbuf)); i++, nb++) {
+		datum_pts->retbuf[nb] = dpt[i];
 	}
-
-	datum_pts->nbytes += dpend;
-
-	if (datum_pts->nbytes != 7) {
+	datum_pts->nbytes = nb;
+	
+	if (nb < 7) {
 		return;
 	}