2017-02-12 13:46:35+01:00, perlinger@ntp.org
[Sec 3388] NTP-01-014: Buffer Overflow in DPTS Clock
diff -up ntp-4.2.6p5/ntpd/refclock_datum.c.cve-2017-6462 ntp-4.2.6p5/ntpd/refclock_datum.c
--- ntp-4.2.6p5/ntpd/refclock_datum.c.cve-2017-6462 2009-12-09 08:36:36.000000000 +0100
+++ ntp-4.2.6p5/ntpd/refclock_datum.c 2017-03-22 13:34:48.851357820 +0100
@@ -584,7 +584,7 @@ datum_pts_receive(
struct recvbuf *rbufp
)
{
- int i;
+ int i, nb;
l_fp tstmp;
struct datum_pts_unit *datum_pts;
char *dpt;
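Review bot: `nb` is declared as `int` here but in the second hunk it is compared against `sizeof(datum_pts->retbuf)`, a `size_t`, so the bound check is a signed/unsigned comparison (`-Wsign-compare` will warn) and a negative `nb` would convert to a large unsigned value and pass the check. Since `nb` only ever holds a non-negative byte count, declaring it `int i; size_t nb;` expresses the intent and makes the comparison well-typed; the type of `datum_pts->nbytes` is not visible in this diff, so the `nb = datum_pts->nbytes` read and `datum_pts->nbytes = nb` write-back may need an explicit cast if that field is `int`. Whether `nbytes` can be negative at this point depends on code outside the hunk, so treat this as a hardening of the new check rather than a known fault. The rest of `datum_pts_receive` lies outside these hunks.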
@@ -623,22 +623,23 @@ datum_pts_receive(
** received to reduce the jitter.
*/
- if (datum_pts->nbytes == 0) {
+ nb = datum_pts->nbytes;
+ if (nb == 0) {
datum_pts->lastrec = rbufp->recv_time;
}
/*
** Increment our count to the number of bytes received so far. Return if we
** haven't gotten all seven bytes yet.
+ ** [Sec 3388] make sure we do not overrun the buffer.
+ ** TODO: what to do with excessive bytes, if we ever get them?
*/
-
- for (i=0; i<dpend; i++) {
- datum_pts->retbuf[datum_pts->nbytes+i] = dpt[i];
+ for (i=0; (i < dpend) && (nb < sizeof(datum_pts->retbuf)); i++, nb++) {
+ datum_pts->retbuf[nb] = dpt[i];
}
-
- datum_pts->nbytes += dpend;
-
- if (datum_pts->nbytes != 7) {
+ datum_pts->nbytes = nb;
+
+ if (nb < 7) {
return;
}