2017-02-12 13:46:35+01:00, perlinger@ntp.org
  [Sec 3388] NTP-01-014: Buffer Overflow in DPTS Clock

diff -up ntp-4.2.6p5/ntpd/refclock_datum.c.cve-2017-6462 ntp-4.2.6p5/ntpd/refclock_datum.c
--- ntp-4.2.6p5/ntpd/refclock_datum.c.cve-2017-6462	2009-12-09 08:36:36.000000000 +0100
+++ ntp-4.2.6p5/ntpd/refclock_datum.c	2017-03-22 13:34:48.851357820 +0100
@@ -584,7 +584,7 @@ datum_pts_receive(
 	struct recvbuf *rbufp
 	)
 {
-	int i;
+	int i, nb;
 	l_fp tstmp;
 	struct datum_pts_unit *datum_pts;
 	char *dpt;
@@ -623,22 +623,23 @@ datum_pts_receive(
 	** received to reduce the jitter.
 	*/
 
-	if (datum_pts->nbytes == 0) {
+	nb = datum_pts->nbytes;
+	if (nb == 0) {
 		datum_pts->lastrec = rbufp->recv_time;
 	}
 
 	/*
 	** Increment our count to the number of bytes received so far. Return if we
 	** haven't gotten all seven bytes yet.
+	** [Sec 3388] make sure we do not overrun the buffer.
+	** TODO: what to do with excessive bytes, if we ever get them?
 	*/
-
-	for (i=0; i<dpend; i++) {
-		datum_pts->retbuf[datum_pts->nbytes+i] = dpt[i];
+	for (i=0; (i < dpend) && (nb < sizeof(datum_pts->retbuf)); i++, nb++) {
+		datum_pts->retbuf[nb] = dpt[i];
 	}
-
-	datum_pts->nbytes += dpend;
-
-	if (datum_pts->nbytes != 7) {
+	datum_pts->nbytes = nb;
+	
+	if (nb < 7) {
 		return;
 	}