NTP - Network Time Protocol

#### ChangeSet ####

2014-12-12 11:13:55+00:00, stenn@psp-fb1.ntp.org [Sec 2668] buffer overflow in ctl_putdata()

==== ChangeLog ====

2014-12-12 11:13:36+00:00, stenn@psp-fb1.ntp.org +1 -0 [Sec 2668] buffer overflow in ctl_putdata()
--- 1.1580/ChangeLog 2014-12-12 11:05:58 +00:00
+++ 1.1581/ChangeLog 2014-12-12 11:13:36 +00:00
@@ -1,4 +1,5 @@ * [Sec 2667] buffer overflow in crypto_recv().
+* [Sec 2668] buffer overflow in ctl_putdata().
* [Bug 2686] refclock_gpsdjson needs strtoll(), which is not always present. (4.2.7p484-RC) 2014/12/11 Released by Harlan Stenn <stenn@ntp.org> (4.2.7p483) 2014/12/08 Released by Harlan Stenn <stenn@ntp.org>

==== ntpd/ntp_control.c ====

2014-12-12 11:13:40+00:00, stenn@psp-fb1.ntp.org +16 -1 [Sec 2668] buffer overflow in ctl_putdata()
--- 1.190/ntpd/ntp_control.c 2014-11-15 04:41:02 +00:00
+++ 1.191/ntpd/ntp_control.c 2014-12-12 11:13:40 +00:00
@@ -801,6 +801,10 @@ static char *reqend; static char *reqpt; static char *reqend;
+#ifndef MIN +#define MIN(a, b) (((a) <= (b)) ? (a) : (b)) +#endif +
/* * init_control - initialize request data */ @@ -1316,6 +1320,7 @@ ctl_putdata( ) { int overhead;
+ unsigned int currentlen;
overhead = 0; if (!bin) { @@ -1338,12 +1343,22 @@ ctl_putdata( /* * Save room for trailing junk */
- if (dlen + overhead + datapt > dataend) {
+ while (dlen + overhead + datapt > dataend) {
/* * Not enough room in this one, flush it out. */
+ currentlen = MIN(dlen, dataend - datapt); + + memcpy(datapt, dp, currentlen); + + datapt += currentlen; + dp += currentlen; + dlen -= currentlen; + datalinelen += currentlen; +
ctl_flushpkt(CTL_MORE); }
+
memcpy(datapt, dp, dlen); datapt += dlen; datalinelen += dlen;
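Review bot: In the ntp_control.c hunk at -801, the new `MIN(a, b)` macro is untyped, yet its only use in this patch is `MIN(dlen, dataend - datapt)` assigned to `unsigned int currentlen`. The second argument is a signed pointer difference, so the comparison depends on implicit conversions that the reader cannot see at the call site. Because of the `#ifndef MIN` guard, a platform header's definition may also be used in place of this one. Suggest either an explicit cast at the call, such as `(unsigned int)(dataend - datapt)`, or a small static helper taking two unsigned lengths, so that the value passed to `memcpy()` has one well-defined type.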
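Review bot: In the ntp_control.c hunk at -1338, the loop condition `dlen + overhead + datapt > dataend` accounts for `overhead`, but the chunk size `MIN(dlen, dataend - datapt)` does not. Each partial copy can therefore fill the buffer right up to `dataend`, which appears to consume the space the "Save room for trailing junk" comment is reserving. If that space is still needed when `ctl_flushpkt(CTL_MORE)` runs, the chunk should be limited to `dataend - datapt - overhead`, with a check that this is not negative. Two smaller points on the same lines. First, the condition forms a pointer past `dataend` before comparing. Comparing lengths instead, for example `dlen + overhead > (size_t)(dataend - datapt)`, avoids that. Second, the loop only terminates if `ctl_flushpkt()` moves `datapt` back. If it ever does not, `currentlen` is 0 on the next pass and the loop spins, so a comment stating that dependency (or a guard on `currentlen == 0`) would help the next reader.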