NTP - Network Time Protocol

#### ChangeSet ####

2014-12-12 11:19:49+00:00, stenn@psp-fb1.ntp.org [Sec 2669] buffer overflow in configure()

==== ChangeLog ====

2014-12-12 11:19:33+00:00, stenn@psp-fb1.ntp.org +1 -0 [Sec 2669] buffer overflow in configure()
--- 1.1581/ChangeLog 2014-12-12 11:13:36 +00:00
+++ 1.1582/ChangeLog 2014-12-12 11:19:33 +00:00
@@ -1,5 +1,6 @@ * [Sec 2667] buffer overflow in crypto_recv(). * [Sec 2668] buffer overflow in ctl_putdata().
+* [Sec 2669] buffer overflow in configure().
* [Bug 2686] refclock_gpsdjson needs strtoll(), which is not always present. (4.2.7p484-RC) 2014/12/11 Released by Harlan Stenn <stenn@ntp.org> (4.2.7p483) 2014/12/08 Released by Harlan Stenn <stenn@ntp.org>

==== ntpd/ntp_control.c ====

2014-12-12 11:19:37+00:00, stenn@psp-fb1.ntp.org +14 -0 [Sec 2669] buffer overflow in configure()
--- 1.191/ntpd/ntp_control.c 2014-12-12 11:13:40 +00:00
+++ 1.192/ntpd/ntp_control.c 2014-12-12 11:19:37 +00:00
@@ -3290,6 +3290,20 @@ static void configure( /* Initialize the remote config buffer */ data_count = reqend - reqpt;
+ + if (data_count > sizeof(remote_config.buffer) - 2) { + snprintf(remote_config.err_msg, + sizeof(remote_config.err_msg), + "runtime configuration failed: request too long"); + ctl_putdata(remote_config.err_msg, + strlen(remote_config.err_msg), 0); + ctl_flushpkt(0); + msyslog(LOG_NOTICE, + "runtime config from %s rejected: request too long", + stoa(&rbufp->recv_srcadr)); + return; + } +
memcpy(remote_config.buffer, reqpt, data_count); if (data_count > 0 && '\n' != remote_config.buffer[data_count - 1])