[TALOS-CAN-0063] avoid buffer overrun in ntpq

bk: 560c26b1C8KIHjmGWF5kXbY_3BUHQA

diff --git a/ChangeLog b/ChangeLog
index f2342eb21e9b3a5592d4b82961477d78db1ebd76..31cffecc907ffef60ee4d0a8109384712aa98ee9 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 ---
 * [TALOS-CAN-0052] crash by loop counter underrun. perlinger@ntp.org
 * [TALOS-CAN-0054] memory corruption in password store. perlinger@ntp.org
+* [TALOS-CAN-0063] avoid buffer overrun in ntpq. perlinger@ntp.org
 * [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
 * [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
 * [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.

diff --git a/ntpq/ntpq.c b/ntpq/ntpq.c
index 17fe2ea45d5b756b48e85e4833211cf7158af6dd..c8d5eced800dba45b64f4d040d46b64942068eeb 100644 (file)
--- a/ntpq/ntpq.c
+++ b/ntpq/ntpq.c
@@ -3361,12 +3361,17 @@ cookedprint(
                }
 
                if (output_raw != 0) {
+                       /* TALOS-CAN-0063: avoid buffer overrun */
                        atoascii(name, MAXVARLEN, bn, sizeof(bn));
-                       atoascii(value, MAXVALLEN, bv, sizeof(bv));
                        if (output_raw != '*') {
+                               atoascii(value, MAXVALLEN,
+                                        bv, sizeof(bv) - 1);
                                len = strlen(bv);
                                bv[len] = output_raw;
                                bv[len+1] = '\0';
+                       } else {
+                               atoascii(value, MAXVALLEN,
+                                        bv, sizeof(bv));
                        }
                        output(fp, bn, bv);
                }