[Sec 3386] NTP-01-011: ntpq_stripquotes() returns incorrect Value
authorJuergen Perlinger <perlinger@ntp.org>
Sun, 12 Feb 2017 11:35:04 +0000 (12:35 +0100)
committerJuergen Perlinger <perlinger@ntp.org>
Sun, 12 Feb 2017 11:35:04 +0000 (12:35 +0100)
bk: 58a04868cNA4vy24WAI8cH1sK8y9og

ChangeLog
ntpq/libntpq.c

index 595a3d77629ef0c056a6c4fb26f723863cf7d42e..849f371c97ba86533a849036fc488b32770af010 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+---
+* [Sec 3386] NTP-01-011: ntpq_stripquotes() returns incorrect Value
+  (Pentest report 01.2017) <perlinger@ntp.org>
+
 ---
 (4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org>
 
index 3070e47b53c7f6731c9085c6464e6f4c54e8a184..e7f02668a9ca9c98c4e47f6bf51e33549a4539b9 100644 (file)
@@ -57,41 +57,44 @@ struct ntpq_varlist ntpq_varlist[MAXLIST];
 
 int ntpq_stripquotes ( char *resultbuf, char *srcbuf, int datalen, int maxlen )
 {
-       char* tmpbuf = srcbuf;
-
-       while ( *tmpbuf != 0 )
-       {
-               if ( *tmpbuf == '\"' )
-               {
-                       tmpbuf++;
-                       continue;
-               }
-               
-               if ( *tmpbuf == '\\' )
-               {
-                       tmpbuf++;
-                       switch ( *tmpbuf )
-                       {
-                               /* ignore if end of string */
-                               case 0:
-                                       continue;
+       char* dst = resultbuf;
+       char* dep = resultbuf + maxlen - 1;
+       char* src = srcbuf;
+       char* sep = srcbuf + (datalen >= 0 ? datalen : 0); 
+       int   esc = 0;
+       int   ch;
+       
+       if (maxlen <= 0)
+               return 0;
+       
+       while ((dst != dep) && (src != sep) && (ch = (u_char)*src++) != 0) {
+               if (esc) {
+                       esc = 0;
+                       switch (ch) {
                                /* skip and do not copy */
-                               case '\"': /* quotes */
-                               case 'n': /*newline*/
-                               case 'r': /*carriage return*/
-                               case 'g': /*bell*/
-                               case 't': /*tab*/
-                                       tmpbuf++;
-                                       continue;
+                               /* case '"':*/ /* quotes */
+                       case 'n': /*newline*/
+                       case 'r': /*carriage return*/
+                       case 'g': /*bell*/
+                       case 't': /*tab*/
+                               continue;
+                       default:
+                               break;
                        }
-               } 
-
-               *resultbuf++ = *tmpbuf++;
-               
+               } else {
+                       switch (ch) {
+                       case '\\':
+                               esc = 1;
+                       case '"':
+                               continue;
+                       default:
+                               break;
+                       }
+               }
+               *dst++ = (char)ch;
        }
-       
-       *resultbuf = 0;
-       return strlen(resultbuf);
+       *dst = '\0';
+       return (int)(dst - resultbuf);
 }
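Review bot: In the non-escape `switch (ch)`, `case '\\': esc = 1;` falls through into `case '"': continue;` with no marker, so the fact that the backslash itself is deliberately not copied rests on an unannotated fallthrough that -Wimplicit-fallthrough will flag and a later edit could break by inserting a `break`. Add `/* FALLTHROUGH: the backslash itself is never copied */` between `esc = 1;` and `case '"':`. The commented-out `/* case '"':*/` in the escape switch reads as leftover code rather than a decision; since an escaped `\"` now reaches `default` and is stored as a literal `"` while an unescaped quote is dropped, presumably intentionally, replace the dead line with a comment stating that. A short header comment on `ntpq_stripquotes` would also help callers that now depend on the return value: it stores at most `maxlen - 1` bytes plus the terminator, examines at most `datalen` bytes of `srcbuf` and also stops at the first NUL, and returns the number of bytes stored.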