+---
+* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
+ - Fixed these and some more locations of this pattern.
+ Probably din't get them all, though. <perlinger@ntp.org>
+
---
(4.2.8p8) 2016/06/02 Released by Harlan Stenn <stenn@ntp.org>
colonp = tp;
continue;
}
- if (tp + NS_INT16SZ > endp)
+ if (NS_INT16SZ > endp - tp)
return (0);
*tp++ = (unsigned char) (val >> 8) & 0xff;
*tp++ = (unsigned char) val & 0xff;
val = 0;
continue;
}
- if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
+ if (ch == '.' && (NS_INADDRSZ <= endp - tp) &&
inet_pton4(curtok, tp) > 0) {
tp += NS_INADDRSZ;
seen_xdigits = 0;
return (0);
}
if (seen_xdigits) {
- if (tp + NS_INT16SZ > endp)
+ if (NS_INT16SZ > endp - tp)
return (0);
*tp++ = (unsigned char) (val >> 8) & 0xff;
*tp++ = (unsigned char) val & 0xff;
for (b = 0; b < tab_ct; b++) {
if (tab[b].code & bits) {
- rc = snprintf(pch, (lim - pch), "%s%s", sep,
+ size_t avail = lim - pch;
+ rc = snprintf(pch, avail, "%s%s", sep,
tab[b].string);
- if (rc < 0)
- goto toosmall;
- pch += (u_int)rc;
- if (pch >= lim)
+ if ((size_t)rc >= avail)
goto toosmall;
+ pch += rc;
sep = sep2;
}
}
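Review bot: The explicit `if (rc < 0) goto toosmall;` was dropped, and the negative-return case of snprintf (encoding error) is now caught only implicitly: on the `(size_t)rc >= avail` line a negative `rc` converts to a very large size_t and so trips the test. That is correct, but nothing says so, and a later reader is likely to either reinstate the check or "fix" the cast; add `/* rc < 0 (snprintf error) converts to a huge size_t and is rejected here too */` above the comparison. The `pch += rc` after the check is fine since `rc < avail` at that point. The declarations of `rc`, `pch`, `lim` and the `toosmall` label, and the start of the enclosing function, are outside the hunk, so I am assuming `rc` is an `int` as snprintf's return implies.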
cq = numtoa(addr32);
else
cq = stoa(addr);
- INSIST((cp - buffer) < (int)sizeof(buffer));
+ INSIST((size_t)(cp - buffer) < sizeof(buffer));
snprintf(cp, sizeof(buffer) - (cp - buffer), "%s", cq);
cp += strlen(cp);
ctl_putdata(buffer, (unsigned)(cp - buffer), 0);
buffp = buf;
buffend = buf + sizeof(buf);
- if (buffp + strlen(sys_var[CS_VARLIST].text) + 4 > buffend)
+ if (strlen(sys_var[CS_VARLIST].text) + 4 > buffend - buffp)
break; /* really long var name */
snprintf(buffp, sizeof(buf), "%s=\"",sys_var[CS_VARLIST].text);
if (k->flags & PADDING)
continue;
len = strlen(k->text);
- if (buffp + len + 1 >= buffend)
+ if (len + 1 >= buffend - buffp)
break;
if (!firstVarName)
*buffp++ = ',';
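Review bot: The new check `len + 1 >= buffend - buffp` compares `len + 1` with a `ptrdiff_t`; if `len` is a `size_t` (its declaration is outside the hunk), the signed difference is converted to unsigned, so a negative difference (buffp past buffend) would become huge and pass the check rather than break. It is safe today only because the preceding checks in this function keep `buffp` at or below `buffend`; make that reliance explicit, e.g. `if (len + 1 >= (size_t)(buffend - buffp))`, or add a one-line comment noting the invariant, which also silences -Wsign-compare. The same pattern recurs in the later `len + 1 >= buffend - buffp` and `2 >= buffend - buffp` checks of this function, whose start and end lie outside the hunk.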
len = strlen(k->text);
else
len = ss1 - k->text;
- if (buffp + len + 1 >= buffend)
+ if (len + 1 >= buffend - buffp)
break;
if (firstVarName) {
*buffp++ = ',';
memcpy(buffp, k->text,(unsigned)len);
buffp += len;
}
- if (buffp + 2 >= buffend)
+ if (2 >= buffend - buffp)
break;
*buffp++ = '"';
{
#ifdef OPEN_BCAST_SOCKET
struct interface * interf;
- int nif;
+ unsigned int nif;
nif = 0;
set_reuseaddr(1);
}
}
set_reuseaddr(0);
- if (nif > 0) {
+ if (nif != 0) {
broadcast_client_enabled = ISC_TRUE;
DPRINTF(1, ("io_setbclient: listening to %d broadcast addresses\n", nif));
- }
- else if (!nif) {
+ } else {
broadcast_client_enabled = ISC_FALSE;
msyslog(LOG_ERR,
"Unable to listen for broadcasts, no broadcast interfaces available");
if (sreset[i].flag == 0) {
fprintf(fp, "Flag %s unknown\n",
pcmd->argval[res].string);
- err++;
+ err = 1;
} else {
rflags.flags |= sreset[i].flag;
}
* with. sntp is a 1-shot program, so snooping for
* timing attacks is Harder.
*/
- authentic = !memcmp(digest, pkt_data + pkt_size + 4,
- hash_len);
+ authentic = !memcmp(digest, (const char*)pkt_data + pkt_size + 4,
+ hash_len);
}
return authentic;
}
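Review bot: The new line still compares the received MAC with plain `memcmp`, which exits early on the first differing byte; the comment above only argues that sntp being one-shot makes timing attacks "Harder", it does not remove the data-dependent timing. Since this line is being touched anyway, switch to a constant-time comparison (a loop that ORs together `digest[i] ^ pkt[i]` over `hash_len` with no early exit, or a project helper for that purpose if one is already available to sntp), and shorten the comment to state that the compare is constant time. The cast to `const char *` is fine; note that `pkt_data + pkt_size + 4 + hash_len` must already have been bounds-checked against the received length by the caller, which is not visible in this hunk. The enclosing function starts outside the hunk.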