[Sec 3388] NTP-01-014: Buffer Overflow in DPTS Clock
authorJuergen Perlinger <perlinger@ntp.org>
Sun, 12 Feb 2017 12:46:35 +0000 (13:46 +0100)
committerJuergen Perlinger <perlinger@ntp.org>
Sun, 12 Feb 2017 12:46:35 +0000 (13:46 +0100)
bk: 58a0592bal7oYBqUMCqId4WgiuiOqw

ChangeLog
ntpd/refclock_datum.c

index 595a3d77629ef0c056a6c4fb26f723863cf7d42e..acf894caaf3cacf56aa2ce956b49cc3c317e3005 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+---
+* [Sec 3388] NTP-01-014: Buffer Overflow in DPTS Clock
+  (Pentest report 01.2017) <perlinger@ntp.org>
+
 ---
 (4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org>
 
index 95f13a8c0ca111355656322b158913a9aaf4fed1..9795cfadaab284986a215325dddd445b4f5d5cef 100644 (file)
@@ -485,7 +485,7 @@ datum_pts_receive(
        struct recvbuf *rbufp
        )
 {
-       int i;
+       int i, nb;
        l_fp tstmp;
        struct peer *p;
        struct datum_pts_unit *datum_pts;
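Review bot: The new `nb` on the `int i, nb;` line is a signed counter, yet the bound it is about to be checked against in the next hunk, `sizeof(datum_pts->retbuf)`, is a `size_t`, so the overrun guard is a signed/unsigned comparison that compilers flag under `-Wsign-compare` and whose safety rests on `nb` never going negative. From what is visible that holds (the value starts at `datum_pts->nbytes` and only increments), and a negative value would in fact be promoted to a huge unsigned and make the guard false rather than overrun, but the intent is clearer and the warning gone if the running count is declared unsigned: `int i; size_t nb;`. The type of the `nbytes` field is not visible here, so the assignments back to it may need a cast if it is `int`; worth confirming against the struct definition. The body of datum_pts_receive continues beyond this hunk.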
@@ -526,22 +526,23 @@ datum_pts_receive(
        ** received to reduce the jitter.
        */
 
-       if (datum_pts->nbytes == 0) {
+       nb = datum_pts->nbytes;
+       if (nb == 0) {
                datum_pts->lastrec = rbufp->recv_time;
        }
 
        /*
        ** Increment our count to the number of bytes received so far. Return if we
        ** haven't gotten all seven bytes yet.
+       ** [Sec 3388] make sure we do not overrun the buffer.
+       ** TODO: what to do with excessive bytes, if we ever get them?
        */
-
-       for (i=0; i<dpend; i++) {
-               datum_pts->retbuf[datum_pts->nbytes+i] = dpt[i];
+       for (i=0; (i < dpend) && (nb < sizeof(datum_pts->retbuf)); i++, nb++) {
+               datum_pts->retbuf[nb] = dpt[i];
        }
-
-       datum_pts->nbytes += dpend;
-
-       if (datum_pts->nbytes != 7) {
+       datum_pts->nbytes = nb;
+       
+       if (nb < 7) {
                return;
        }