[Sec 2669] buffer overflow in configure()

bk: 548acf55dxKfhb6MuYQwzu8eDlS97g

diff --git a/ChangeLog b/ChangeLog
index 8896aa0d16c3f6f9d0901395285ae39bb9ad5fc0..327208d66fde6993a5354535bb0ee2673d6232ec 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
 * [Sec 2667] buffer overflow in crypto_recv().
 * [Sec 2668] buffer overflow in ctl_putdata().
+* [Sec 2669] buffer overflow in configure().
 * [Bug 2686] refclock_gpsdjson needs strtoll(), which is not always present.
 (4.2.7p484-RC) 2014/12/11 Released by Harlan Stenn <stenn@ntp.org>
 (4.2.7p483) 2014/12/08 Released by Harlan Stenn <stenn@ntp.org>

diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c
index a5c4091aad6d9134e29ceb19fddcf620a1b2603d..f5f326ca48113f24a5a03f5e3ff0bc1644081e25 100644 (file)
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -3290,6 +3290,20 @@ static void configure(
 
        /* Initialize the remote config buffer */
        data_count = reqend - reqpt;
+
+       if (data_count > sizeof(remote_config.buffer) - 2) {
+               snprintf(remote_config.err_msg,
+                        sizeof(remote_config.err_msg),
+                        "runtime configuration failed: request too long");
+               ctl_putdata(remote_config.err_msg,
+                           strlen(remote_config.err_msg), 0);
+               ctl_flushpkt(0);
+               msyslog(LOG_NOTICE,
+                       "runtime config from %s rejected: request too long",
+                       stoa(&rbufp->recv_srcadr));
+               return;
+       }
+
        memcpy(remote_config.buffer, reqpt, data_count);
        if (data_count > 0
            && '\n' != remote_config.buffer[data_count - 1])