ntp: check value returned by CMSG_FIRSTHDR

In NIO_Linux_RequestTxTimestamp(), check the returned pointer and the
length of the buffer before adding the control message. This fixes an
issue reported by the Clang static analyzer.

diff --git a/ntp_io_linux.c b/ntp_io_linux.c
index 374ac5cf5bd20eaad917c4ee16338148e0777718..f0cf121b15b08d4fb341605011f3ee5acdadf343 100644 (file)
--- a/ntp_io_linux.c
+++ b/ntp_io_linux.c
@@ -856,7 +856,12 @@ NIO_Linux_RequestTxTimestamp(struct msghdr *msg, int cmsglen, int sock_fd)
   /* Add control message that will enable TX timestamping for this message.
      Don't use CMSG_NXTHDR as the one in glibc is buggy for creating new
      control messages. */
-  cmsg = (struct cmsghdr *)((char *)CMSG_FIRSTHDR(msg) + cmsglen);
+
+  cmsg = CMSG_FIRSTHDR(msg);
+  if (!cmsg || cmsglen + CMSG_SPACE(sizeof (ts_tx_flags)) > msg->msg_controllen)
+    return cmsglen;
+
+  cmsg = (struct cmsghdr *)((char *)cmsg + cmsglen);
   memset(cmsg, 0, CMSG_SPACE(sizeof (ts_tx_flags)));
   cmsglen += CMSG_SPACE(sizeof (ts_tx_flags));