[Sec 3380] NTP-01-005: Off-by-one in Oncore GPS Receiver

author Juergen Perlinger <perlinger@ntp.org>

Sun, 12 Feb 2017 17:15:23 +0000 (18:15 +0100)

committer Juergen Perlinger <perlinger@ntp.org>

Sun, 12 Feb 2017 17:15:23 +0000 (18:15 +0100)
author Juergen Perlinger <perlinger@ntp.org>
Sun, 12 Feb 2017 17:15:23 +0000 (18:15 +0100)
committer Juergen Perlinger <perlinger@ntp.org>
Sun, 12 Feb 2017 17:15:23 +0000 (18:15 +0100)
diff --git a/ChangeLog b/ChangeLog

index 595a3d77629ef0c056a6c4fb26f723863cf7d42e..df5e19d408de2dfa78c453af5263c1633130d1f5 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+---
+* [Sec 3380] NTP-01-005: Off-by-one in Oncore GPS Receiver
+  (Pentest report 01.2017) <perlinger@ntp.org>
+
  ---
  (4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org>
  
diff --git a/ntpd/refclock_oncore.c b/ntpd/refclock_oncore.c

index 30924b8bbc2dc5a637d90b92b6ac7b0c2d302acb..ebd30d6c081898c79bd9031833d273a268332c3c 100644 (file)
--- a/ntpd/refclock_oncore.c
+++ b/ntpd/refclock_oncore.c
@@ -1461,7 +1461,7 @@ oncore_receive(
  #endif
  
         i = rbufp->recv_length;
-       if (rcvbuf+rcvptr+i > &rcvbuf[sizeof rcvbuf])
+       if ((size_t)rcvptr + i >= sizeof(rcvbuf))
                 i = sizeof(rcvbuf) - rcvptr;    /* and some char will be lost */
         memcpy(rcvbuf+rcvptr, p, i);
         rcvptr += i;
author	Juergen Perlinger <perlinger@ntp.org>
	Sun, 12 Feb 2017 17:15:23 +0000 (18:15 +0100)
committer	Juergen Perlinger <perlinger@ntp.org>
	Sun, 12 Feb 2017 17:15:23 +0000 (18:15 +0100)
ChangeLog		patch \| blob \| blame \| history
ntpd/refclock_oncore.c		patch \| blob \| blame \| history