[Sec 3505] CVE-2018-12327 - Arbitrary Code Execution Vulnerability
authorJuergen Perlinger <perlinger@ntp.org>
Tue, 3 Jul 2018 16:46:27 +0000 (18:46 +0200)
committerJuergen Perlinger <perlinger@ntp.org>
Tue, 3 Jul 2018 16:46:27 +0000 (18:46 +0200)
bk: 5b3ba863G-42Ac2TFzCy-PZ8vqNfVA

ChangeLog
ntpdc/ntpdc.c
ntpq/ntpq.c

index 25bb8f0822355b0e64e235d115a29c650e2d4bd4..cbc6942bbbee508095cbc6ec610e5885266f839d 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 ---
 
+* [Sec 3505] CVE-2018-12327 - Arbitrary Code Execution Vulnerability
+  - fixed stack buffer overflow in NTPQ/NTPDC <perlinger@ntp.org>
 * [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
   - applied patch by Gerry Garvey
 * [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
index af3694d46376373bfcf3e544eb21af0d44ecb1d3..c54596e32f9476a06007cf16cf35f96c5545edfa 100644 (file)
@@ -404,31 +404,28 @@ openhost(
        )
 {
        char temphost[LENHOSTNAME];
-       int a_info, i;
+       int a_info;
        struct addrinfo hints, *ai = NULL;
        sockaddr_u addr;
        size_t octets;
-       register const char *cp;
+       const char *cp;
        char name[LENHOSTNAME];
        char service[5];
 
        /*
         * We need to get by the [] if they were entered 
         */
-       
-       cp = hname;
-       
-       if (*cp == '[') {
-               cp++;   
-               for (i = 0; *cp && *cp != ']'; cp++, i++)
-                       name[i] = *cp;
-               if (*cp == ']') {
-                       name[i] = '\0';
-                       hname = name;
-               } else {
+       if (*hname == '[') {
+               cp = strchr(hname + 1, ']');
+               if (!cp || (octets = (size_t)(cp - hname) - 1) >= sizeof(name)) {
+                       errno = EINVAL;
+                       warning("%s", "bad hostname/address");
                        return 0;
                }
-       }       
+               memcpy(name, hname + 1, octets);
+               name[octets] = '\0';
+               hname = name;
+       }
 
        /*
         * First try to resolve it as an ip address and if that fails,
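Review bot: Text after the closing `]` is silently dropped by the new bracket handling, so an argument such as `[addr]junk` is treated exactly like `[addr]`, and `[]` produces an empty `name` that is passed on to the resolver code below. The identical block in the ntpq/ntpq.c hunk behaves the same way. If no caller relies on a suffix after the bracket (that cannot be confirmed from this hunk), the rejection test could be tightened to `if (!cp || cp[1] != '\0' || (octets = (size_t)(cp - hname) - 1) >= sizeof(name)) {`, so malformed input is refused at the same place as over-long input. openhost() begins before and continues after this hunk, so how `hname` is used further down is not visible here.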
index bda9b560294218c27ede82ad92c10dbd555a4082..4b9210392766be93d571b56755b5a5da2b86e8f2 100644 (file)
@@ -654,29 +654,26 @@ openhost(
 {
        const char svc[] = "ntp";
        char temphost[LENHOSTNAME];
-       int a_info, i;
+       int a_info;
        struct addrinfo hints, *ai;
        sockaddr_u addr;
        size_t octets;
-       register const char *cp;
+       const char *cp;
        char name[LENHOSTNAME];
 
        /*
         * We need to get by the [] if they were entered
         */
-
-       cp = hname;
-
-       if (*cp == '[') {
-               cp++;
-               for (i = 0; *cp && *cp != ']'; cp++, i++)
-                       name[i] = *cp;
-               if (*cp == ']') {
-                       name[i] = '\0';
-                       hname = name;
-               } else {
+       if (*hname == '[') {
+               cp = strchr(hname + 1, ']');
+               if (!cp || (octets = (size_t)(cp - hname) - 1) >= sizeof(name)) {
+                       errno = EINVAL;
+                       warning("%s", "bad hostname/address");
                        return 0;
                }
+               memcpy(name, hname + 1, octets);
+               name[octets] = '\0';
+               hname = name;
        }
 
        /*
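Review bot: The bracket-stripping block added here is a line-for-line copy of the one added to ntpdc/ntpdc.c, and the removed unbounded loop was duplicated in the same way, so any later correction has to be made in both files. Moving it into one shared helper used by both tools would remove that risk. The length test also assigns `octets` inside the `if` condition, which makes the bound easy to misread. Computing it on its own line and adding a comment such as `/* octets = bytes between '[' and ']'; must stay below sizeof(name) so the NUL fits */` would make the invariant explicit in both copies. openhost() continues past the end of this hunk.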