[Bug 2999] out-of-bounds access in 'is_safe_filename()'

bk: 56a9be7ad1JGBmfacSMb7cTbPOpr-g

diff --git a/ChangeLog b/ChangeLog
index c70fe8fc563cf0a16def01a652b989e8bc667f06..f642b05bd112d0900c235f47152551de2337563b 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@
 
 * [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
 * [Bug 2995] Fixes to compile on Windows
+* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
 
 ---
 (4.2.8p6) 2016/01/20 Released by Harlan Stenn <stenn@ntp.org>

diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c
index e5a567e789d6db41f8ac4c909e0aac670c8091be..593eea59fbfb7941f4173981db45ded6e8fddc8d 100644 (file)
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -911,18 +911,18 @@ is_safe_filename(const char * name)
        };
 
        u_int widx, bidx, mask;
-       if (!*name)
+       if ( ! (name && *name))
                return FALSE;
        
        mask = 1u;
        while (0 != (widx = (u_char)*name++)) {
                bidx = (widx & 15) << 1;
                widx = widx >> 4;
-               if (widx >= sizeof(chclass))
+               if (widx >= sizeof(chclass)/sizeof(chclass[0]))
                        return FALSE;
                if (0 == ((chclass[widx] >> bidx) & mask))
                        return FALSE;
-               mask |= 2u;
+               mask = 2u;
        }
        return TRUE;
 }