[Sec 2668] buffer overflow in ctl_putdata()

bk: 548acdf3tUSFizXcv_X4b77Jt_Y-cg

diff --git a/ChangeLog b/ChangeLog
index 4ae917c14d796de2150d80185af37b20e9227d0e..8896aa0d16c3f6f9d0901395285ae39bb9ad5fc0 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,5 @@
 * [Sec 2667] buffer overflow in crypto_recv().
+* [Sec 2668] buffer overflow in ctl_putdata().
 * [Bug 2686] refclock_gpsdjson needs strtoll(), which is not always present.
 (4.2.7p484-RC) 2014/12/11 Released by Harlan Stenn <stenn@ntp.org>
 (4.2.7p483) 2014/12/08 Released by Harlan Stenn <stenn@ntp.org>

diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c
index 266978e4af691c005acc19cde703fdf3ace7331a..a5c4091aad6d9134e29ceb19fddcf620a1b2603d 100644 (file)
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -801,6 +801,10 @@ static u_char      res_async;      /* sending async trap response? */
 static char *reqpt;
 static char *reqend;
 
+#ifndef MIN
+#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
+#endif
+
 /*
  * init_control - initialize request data
  */
@@ -1316,6 +1320,7 @@ ctl_putdata(
        )
 {
        int overhead;
+       unsigned int currentlen;
 
        overhead = 0;
        if (!bin) {
@@ -1338,12 +1343,22 @@ ctl_putdata(
        /*
         * Save room for trailing junk
         */
-       if (dlen + overhead + datapt > dataend) {
+       while (dlen + overhead + datapt > dataend) {
                /*
                 * Not enough room in this one, flush it out.
                 */
+               currentlen = MIN(dlen, dataend - datapt);
+
+               memcpy(datapt, dp, currentlen);
+
+               datapt += currentlen;
+               dp += currentlen;
+               dlen -= currentlen;
+               datalinelen += currentlen;
+
                ctl_flushpkt(CTL_MORE);
        }
+
        memcpy(datapt, dp, dlen);
        datapt += dlen;
        datalinelen += dlen;