From: Juergen Perlinger
Date: Sat, 21 Apr 2018 09:48:47 +0000 (+0200)
Subject: [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags()
X-Git-Tag: NTP_4_2_8P12~16^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=083a5e07d8552eceb23c738076f301ecdc3cf963;p=thirdparty%2Fntp.git

[Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags()

bk: 5adb08fffC7cgRsFHaBRCv6iQnEpVA
---

diff --git a/ChangeLog b/ChangeLog
index 8651807fb..8ef7b262e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 ---
 
+* [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags()
+ - applied patch by Gerry Garvey
 * [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c
 - applied patch by Gerry Garvey
 * [Bug 3484] ntpq response from ntpd is incorrect when REFID is null
diff --git a/ntpq/ntpq.c b/ntpq/ntpq.c
index 9ffe8267f..bda9b5602 100644
--- a/ntpq/ntpq.c
+++ b/ntpq/ntpq.c
@@ -3370,44 +3370,61 @@ tstflags(
 u_long val
 )
 {
- register char *cp, *s;
- size_t cb;
- register int i;
- register const char *sep;
+# if CBLEN < 10
+# error BLEN is too small -- increase!
+# endif
+
+ char *cp, *s;
+ size_t cb, i;
+ int l;
 
- sep = "";
 s = cp = circ_buf[nextcb];
 if (++nextcb >= NUMCB)
 nextcb = 0;
 cb = sizeof(circ_buf[0]);
 
- snprintf(cp, cb, "%02lx", val);
- cp += strlen(cp);
- cb -= strlen(cp);
+ l = snprintf(cp, cb, "%02lx", val);
+ if (l < 0 || (size_t)l >= cb)
+ goto fail;
+ cp += l;
+ cb -= l;
 if (!val) {
- strlcat(cp, " ok", cb);
- cp += strlen(cp);
- cb -= strlen(cp);
+ l = strlcat(cp, " ok", cb);
+ if ((size_t)l >= cb)
+ goto fail;
+ cp += l;
+ cb -= l;
 } else {
- if (cb) {
- *cp++ = ' ';
- cb--;
- }
- for (i = 0; i < (int)COUNTOF(tstflagnames); i++) {
+ const char *sep;
+
+ sep = " ";
+ for (i = 0; i < COUNTOF(tstflagnames); i++) {
 if (val & 0x1) {
- snprintf(cp, cb, "%s%s", sep,
- tstflagnames[i]);
+ l = snprintf(cp, cb, "%s%s", sep,
+ tstflagnames[i]);
+ if (l < 0)
+ goto fail;
+ if ((size_t)l >= cb) {
+ cp += cb - 4;
+ cb = 4;
+ l = strlcpy (cp, "...", cb);
+ cp += l;
+ cb -= l;
+ break;
+ }
 sep = ", ";
- cp += strlen(cp);
- cb -= strlen(cp);
+ cp += l;
+ cb -= l;
 }
 val >>= 1;
 }
 }
- if (cb)
- *cp = '\0';
 
 return s;
+
+ fail:
+ *cp = '\0';
+ return s;
 }
 
 /*
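Review bot: In the truncation branch inside the flag loop, `cp += cb - 4;` is evaluated in `size_t`, so when fewer than four bytes remain (`cb` between 1 and 3 after earlier names were appended) the subtraction wraps to a huge value and the pointer addition is formally out of bounds, even if it usually lands on the intended address. Computing the ellipsis position from the start of the slot avoids the wrap: `cp = s + sizeof(circ_buf[0]) - 4;`, which the `CBLEN < 10` guard presumably keeps inside the buffer and clear of the hex prefix. `l` is an `int` but also receives the `size_t` results of `strlcat` and `strlcpy`; a separate `size_t` local for those two calls would remove the implicit narrowing. The `#error` text names `BLEN` while the macro tested is `CBLEN`. The function's return type and the declarations of `circ_buf` and `tstflagnames` sit outside the hunk, so the actual buffer and name lengths are not visible here.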