From: Juergen Perlinger
Date: Sat, 11 Feb 2017 18:30:47 +0000 (+0100)
Subject: [Sec 3377] NTP-01-002 Buffer Overflow in ntpq when fetching reslist
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=099a2f29b54f4ef9afdf6c404d585d03eabc1ae5;p=thirdparty%2Fntp.git
[Sec 3377] NTP-01-002 Buffer Overflow in ntpq when fetching reslist
bk: 589f58574daOkdmCkyXNpBeidQfotw
---
diff --git a/ChangeLog b/ChangeLog
index 595a3d776..8fe0e4960 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+---
+* [Sec 3377] NTP-01-002 Buffer Overflow in ntpq when fetching reslist
+ (Pentest report 01.2017)
diff --git a/ntpq/ntpq-subs.c b/ntpq/ntpq-subs.c
index 35caee223..08f9d426a 100644
--- a/ntpq/ntpq-subs.c
+++ b/ntpq/ntpq-subs.c
@@ -3614,11 +3614,13 @@ reslist(
 if (NULL == val) {
 row.flagstr[0] = '\0';
 comprende = TRUE;
- } else {
- len = strlen(val);
+ } else if ((len = strlen(val)) < sizeof(row.flagstr)) {
 memcpy(row.flagstr, val, len);
 row.flagstr[len] = '\0';
 comprende = TRUE;
+ } else {
+ /* no flags, and still !comprende */
+ row.flagstr[0] = '\0';
 }
 }
 break;
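Review bot: The length check in the new `else if` assigns `strlen(val)` to `len` inside the condition, so the comparison against `sizeof(row.flagstr)` is made on whatever type `len` was declared with, and that declaration is outside the hunk. If `len` turns out to be signed or narrower than `size_t`, it would be safer to compare the `size_t` directly and assign afterwards, e.g. `} else if (strlen(val) < sizeof(row.flagstr)) {` followed by `len = strlen(val);`. The comment in the final `else` would also help more if it gave the reason, for example `/* flags value too long for row.flagstr: drop it, comprende stays unset */`. The enclosing function `reslist` starts and ends outside the hunk, so whether other fixed-size members of `row` are filled with the same unbounded `strlen`/`memcpy` pattern cannot be confirmed from here and is worth checking.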