From: Juergen Perlinger <perlinger@ntp.org>
Date: Wed, 30 Sep 2015 18:15:13 +0000 (+0200)
Subject: [TALOS-CAN-0063] avoid buffer overrun in ntpq
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f0d79e914804eae09fc7c20f3bc0289c885bc65;p=thirdparty%2Fntp.git

[TALOS-CAN-0063] avoid buffer overrun in ntpq

bk: 560c26b1C8KIHjmGWF5kXbY_3BUHQA
---

diff --git a/ChangeLog b/ChangeLog
index f2342eb21..31cffecc9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 ---
 * [TALOS-CAN-0052] crash by loop counter underrun. perlinger@ntp.org
 * [TALOS-CAN-0054] memory corruption in password store. perlinger@ntp.org
+* [TALOS-CAN-0063] avoid buffer overrun in ntpq. perlinger@ntp.org
 * [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
 * [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
 * [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
diff --git a/ntpq/ntpq.c b/ntpq/ntpq.c
index 17fe2ea45..c8d5eced8 100644
--- a/ntpq/ntpq.c
+++ b/ntpq/ntpq.c
@@ -3361,12 +3361,17 @@ cookedprint(
 		}
 
 		if (output_raw != 0) {
+			/* TALOS-CAN-0063: avoid buffer overrun */
 			atoascii(name, MAXVARLEN, bn, sizeof(bn));
-			atoascii(value, MAXVALLEN, bv, sizeof(bv));
 			if (output_raw != '*') {
+				atoascii(value, MAXVALLEN,
+					 bv, sizeof(bv) - 1);
 				len = strlen(bv);
 				bv[len] = output_raw;
 				bv[len+1] = '\0';
+			} else {
+				atoascii(value, MAXVALLEN,
+					 bv, sizeof(bv));
 			}
 			output(fp, bn, bv);
 		}