From: Juergen Perlinger
Date: Sun, 12 Feb 2017 11:35:04 +0000 (+0100)
Subject: [Sec 3386] NTP-01-011: ntpq_stripquotes() returns incorrect Value
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=10cb6ef1605ac7ecf6d670cb720c97cf10a50fe2;p=thirdparty%2Fntp.git
[Sec 3386] NTP-01-011: ntpq_stripquotes() returns incorrect Value
bk: 58a04868cNA4vy24WAI8cH1sK8y9og
---
diff --git a/ChangeLog b/ChangeLog
index 595a3d776..849f371c9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+---
+* [Sec 3386] NTP-01-011: ntpq_stripquotes() returns incorrect Value
+ (Pentest report 01.2017)
+
 ---
 (4.2.8p9-win) 2017/02/01 Released by Harlan Stenn
diff --git a/ntpq/libntpq.c b/ntpq/libntpq.c
index 3070e47b5..e7f02668a 100644
--- a/ntpq/libntpq.c
+++ b/ntpq/libntpq.c
@@ -57,41 +57,44 @@ struct ntpq_varlist ntpq_varlist[MAXLIST];
 int ntpq_stripquotes ( char *resultbuf, char *srcbuf, int datalen, int maxlen )
 {
- char* tmpbuf = srcbuf;
-
- while ( *tmpbuf != 0 )
- {
- if ( *tmpbuf == '\"' )
- {
- tmpbuf++;
- continue;
- }
-
- if ( *tmpbuf == '\\' )
- {
- tmpbuf++;
- switch ( *tmpbuf )
- {
- /* ignore if end of string */
- case 0:
- continue;
+ char* dst = resultbuf;
+ char* dep = resultbuf + maxlen - 1;
+ char* src = srcbuf;
+ char* sep = srcbuf + (datalen >= 0 ? datalen : 0);
+ int esc = 0;
+ int ch;
+
+ if (maxlen <= 0)
+ return 0;
+
+ while ((dst != dep) && (src != sep) && (ch = (u_char)*src++) != 0) {
+ if (esc) {
+ esc = 0;
+ switch (ch) {
 /* skip and do not copy */
- case '\"': /* quotes */
- case 'n': /*newline*/
- case 'r': /*carriage return*/
- case 'g': /*bell*/
- case 't': /*tab*/
- tmpbuf++;
- continue;
+ /* case '"':*/ /* quotes */
+ case 'n': /*newline*/
+ case 'r': /*carriage return*/
+ case 'g': /*bell*/
+ case 't': /*tab*/
+ continue;
+ default:
+ break;
 }
- }
-
- *resultbuf++ = *tmpbuf++;
-
+ } else {
+ switch (ch) {
+ case '\\':
+ esc = 1;
+ case '"':
+ continue;
+ default:
+ break;
+ }
+ }
+ *dst++ = (char)ch;
 }
-
- *resultbuf = 0;
- return strlen(resultbuf);
+ *dst = '\0';
+ return (int)(dst - resultbuf);
 }
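Review bot: `dep` is initialised to `resultbuf + maxlen - 1` in the declarations, before the `if (maxlen <= 0) return 0;` guard, so for a zero or negative `maxlen` a pointer below the start of the destination buffer is formed, which is undefined behaviour even though it is never dereferenced. Declaring `char* dep;` and assigning `dep = resultbuf + maxlen - 1;` after the guard keeps the bound arithmetic on validated input only. In the non-escape switch, `case '\\':` falls through into `case '"':` on purpose, and a `/* FALLTHROUGH */` comment after `esc = 1;` would stop it being read as a missing `break`. The loop also stops silently once `dst` reaches `dep`, so a short header comment saying that the return value is the number of bytes written to `resultbuf`, which may be a truncated result, would help callers that rely on the length.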