From: Harlan Stenn
Date: Fri, 14 Nov 2014 09:19:09 +0000 (+0000)
Subject: [Sec 2630] buffer overrun in ntpq tokenize()
X-Git-Tag: NTP_4_2_7P478~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1bda44969ceb4b538e9e54e3c32d7079781f31fc;p=thirdparty%2Fntp.git
[Sec 2630] buffer overrun in ntpq tokenize()
bk: 5465c90dVRkNdoFoI_Qy5njl2AgDTg
---
diff --git a/ChangeLog b/ChangeLog
index 26aa3f517..766a365fa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,4 @@
+* [Sec 2630] buffer overrun in ntpq tokenize().
 * [Bug 2661] ntpq crashes with mreadvar.
 (4.2.7p477) 2014/11/13 Released by Harlan Stenn
 * [Bug 2657] Document that "restrict nopeer" intereferes with "pool".
diff --git a/ntpq/ntpq.c b/ntpq/ntpq.c
index 33cdd4442..2ffdfc7be 100644
--- a/ntpq/ntpq.c
+++ b/ntpq/ntpq.c
@@ -1575,6 +1575,8 @@ tokenize(
 	if (*ntok == 1 && tokens[0][0] == ':') {
 		do {
+			if (sp - tspace >= MAXLINE)
+				goto toobig;
 			*sp++ = *cp++;
 		} while (!ISEOL(*cp));
 	}
@@ -1585,19 +1587,33 @@ tokenize(
 	else if (*cp == '\"') {
 		++cp;
 		do {
+			if (sp - tspace >= MAXLINE)
+				goto toobig;
 			*sp++ = *cp++;
 		} while ((*cp != '\"') && !ISEOL(*cp));
 		/* HMS: a missing closing " should be an error */
 	}
 	else {
 		do {
+			if (sp - tspace >= MAXLINE)
+				goto toobig;
 			*sp++ = *cp++;
 		} while ((*cp != '\"') && !ISSPACE(*cp) && !ISEOL(*cp));
 		/* HMS: Why check for a " in the previous line? */
 	}
+	if (sp - tspace >= MAXLINE)
+		goto toobig;
 	*sp++ = '\0';
 }
+	return;
+
+  toobig:
+	*ntok = 0;
+	fprintf(stderr,
+		"***Line `%s' is too big\n",
+		line);
+	return;
 }
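Review bot: The guard `if (sp - tspace >= MAXLINE) goto toobig;` is pasted four times — three in this hunk and once more in the `:`-token loop of the previous hunk of ntpq.c — so the bound and the four copy sites can drift apart on the next edit; a single `static inline int tspace_full(const char *sp)` (or a `#define` placed right above tokenize()) evaluated at each site keeps one source of truth. The bound itself looks right only if tspace is declared as `char tspace[MAXLINE]`, which is above the hunk and not visible here, so that assumption should be confirmed or stated in a comment at the declaration. The `toobig:` path also deserves a comment, because `*ntok = 0` makes an oversized line indistinguishable from a blank one to callers (inferred; no caller is in the hunk): `/* Output would not fit in tspace: discard every token and report. Callers see *ntok == 0, exactly as for an empty line. */`. tokenize()'s signature and local declarations begin before this hunk.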