From: Juergen Perlinger Date: Sun, 12 Feb 2017 12:46:35 +0000 (+0100) Subject: [Sec 3388] NTP-01-014: Buffer Overflow in DPTS Clock X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=436788e622b84ed4d93b55009e5034c672dc1fa2;p=thirdparty%2Fntp.git [Sec 3388] NTP-01-014: Buffer Overflow in DPTS Clock bk: 58a0592bal7oYBqUMCqId4WgiuiOqw --- diff --git a/ChangeLog b/ChangeLog index 595a3d776..acf894caa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +--- +* [Sec 3388] NTP-01-014: Buffer Overflow in DPTS Clock + (Pentest report 01.2017) + --- (4.2.8p9-win) 2017/02/01 Released by Harlan Stenn diff --git a/ntpd/refclock_datum.c b/ntpd/refclock_datum.c index 95f13a8c0..9795cfada 100644 --- a/ntpd/refclock_datum.c +++ b/ntpd/refclock_datum.c @@ -485,7 +485,7 @@ datum_pts_receive( struct recvbuf *rbufp ) { - int i; + int i, nb; l_fp tstmp; struct peer *p; struct datum_pts_unit *datum_pts; @@ -526,22 +526,23 @@ datum_pts_receive( ** received to reduce the jitter. */ - if (datum_pts->nbytes == 0) { + nb = datum_pts->nbytes; + if (nb == 0) { datum_pts->lastrec = rbufp->recv_time; } /* ** Increment our count to the number of bytes received so far. Return if we ** haven't gotten all seven bytes yet. + ** [Sec 3388] make sure we do not overrun the buffer. + ** TODO: what to do with excessive bytes, if we ever get them? */ - - for (i=0; iretbuf[datum_pts->nbytes+i] = dpt[i]; + for (i=0; (i < dpend) && (nb < sizeof(datum_pts->retbuf)); i++, nb++) { + datum_pts->retbuf[nb] = dpt[i]; } - - datum_pts->nbytes += dpend; - - if (datum_pts->nbytes != 7) { + datum_pts->nbytes = nb; + + if (nb < 7) { return; }
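Review bot: The new copy loop in datum_pts_receive is bounded by `sizeof(datum_pts->retbuf)` while the completeness test below it uses the literal 7, so the two limits agree only if retbuf is exactly seven bytes, and its declaration is outside this hunk. If the buffer is larger, `if (nb < 7)` lets processing continue with extra bytes stored, and in either case input beyond the limit is dropped silently, which is the case the TODO leaves open. I would tie both checks to one named frame-length constant and make the discard visible with a check after the loop such as `if (i < dpend) { /* excess input dropped: log or raise a clock event */ }`, so a misframed or malformed serial feed shows up in monitoring. `nb` is also a signed `int` compared against a `size_t`; declaring it `size_t`, or writing `nb < (int)sizeof(datum_pts->retbuf)`, avoids the implicit conversion and a sign-compare warning. The function body starts and ends outside the hunk, so I could not check that nbytes is reset after a complete frame.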