From: Harlan Stenn <stenn@ntp.org>
Date: Fri, 12 Dec 2014 11:19:49 +0000 (+0000)
Subject: [Sec 2669] buffer overflow in configure()
X-Git-Tag: NTP_4_2_8~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5573cc78c48abdc49eb7e122ad2a56c887d1d570;p=thirdparty%2Fntp.git

[Sec 2669] buffer overflow in configure()

bk: 548acf55dxKfhb6MuYQwzu8eDlS97g
---

diff --git a/ChangeLog b/ChangeLog
index 8896aa0d1..327208d66 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
 * [Sec 2667] buffer overflow in crypto_recv().
 * [Sec 2668] buffer overflow in ctl_putdata().
+* [Sec 2669] buffer overflow in configure().
 * [Bug 2686] refclock_gpsdjson needs strtoll(), which is not always present.
 (4.2.7p484-RC) 2014/12/11 Released by Harlan Stenn <stenn@ntp.org>
 (4.2.7p483) 2014/12/08 Released by Harlan Stenn <stenn@ntp.org>
diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c
index a5c4091aa..f5f326ca4 100644
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -3290,6 +3290,20 @@ static void configure(
 
 	/* Initialize the remote config buffer */
 	data_count = reqend - reqpt;
+
+	if (data_count > sizeof(remote_config.buffer) - 2) {
+		snprintf(remote_config.err_msg,
+			 sizeof(remote_config.err_msg),
+			 "runtime configuration failed: request too long");
+		ctl_putdata(remote_config.err_msg,
+			    strlen(remote_config.err_msg), 0);
+		ctl_flushpkt(0);
+		msyslog(LOG_NOTICE,
+			"runtime config from %s rejected: request too long",
+			stoa(&rbufp->recv_srcadr));
+		return;
+	}
+
 	memcpy(remote_config.buffer, reqpt, data_count);
 	if (data_count > 0
 	    && '\n' != remote_config.buffer[data_count - 1])