From: Harlan Stenn Date: Tue, 6 Oct 2015 08:51:27 +0000 (+0000) Subject: [Sec 2922] decodenetnum() will ASSERT botch instead of returning FAIL on some bogus... X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=820407ec2673c300156f03c4a4d588c867f6faa5;p=thirdparty%2Fntp.git [Sec 2922] decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values. Harlan Stenn. bk: 56138b8fV64uKWy_5qc_bjZcpHyU7g --- diff --git a/ChangeLog b/ChangeLog index 93d35a7fd..81cf32688 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,8 @@ * [Sec 2020] TALOS-CAN-0064: signed/unsiged clash could lead to buffer overun and memory corruption. perlinger@ntp.org * [Sec 2921] TALOS-CAN-0065: password length memory corruption. JPerlinger. +* [Sec 2922] decodenetnum() will ASSERT botch instead of returning FAIL + on some bogus values. Harlan Stenn. * [Bug 2332] (reopened) Exercise thread cancellation once before dropping privileges and limiting resources in NTPD removes the need to link forcefully against 'libgcc_s' which does not always work. J.Perlinger diff --git a/libntp/decodenetnum.c b/libntp/decodenetnum.c index ebcb2da69..35b908f39 100644 --- a/libntp/decodenetnum.c +++ b/libntp/decodenetnum.c @@ -36,7 +36,10 @@ decodenetnum( char name[80]; REQUIRE(num != NULL); - REQUIRE(strlen(num) < sizeof(name)); + + if (strlen(num) >= sizeof(name)) { + return 0; + } port_str = NULL; if ('[' != num[0]) {
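Review bot: in the ChangeLog hunk, the new [Sec 2922] entry says only "some bogus values", which does not tell a reader which input reached the assertion. The code change in this patch is specific to input strings where strlen(num) >= sizeof(name), with name declared as char name[80], so the entry could name that case, for example "on input strings of 80 or more characters". The entry also describes the old behaviour rather than the fix; wording along the lines of "decodenetnum() now returns FAIL instead of ASSERT botching on ..." would match what the patch does.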
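Review bot: in the libntp/decodenetnum.c hunk (@@ -36,7 +36,10), the replacement check returns a bare 0 with no comment, and the visible patch touches only ChangeLog and libntp/decodenetnum.c, so nothing exercises the new failure path. A short comment above the `if (strlen(num) >= sizeof(name))` line, saying that 0 is the failure return and that over-long input is rejected rather than asserted on, would keep a later cleanup from folding it back into REQUIRE(). The comparison is right for char name[80] (79 characters plus the terminator fit, 80 do not), and a regression test with a 79-character and an 80-character string would pin that boundary down. REQUIRE(num != NULL) is kept, so a NULL argument still aborts the process; it is worth confirming that every caller guarantees a non-NULL pointer, or giving that case the same return-0 treatment.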