From: Juergen Perlinger <perlinger@ntp.org>
Date: Sun, 11 Oct 2015 07:32:40 +0000 (+0200)
Subject: [Bug 2937] (NTPQ) nextvar() missing length check
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=94ded526772cb6434957476f6e3c4e577af92a5e;p=thirdparty%2Fntp.git

[Bug 2937] (NTPQ) nextvar() missing length check

bk: 561a1098bV4TuIdC-bG8ms5EzF3FIQ
---

diff --git a/ChangeLog b/ChangeLog
index b022ef6f6..839efbfca 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,6 @@
 ---
+* [Bug 2937] ntpq: nextvar() missing length check. perlinger@ntp.org
+---
 (4.2.8p4-RC1) 2015/10/06 Released by Harlan Stenn <stenn@ntp.org>
 
 * [Bug 2332] (reopened) Exercise thread cancellation once before dropping
diff --git a/ntpq/ntpq.c b/ntpq/ntpq.c
index 17fe2ea45..ce3a49b45 100644
--- a/ntpq/ntpq.c
+++ b/ntpq/ntpq.c
@@ -2950,6 +2950,8 @@ nextvar(
 	len = srclen;
 	while (len > 0 && isspace((unsigned char)cp[len - 1]))
 		len--;
+	if (len >= sizeof(name))
+	    return 0;
 	if (len > 0)
 		memcpy(name, cp, len);
 	name[len] = '\0';