From: Juergen Perlinger <perlinger@ntp.org>
Date: Sun, 12 Feb 2017 17:15:23 +0000 (+0100)
Subject: [Sec 3380] NTP-01-005: Off-by-one in Oncore GPS Receiver
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=acf9c8022ddacdf9ed4f4510d306e44cce46188d;p=thirdparty%2Fntp.git

[Sec 3380] NTP-01-005: Off-by-one in Oncore GPS Receiver

bk: 58a0982b4Us3fEKsxxwdgL43NfkIDw
---

diff --git a/ChangeLog b/ChangeLog
index 595a3d776..df5e19d40 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+---
+* [Sec 3380] NTP-01-005: Off-by-one in Oncore GPS Receiver
+  (Pentest report 01.2017) <perlinger@ntp.org>
+
 ---
 (4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org>
 
diff --git a/ntpd/refclock_oncore.c b/ntpd/refclock_oncore.c
index 30924b8bb..ebd30d6c0 100644
--- a/ntpd/refclock_oncore.c
+++ b/ntpd/refclock_oncore.c
@@ -1461,7 +1461,7 @@ oncore_receive(
 #endif
 
 	i = rbufp->recv_length;
-	if (rcvbuf+rcvptr+i > &rcvbuf[sizeof rcvbuf])
+	if ((size_t)rcvptr + i >= sizeof(rcvbuf))
 		i = sizeof(rcvbuf) - rcvptr;	/* and some char will be lost */
 	memcpy(rcvbuf+rcvptr, p, i);
 	rcvptr += i;