From: Juergen Perlinger
Date: Tue, 3 Jul 2018 16:46:27 +0000 (+0200)
Subject: [Sec 3505] CVE-2018-12327 - Arbitrary Code Execution Vulnerability
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c2ce04fd5a945606b2fcf2ccb9fe8c61a66c7279;p=thirdparty%2Fntp.git
[Sec 3505] CVE-2018-12327 - Arbitrary Code Execution Vulnerability
bk: 5b3ba863G-42Ac2TFzCy-PZ8vqNfVA
---
diff --git a/ChangeLog b/ChangeLog
index 25bb8f082..cbc6942bb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 ---
+* [Sec 3505] CVE-2018-12327 - Arbitrary Code Execution Vulnerability
+ - fixed stack buffer overflow in NTPQ/NTPDC
 * [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags()
 - applied patch by Gerry Garvey
 * [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c
diff --git a/ntpdc/ntpdc.c b/ntpdc/ntpdc.c
index af3694d46..c54596e32 100644
--- a/ntpdc/ntpdc.c
+++ b/ntpdc/ntpdc.c
@@ -404,31 +404,28 @@ openhost(
 )
 {
 char temphost[LENHOSTNAME];
- int a_info, i;
+ int a_info;
 struct addrinfo hints, *ai = NULL;
 sockaddr_u addr;
 size_t octets;
- register const char *cp;
+ const char *cp;
 char name[LENHOSTNAME];
 char service[5];
 /*
 * We need to get by the [] if they were entered
 */
-
- cp = hname;
-
- if (*cp == '[') {
- cp++;
- for (i = 0; *cp && *cp != ']'; cp++, i++)
- name[i] = *cp;
- if (*cp == ']') {
- name[i] = '\0';
- hname = name;
- } else {
+ if (*hname == '[') {
+ cp = strchr(hname + 1, ']');
+ if (!cp || (octets = (size_t)(cp - hname) - 1) >= sizeof(name)) {
+ errno = EINVAL;
+ warning("%s", "bad hostname/address");
 return 0;
 }
- }
+ memcpy(name, hname + 1, octets);
+ name[octets] = '\0';
+ hname = name;
+ }
 /*
 * First try to resolve it as an ip address and if that fails,
diff --git a/ntpq/ntpq.c b/ntpq/ntpq.c
index bda9b5602..4b9210392 100644
--- a/ntpq/ntpq.c
+++ b/ntpq/ntpq.c
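Review bot: In the ntpdc/ntpdc.c openhost() hunk, whatever follows the closing `]` is still dropped without any check, so an argument such as `[::1]xyz` is treated as `::1`; the new code bounds the copy into `name` but keeps that leniency from the old loop. If no caller relies on a suffix after the bracket (not visible here), rejecting it in the same guard would make the parsing strict: `if (!cp || cp[1] != '\0' || (octets = (size_t)(cp - hname) - 1) >= sizeof(name)) {`. A short comment that `>=` keeps one byte of `name` for the NUL written below would also help whoever audits this bound next. The same lines appear in the ntpq/ntpq.c hunk, and openhost() starts and ends outside both hunks.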
@@ -654,29 +654,26 @@ openhost(
 {
 const char svc[] = "ntp";
 char temphost[LENHOSTNAME];
- int a_info, i;
+ int a_info;
 struct addrinfo hints, *ai;
 sockaddr_u addr;
 size_t octets;
- register const char *cp;
+ const char *cp;
 char name[LENHOSTNAME];
 /*
 * We need to get by the [] if they were entered
 */
-
- cp = hname;
-
- if (*cp == '[') {
- cp++;
- for (i = 0; *cp && *cp != ']'; cp++, i++)
- name[i] = *cp;
- if (*cp == ']') {
- name[i] = '\0';
- hname = name;
- } else {
+ if (*hname == '[') {
+ cp = strchr(hname + 1, ']');
+ if (!cp || (octets = (size_t)(cp - hname) - 1) >= sizeof(name)) {
+ errno = EINVAL;
+ warning("%s", "bad hostname/address");
 return 0;
 }
+ memcpy(name, hname + 1, octets);
+ name[octets] = '\0';
+ hname = name;
 }
 /*
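Review bot: The bracket-stripping block in ntpq/ntpq.c openhost() duplicates the one patched in ntpdc/ntpdc.c line for line, which is why the same overflow fix had to be applied in two files. Moving it into one helper shared by both programs, taking the destination buffer and its size as parameters, would leave a single bounds check to audit. No regression test is visible in this diff; one that passes a bracketed name longer than LENHOSTNAME and expects the `bad hostname/address` failure would pin the fix in both tools. openhost() continues outside the hunk.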