From: Juergen Perlinger <perlinger@ntp.org>
Date: Thu, 28 Jan 2016 07:08:42 +0000 (+0100)
Subject: [Bug 2999] out-of-bounds access in 'is_safe_filename()'
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d8116df97299b68cb778577f7c1871a847986c63;p=thirdparty%2Fntp.git

[Bug 2999] out-of-bounds access in 'is_safe_filename()'

bk: 56a9be7ad1JGBmfacSMb7cTbPOpr-g
---

diff --git a/ChangeLog b/ChangeLog
index c70fe8fc5..f642b05bd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@
 
 * [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
 * [Bug 2995] Fixes to compile on Windows
+* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
 
 ---
 (4.2.8p6) 2016/01/20 Released by Harlan Stenn <stenn@ntp.org>
diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c
index e5a567e78..593eea59f 100644
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -911,18 +911,18 @@ is_safe_filename(const char * name)
 	};
 
 	u_int widx, bidx, mask;
-	if (!*name)
+	if ( ! (name && *name))
 		return FALSE;
 	
 	mask = 1u;
 	while (0 != (widx = (u_char)*name++)) {
 		bidx = (widx & 15) << 1;
 		widx = widx >> 4;
-		if (widx >= sizeof(chclass))
+		if (widx >= sizeof(chclass)/sizeof(chclass[0]))
 			return FALSE;
 		if (0 == ((chclass[widx] >> bidx) & mask))
 			return FALSE;
-		mask |= 2u;
+		mask = 2u;
 	}
 	return TRUE;
 }