From: Harlan Stenn <stenn@ntp.org>
Date: Mon, 22 Feb 2016 05:33:56 +0000 (+0000)
Subject: [Sec 3008] Always check the return value of ctl_getitem().  HStenn.
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e8be115b92c01e5def69c697aa70060541e6d964;p=thirdparty%2Fntp.git

[Sec 3008] Always check the return value of ctl_getitem().  HStenn.

bk: 56ca9dc4OGNQF63p9J74Ua6TYxfTtQ
---

diff --git a/ChangeLog b/ChangeLog
index d524d00f0..593a5771e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,7 @@
 * [Sec 2936] Skeleton Key: Any system knowing the trusted key can serve
   time. Include passive servers in this check. HStenn.
 * [Sec 2945] Additional KoD packet checks.  HStenn.
+* [Sec 3008] Always check the return value of ctl_getitem().  HStenn.
 * [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
 * [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
   - integrated patches by Loganaden Velvidron <logan@ntp.org>
diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c
index e5a567e78..9bf881af3 100644
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -3334,7 +3334,11 @@ read_sysvars(void)
 			gotvar = 1;
 		} else {
 			v = ctl_getitem(ext_sys_var, &valuep);
-			INSIST(v != NULL);
+			if (NULL == v) {
+				ctl_error(CERR_BADVALUE);
+				free(wants);
+				return;
+			}
 			if (EOV & v->flags) {
 				ctl_error(CERR_UNKNOWNVAR);
 				free(wants);
@@ -4575,7 +4579,12 @@ read_clockstatus(
 			gotvar = TRUE;
 		} else {
 			v = ctl_getitem(kv, &valuep);
-			INSIST(NULL != v);
+			if (NULL == v) {
+				ctl_error(CERR_BADVALUE);
+				free(wants);
+				free_varlist(cs.kv_list);
+				return;
+			}
 			if (EOV & v->flags) {
 				ctl_error(CERR_UNKNOWNVAR);
 				free(wants);