From: Juergen Perlinger
Date: Wed, 16 Jan 2019 20:42:59 +0000 (+0100)
Subject: [Sec 3565] null pointer crash by remote attack
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f66b21df8de439448aa67375d11bdaa775ffa19c;p=thirdparty%2Fntp.git
[Sec 3565] null pointer crash by remote attack
bk: 5c3f9753-uhxXmYRwCTIgy-6GT15_g
---
diff --git a/ChangeLog b/ChangeLog
index e342adf2a..1c835e707 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+---
+* [Sec 3565] null pointer crash by remote attack
+
 ---
 (4.2.8p13)
diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c
index 63f9980ac..49a197ed7 100644
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -3448,11 +3448,11 @@ write_variables(
 * Look through the variables. Dump out at the first sign of
 * trouble.
 */
- while ((v = ctl_getitem(sys_var, &valuep)) != 0) {
+ while ((v = ctl_getitem(sys_var, &valuep)) != NULL) {
 ext_var = 0;
 if (v->flags & EOV) {
- if ((v = ctl_getitem(ext_sys_var, &valuep)) !=
- 0) {
+ v = ctl_getitem(ext_sys_var, &valuep);
+ if (v != NULL) {
 if (v->flags & EOV) {
 ctl_error(CERR_UNKNOWNVAR);
 return;
@@ -3466,16 +3466,24 @@ write_variables(
 ctl_error(CERR_PERMISSION);
 return;
 }
- if (!ext_var && (*valuep == '\0' || !atoint(valuep,
- &val))) {
+ /* [bug 3565] writing makes sense only if we *have* a
+ * value in the packet!
+ */
+ if (valuep == NULL) {
 ctl_error(CERR_BADFMT);
 return;
 }
- if (!ext_var && (val & ~LEAP_NOTINSYNC) != 0) {
- ctl_error(CERR_BADVALUE);
- return;
+ if (!ext_var) {
+ if ( !(*valuep && atoint(valuep, &val))) {
+ ctl_error(CERR_BADFMT);
+ return;
+ }
+ if ((val & ~LEAP_NOTINSYNC) != 0) {
+ ctl_error(CERR_BADVALUE);
+ return;
+ }
 }
-
+
 if (ext_var) {
 octets = strlen(v->text) + strlen(valuep) + 2;
 vareqv = emalloc(octets);
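Review bot: The new `valuep == NULL` guard in the `-3466` hunk is the only thing protecting both the `*valuep` dereference in the `!ext_var` branch and the `strlen(valuep)` in the `ext_var` branch below it, yet its comment does not say so and is tagged `[bug 3565]` while the ChangeLog entry uses `[Sec 3565]`. I would word it as `/* [Sec 3565] valuep is NULL when the request names a variable without a value; reject before the dereferences below */` so that a later reordering does not move the check past either use. Judging from this fix, `ctl_getitem()` can return a non-NULL item and still leave `valuep` NULL, so its other callers are worth checking for the same assumption; they are outside this hunk. The body of `write_variables` continues beyond the hunk, and no regression test for a value-less write request is visible in the commit.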