From: Harlan Stenn
Date: Fri, 12 Dec 2014 11:13:55 +0000 (+0000)
Subject: [Sec 2668] buffer overflow in ctl_putdata()
X-Git-Tag: NTP_4_2_8~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fb9f5e18cb53d7ce2ed89b5ecf138c93ca9a455c;p=thirdparty%2Fntp.git
[Sec 2668] buffer overflow in ctl_putdata()
bk: 548acdf3tUSFizXcv_X4b77Jt_Y-cg
---
diff --git a/ChangeLog b/ChangeLog
index 4ae917c14..8896aa0d1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,5 @@
 * [Sec 2667] buffer overflow in crypto_recv().
+* [Sec 2668] buffer overflow in ctl_putdata().
 * [Bug 2686] refclock_gpsdjson needs strtoll(), which is not always present.
 (4.2.7p484-RC) 2014/12/11 Released by Harlan Stenn
 (4.2.7p483) 2014/12/08 Released by Harlan Stenn
diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c
index 266978e4a..a5c4091aa 100644
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -801,6 +801,10 @@ static u_char res_async; /* sending async trap response? */
 static char *reqpt;
 static char *reqend;
+#ifndef MIN
+#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
+#endif
+
 /*
 * init_control - initialize request data
 */
@@ -1316,6 +1320,7 @@ ctl_putdata(
 )
 {
 int overhead;
+ unsigned int currentlen;
 overhead = 0;
 if (!bin) {
@@ -1338,12 +1343,22 @@ ctl_putdata(
 /*
 * Save room for trailing junk
 */
- if (dlen + overhead + datapt > dataend) {
+ while (dlen + overhead + datapt > dataend) {
 /*
 * Not enough room in this one, flush it out.
 */
+ currentlen = MIN(dlen, dataend - datapt);
+
+ memcpy(datapt, dp, currentlen);
+
+ datapt += currentlen;
+ dp += currentlen;
+ dlen -= currentlen;
+ datalinelen += currentlen;
+
 ctl_flushpkt(CTL_MORE);
 }
+
 memcpy(datapt, dp, dlen);
 datapt += dlen;
 datalinelen += dlen;
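Review bot: In the last ctl_putdata() hunk the loop condition `dlen + overhead + datapt > dataend` still bounds-checks by adding the lengths to `datapt`, which forms a pointer past the end of the buffer (undefined behaviour) and, for a large enough `dlen`, could wrap so that the test reads false and the final `memcpy(datapt, dp, dlen)` runs unchecked; comparing against the remaining room instead, e.g. `while (dlen + overhead > (size_t)(dataend - datapt)) {`, keeps the check in integer arithmetic. `MIN(dlen, dataend - datapt)` also appears to mix an unsigned length with a signed pointer difference, so an explicit cast, `currentlen = MIN(dlen, (unsigned int)(dataend - datapt));`, would make both the comparison and the assignment to the `unsigned int currentlen` declared in the previous hunk well defined. The copy inside the loop fills the packet right up to `dataend`, so it does not keep the `overhead` bytes that the "Save room for trailing junk" comment reserves; whether that matters depends on code outside the hunk. The types of `dlen`, `datapt` and `dataend` and the body of `ctl_flushpkt()` are not visible here, and ctl_putdata() starts and ends outside the hunk, so these points should be confirmed against the full function.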