From: Harlan Stenn Date: Wed, 1 May 2013 02:36:28 +0000 (-0400) Subject: [Bug 2145] ntpq dumps core when displaying sys_var_list and more X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=08fd7dfb035b7446ef0de922d1ca9bbf6c182163;p=thirdparty%2Fntp.git [Bug 2145] ntpq dumps core when displaying sys_var_list and more bk: 51807facD5KWsrGTr4_9gGjqCNVsNg
---
diff --git a/ChangeLog b/ChangeLog
index 3004238aff..8b28caad36 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,4 @@
+* [Bug 2145] ntpq dumps core when displaying sys_var_list and more.
 (4.2.7p367) 2013/04/25 Released by Harlan Stenn
 * [Bug 1485] Sometimes ntpd crashes
 * [Bug 2382] Implement LOGTOD using ldexp() instead of shifting.
diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c
index 2fe55c0523..28073133f5 100644
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -1843,26 +1843,39 @@ ctl_putsys(
 break;
 case CS_VARLIST:
- snprintf(str, sizeof(str), "%s=\"",
- sys_var[CS_VARLIST].text);
- ctl_putdata(str, strlen(str), TRUE);
+ {
+ char buf[CTL_MAX_DATA_LEN];
+ //buffPointer, firstElementPointer, buffEndPointer
+ register char *buffp, *buffend;
+ register int firstVarName;
+ register const char *ss;
+ register int len;
+ register struct ctl_var *k;
+
+ buffp = buf;
+ buffend = buf + sizeof(buf);
+ if (buffp + strlen(sys_var[CS_VARLIST].text) + 4 > buffend)
+ break; /* really long var name */
- firstvarname = TRUE;
- for (k = sys_var; !(EOV & k->flags); k++) {
- if (PADDING & k->flags)
+ snprintf(buffp, sizeof(buf), "%s=\"",sys_var[CS_VARLIST].text);
+ buffp += strlen(buffp);
+ firstVarName = TRUE;
+ for (k = sys_var; !(k->flags & EOV); k++) {
+ if (k->flags & PADDING)
 continue;
 len = strlen(k->text);
- if (0 == len)
- continue;
- if (!firstvarname)
- ctl_putdata(",", 1, TRUE);
+ if (buffp + len + 1 >= buffend)
+ break;
+ if (!firstVarName)
+ *buffp++ = ',';
 else
- firstvarname = FALSE;
- ctl_putdata(k->text, len, TRUE);
+ firstVarName = FALSE;
+ memcpy(buffp, k->text, len);
+ buffp += len;
 }
- for (k = ext_sys_var; k && !(EOV & k->flags); k++) {
- if (PADDING & k->flags)
+ for (k = ext_sys_var; k && !(k->flags & EOV); k++) {
+ if (k->flags & PADDING)
 continue;
 if (NULL == k->text)
 continue;
@@ -1871,13 +1884,25 @@ ctl_putsys(
 len = strlen(k->text);
 else
 len = ss - k->text;
- ctl_putdata(",", 1, TRUE);
- ctl_putdata(k->text, len, TRUE);
+ if (buffp + len + 1 >= buffend)
+ break;
+ if (firstVarName) {
+ *buffp++ = ',';
+ firstVarName = FALSE;
+ }
+ memcpy(buffp, k->text,(unsigned)len);
+ buffp += len;
 }
+ if (buffp + 2 >= buffend)
+ break;
- ctl_putdata("\"", 1, TRUE);
- break;
+ *buffp++ = '"';
+ *buffp = '\0';
+ ctl_putdata(buf, (unsigned)( buffp - buf ), 0);
+ break;
+ }
+
 case CS_TAI:
 if (sys_tai > 0)
 ctl_putuint(sys_var[CS_TAI].text, sys_tai);
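Review bot: The new bounds checks in the CS_VARLIST case are pointer sums that can point past the end of `buf` (`buffp + strlen(sys_var[CS_VARLIST].text) + 4 > buffend`, `buffp + len + 1 >= buffend`). Forming such a pointer is undefined behaviour once it goes beyond one-past-the-end, so the guard is not dependable; compare the length with the space left instead, e.g. `if (len + 1 >= buffend - buffp) break;`. The same form recurs in the ext_sys_var loop and in the closing `buffp + 2 >= buffend` check of the next hunk. The sys_var loop also no longer skips empty names (the removed `if (0 == len) continue;`), so an empty entry would now emit a bare comma, and the `//buffPointer, firstElementPointer, buffEndPointer` comment names a variable that is not declared. ctl_putsys starts and ends outside the hunk.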
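Review bot: The separator test in the ext_sys_var loop is inverted: `if (firstVarName) { *buffp++ = ','; firstVarName = FALSE; }` writes a comma only before the very first name of the whole list. Once the sys_var loop has emitted a name, the extension names are therefore appended with no separator and run together in the response, whereas the removed code always sent `","` here. Mirror the sys_var loop: `if (!firstVarName) *buffp++ = ','; else firstVarName = FALSE;`. Separately, when the closing check `buffp + 2 >= buffend` fires, the `break` leaves the switch without calling ctl_putdata, so a nearly full buffer drops the whole variable instead of sending the truncated list; reserving the two closing bytes in the per-name checks would avoid that. The case block opens in the previous hunk and ctl_putsys continues outside both.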