From: Dave Hart
Date: Tue, 2 Jun 2009 22:04:37 +0000 (+0000)
Subject: [Bug 1208] decodenetnum() buffer overrun on [ with no ]
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5c28ccb1e321d6bec78a86f4afdae323771ab987;p=thirdparty%2Fntp.git
[Bug 1208] decodenetnum() buffer overrun on [ with no ]
bk: 4a25a1f5b0XKgNmUI-qa6TI6bI_xww
---
diff --git a/ChangeLog b/ChangeLog
index 533e251902..b922dc5038 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,4 @@
+* [Bug 1208] decodenetnum() buffer overrun on [ with no ]
 (4.2.5p180) 2009/05/29 Released by Harlan Stenn
 * [Bug 1200] Enable IPv6 in Windows port
 * Lose FLAG_FIXPOLL, from Dave Mills.
diff --git a/libntp/decodenetnum.c b/libntp/decodenetnum.c
index 746c855d8b..5d646c377a 100644
--- a/libntp/decodenetnum.c
+++ b/libntp/decodenetnum.c
@@ -7,6 +7,7 @@
 #include
 #include "ntp_stdlib.h"
+#include "ntp_assert.h"
 int
 decodenetnum(
@@ -15,25 +16,30 @@ decodenetnum(
 )
 {
 struct addrinfo hints, *ai = NULL;
- register int err, i;
+ register int err;
 register const char *cp;
 char name[80];
+ char *np;
- cp = num;
+ NTP_REQUIRE(num != NULL);
+ NTP_REQUIRE(strlen(num) < sizeof(name));
- if (*cp == '[') {
- cp++;
- for (i = 0; *cp != ']'; cp++, i++)
- name[i] = *cp;
- name[i] = '\0';
- num = name;
+ if ('[' != num[0])
+ np = name;
+ else {
+ cp = num + 1;
+ np = name;
+ while (*cp && ']' != *cp)
+ *np++ = *cp++;
+ *np = 0;
+ np = name;
 }
- memset(&hints, 0, sizeof(struct addrinfo));
+ memset(&hints, 0, sizeof(hints));
 hints.ai_flags = AI_NUMERICHOST;
- err = getaddrinfo(num, NULL, &hints, &ai);
+ err = getaddrinfo(np, NULL, &hints, &ai);
 if (err != 0)
 return 0;
- memcpy(netnum, (struct sockaddr_storage *)ai->ai_addr, ai->ai_addrlen);
+ memcpy(netnum, ai->ai_addr, ai->ai_addrlen);
 freeaddrinfo(ai);
 return 1;
 }
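Review bot: In the second hunk of libntp/decodenetnum.c, the new `if ('[' != num[0])` branch points `np` at `name` without copying anything into it, so for every address that does not begin with `[` the later `getaddrinfo(np, ...)` reads the uninitialized 80-byte stack buffer instead of `num`. Keeping the input pointer for that case would fix it: `cp = num;` in the first branch, `cp = name;` at the end of the bracket branch, and `err = getaddrinfo(cp, NULL, &hints, &ai);`. Separately, `NTP_REQUIRE(strlen(num) < sizeof(name))` turns the length bound into an assertion; the macro's definition is not visible here, but if it aborts the process or compiles out in some builds, returning 0 for an over-long string would be the more robust guard. The parameter list of decodenetnum() lies outside this hunk.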