From 562c0cc96b42afce4eeef8da8ac315f03e2e99df Mon Sep 17 00:00:00 2001 From: Miroslva Lichvar Date: Thu, 20 Apr 2023 08:27:41 PM GMT+0800 Subject: [PATCH] mstolfp:make sure the buffer has enough room for the input extra characters Reference:https://build.opensuse.org/package/view_file/openSUSE:Factory/ntp/ntp-CVE-2023-26551.patch?expand=1 Conflict:NA CVE-2023-26552, CVE-2023-26553 and CVE-2023-26554 are marked identical to CVE-2023-26551 https://github.com/spwpun/ntp-4.2.8p15-cves/issues/1#issuecomment-1507034339 --- libntp/mstolfp.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libntp/mstolfp.c b/libntp/mstolfp.c index 3dfc4ef..a8defa2 100644 --- a/libntp/mstolfp.c +++ b/libntp/mstolfp.c @@ -14,7 +14,7 @@ mstolfp( l_fp *lfp ) { - register const char *cp; + register const char *cp, *end; register char *bp; register const char *cpdec; char buf[100]; @@ -42,6 +42,15 @@ mstolfp( if (*cp != '.' && !isdigit((unsigned char)*cp)) return 0; + /* + * Make sure the buffer has enough room for the input string and the + * extra characters, in the worst case replacing "." with "0.000" + */ + end = cp; + while (isdigit((unsigned char)*end) || *end == '.') + end++; + if (end - cp + 4 >= sizeof (buf) - (bp - buf)) + return 0; /* * Search forward for the decimal point or the end of the string. -- 2.27.0