From 562c0cc96b42afce4eeef8da8ac315f03e2e99df Mon Sep 17 00:00:00 2001
From: Miroslva Lichvar <mlichvar@redhat.com>
Date: Thu, 20 Apr 2023 08:27:41 PM GMT+0800
Subject: [PATCH] mstolfp:make sure the buffer has enough room for the input extra characters
Reference:https://build.opensuse.org/package/view_file/openSUSE:Factory/ntp/ntp-CVE-2023-26551.patch?expand=1
Conflict:NA
CVE-2023-26552, CVE-2023-26553 and CVE-2023-26554 are marked identical to CVE-2023-26551
https://github.com/spwpun/ntp-4.2.8p15-cves/issues/1#issuecomment-1507034339
---
libntp/mstolfp.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
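--- a/libntp/mstolfp.c
+++ b/libntp/mstolfp.c
@@ -14,7 +14,7 @@ mstolfp(
 l_fp *lfp
 )
 {
- register const char *cp;
+ register const char *cp, *end;
 register char *bp;
 register const char *cpdec;
 char buf[100];
@@ -42,6 +42,15 @@ mstolfp(
 if (*cp != '.' && !isdigit((unsigned char)*cp))
 return 0;
 
+ /*
+ * Make sure the buffer has enough room for the input string and the
+ * extra characters, in the worst case replacing "." with "0.000"
+ */
+ end = cp;
+ while (isdigit((unsigned char)*end) || *end == '.')
+ end++;
+ if (end - cp + 4 >= sizeof (buf) - (bp - buf))
+ return 0;
 
 /*
 * Search forward for the decimal point or the end of the string.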
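Review bot: The new length check in the second hunk, `if (end - cp + 4 >= sizeof (buf) - (bp - buf))`, compares a signed `ptrdiff_t` expression with a `size_t` one, so it holds only because both pointer differences are non-negative at this point; writing it as `if ((size_t)(end - cp) + 4 >= sizeof(buf) - (size_t)(bp - buf))` makes that explicit and keeps `-Wsign-compare` quiet. The comment above it explains the `+ 4` (worst case "." becoming "0.000") but not why the test is `>=` rather than `>`; presumably one byte is reserved for the terminating NUL written later in mstolfp(), outside this hunk, and ending the comment with `... replacing "." with "0.000", plus the terminating NUL` would keep a later edit from relaxing the bound by one. The scan loop also counts every '.' it meets, which over-estimates for input with several dots; that errs towards rejecting and is safe, but deserves a word in the comment. The function body starts before and continues after the visible hunks.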
--
2.27.0