1 files changed, 19 insertions, 20 deletions
diff --git a/plugins/check_ntp.c b/plugins/check_ntp.c
index 09a923eb..914b40ce 100644
--- a/plugins/check_ntp.c
+++ b/plugins/check_ntp.c
@@ -297,7 +297,7 @@ void setup_request(ntp_message *p){
 * this is done by filtering servers based on stratum, dispersion, and
 * finally round-trip delay. */
 int best_offset_server(const ntp_server_results *slist, int nservers){
-        int i=0, cserver=0, best_server=-1;
+        int cserver=0, best_server=-1;
        /* for each server */
        for(cserver=0; cserver<nservers; cserver++){
@@ -356,7 +356,7 @@ int best_offset_server(const ntp_server_results *slist, int nservers){
 *   we have to do it in a way that our lazy macros don't handle currently :( */
 double offset_request(const char *host, int *status){
        int i=0, j=0, ga_result=0, num_hosts=0, *socklist=NULL, respnum=0;
-        int servers_completed=0, one_written=0, one_read=0, servers_readable=0, best_index=-1;
+        int servers_completed=0, one_read=0, servers_readable=0, best_index=-1;
        time_t now_time=0, start_ts=0;
        ntp_message *req=NULL;
        double avg_offset=0.;
@@ -421,7 +421,6 @@ double offset_request(const char *host, int *status){
                 * been touched in the past second or so and is still lacking
                 * some responses.  for each of these servers, send a new request,
                 * and update the "waiting" timestamp with the current time. */
-                one_written=0;
                now_time=time(NULL);
                for(i=0; i<num_hosts; i++){
@@ -431,7 +430,6 @@ double offset_request(const char *host, int *status){
                                setup_request(&req[i]);
                                write(socklist[i], &req[i], sizeof(ntp_message));
                                servers[i].waiting=now_time;
-                                one_written=1;
                                break;
                        }
                }
@@ -517,14 +515,13 @@ setup_control_request(ntp_control_message *p, uint8_t opcode, uint16_t seq){
 double jitter_request(const char *host, int *status){
        int conn=-1, i, npeers=0, num_candidates=0, syncsource_found=0;
        int run=0, min_peer_sel=PEER_INCLUDED, num_selected=0, num_valid=0;
-        int peers_size=0, peer_offset=0, bytes_read=0;
+        int peers_size=0, peer_offset=0;
        ntp_assoc_status_pair *peers=NULL;
        ntp_control_message req;
        const char *getvar = "jitter";
        double rval = 0.0, jitter = -1.0;
        char *startofvalue=NULL, *nptr=NULL;
        void *tmp;
-        int ntp_cm_ints = sizeof(uint16_t) * 5 + sizeof(uint8_t) * 2;
        /* Long-winded explanation:
         * Getting the jitter requires a number of steps:
@@ -551,7 +548,7 @@ double jitter_request(const char *host, int *status){
                DBG(print_ntp_control_message(&req));
                /* Attempt to read the largest size packet possible */
                req.count=htons(MAX_CM_SIZE);
-                DBG(printf("recieving READSTAT response"))
+                DBG(printf("receiving READSTAT response"))
                read(conn, &req, SIZEOF_NTPCM(req));
                DBG(print_ntp_control_message(&req));
                /* Each peer identifier is 4 bytes in the data section, which
@@ -591,6 +588,9 @@ double jitter_request(const char *host, int *status){
                for (i = 0; i < npeers; i++){
                        /* Only query this server if it is the current sync source */
                        if (PEER_SEL(peers[i].status) >= min_peer_sel){
+                                char jitter_data[MAX_CM_SIZE+1];
+                                size_t jitter_data_count;
                                num_selected++;
                                setup_control_request(&req, OP_READVAR, 2);
                                req.assoc = peers[i].assoc;
@@ -608,16 +608,8 @@ double jitter_request(const char *host, int *status){
                                DBG(print_ntp_control_message(&req));
                                req.count = htons(MAX_CM_SIZE);
-                                DBG(printf("recieving READVAR response...\n"));
+                                DBG(printf("receiving READVAR response...\n"));
+                                read(conn, &req, SIZEOF_NTPCM(req));
-                                /* cov-66524 - req.data not null terminated before usage. Also covers verifying struct was returned correctly*/
-                                if ((bytes_read = read(conn, &req, SIZEOF_NTPCM(req))) == -1)
-                                        die(STATE_UNKNOWN, _("Cannot read from socket: %s"), strerror(errno));
-                                if (bytes_read != ntp_cm_ints + req.count)
-                                        die(STATE_UNKNOWN, _("Invalid NTP response: %d bytes read does not equal %d plus %d data segment"), bytes_read, ntp_cm_ints, req.count); 
-                                /* else null terminate */
-                                strncpy(req.data[req.count], "\0", 1);
                                DBG(print_ntp_control_message(&req));
                                if(req.op&REM_ERROR && strstr(getvar, "jitter")) {
@@ -632,7 +624,14 @@ double jitter_request(const char *host, int *status){
                                if(verbose) {
                                        printf("parsing jitter from peer %.2x: ", ntohs(peers[i].assoc));
                                }
-                                startofvalue = strchr(req.data, '=');
+                                if((jitter_data_count = ntohs(req.count)) >= sizeof(jitter_data)){
+                                        die(STATE_UNKNOWN,
+                                            _("jitter response too large (%lu bytes)\n"),
+                                            (unsigned long)jitter_data_count);
+                                }
+                                memcpy(jitter_data, req.data, jitter_data_count);
+                                jitter_data[jitter_data_count] = '\0';
+                                startofvalue = strchr(jitter_data, '=');
                                if(startofvalue != NULL) {
                                        startofvalue++;
                                        jitter = strtod(startofvalue, &nptr);
@@ -690,11 +689,11 @@ int process_arguments(int argc, char **argv){
                switch (c) {
                case 'h':
                        print_help();
-                        exit(STATE_OK);
+                        exit(STATE_UNKNOWN);
                        break;
                case 'V':
                        print_revision(progname, NP_VERSION);
-                        exit(STATE_OK);
+                        exit(STATE_UNKNOWN);
                        break;
                case 'v':
                        verbose++;

diff --git a/plugins/check_ntp.c b/plugins/check_ntp.c index 09a923eb..914b40ce 100644 --- a/plugins/check_ntp.c +++ b/plugins/check_ntp.c
@@ -297,7 +297,7 @@ void setup_request(ntp_message *p){
297	* this is done by filtering servers based on stratum, dispersion, and	297	* this is done by filtering servers based on stratum, dispersion, and
298	* finally round-trip delay. */	298	* finally round-trip delay. */
299	int best_offset_server(const ntp_server_results *slist, int nservers){	299	int best_offset_server(const ntp_server_results *slist, int nservers){
300	int i=0, cserver=0, best_server=-1;	300	int cserver=0, best_server=-1;
301		301
302	/* for each server */	302	/* for each server */
303	for(cserver=0; cserver<nservers; cserver++){	303	for(cserver=0; cserver<nservers; cserver++){
@@ -356,7 +356,7 @@ int best_offset_server(const ntp_server_results *slist, int nservers){
356	* we have to do it in a way that our lazy macros don't handle currently :( */	356	* we have to do it in a way that our lazy macros don't handle currently :( */
357	double offset_request(const char host, int status){	357	double offset_request(const char host, int status){
358	int i=0, j=0, ga_result=0, num_hosts=0, *socklist=NULL, respnum=0;	358	int i=0, j=0, ga_result=0, num_hosts=0, *socklist=NULL, respnum=0;
359	int servers_completed=0, one_written=0, one_read=0, servers_readable=0, best_index=-1;	359	int servers_completed=0, one_read=0, servers_readable=0, best_index=-1;
360	time_t now_time=0, start_ts=0;	360	time_t now_time=0, start_ts=0;
361	ntp_message *req=NULL;	361	ntp_message *req=NULL;
362	double avg_offset=0.;	362	double avg_offset=0.;
@@ -421,7 +421,6 @@ double offset_request(const char host, int status){
421	* been touched in the past second or so and is still lacking	421	* been touched in the past second or so and is still lacking
422	* some responses. for each of these servers, send a new request,	422	* some responses. for each of these servers, send a new request,
423	* and update the "waiting" timestamp with the current time. */	423	* and update the "waiting" timestamp with the current time. */
424	one_written=0;
425	now_time=time(NULL);	424	now_time=time(NULL);
426		425
427	for(i=0; i<num_hosts; i++){	426	for(i=0; i<num_hosts; i++){
@@ -431,7 +430,6 @@ double offset_request(const char host, int status){
431	setup_request(&req[i]);	430	setup_request(&req[i]);
432	write(socklist[i], &req[i], sizeof(ntp_message));	431	write(socklist[i], &req[i], sizeof(ntp_message));
433	servers[i].waiting=now_time;	432	servers[i].waiting=now_time;
434	one_written=1;
435	break;	433	break;
436	}	434	}
437	}	435	}
@@ -517,14 +515,13 @@ setup_control_request(ntp_control_message *p, uint8_t opcode, uint16_t seq){
517	double jitter_request(const char host, int status){	515	double jitter_request(const char host, int status){
518	int conn=-1, i, npeers=0, num_candidates=0, syncsource_found=0;	516	int conn=-1, i, npeers=0, num_candidates=0, syncsource_found=0;
519	int run=0, min_peer_sel=PEER_INCLUDED, num_selected=0, num_valid=0;	517	int run=0, min_peer_sel=PEER_INCLUDED, num_selected=0, num_valid=0;
520	int peers_size=0, peer_offset=0, bytes_read=0;	518	int peers_size=0, peer_offset=0;
521	ntp_assoc_status_pair *peers=NULL;	519	ntp_assoc_status_pair *peers=NULL;
522	ntp_control_message req;	520	ntp_control_message req;
523	const char *getvar = "jitter";	521	const char *getvar = "jitter";
524	double rval = 0.0, jitter = -1.0;	522	double rval = 0.0, jitter = -1.0;
525	char startofvalue=NULL, nptr=NULL;	523	char startofvalue=NULL, nptr=NULL;
526	void *tmp;	524	void *tmp;
527	int ntp_cm_ints = sizeof(uint16_t) * 5 + sizeof(uint8_t) * 2;
528		525
529	/* Long-winded explanation:	526	/* Long-winded explanation:
530	* Getting the jitter requires a number of steps:	527	* Getting the jitter requires a number of steps:
@@ -551,7 +548,7 @@ double jitter_request(const char host, int status){
551	DBG(print_ntp_control_message(&req));	548	DBG(print_ntp_control_message(&req));
552	/* Attempt to read the largest size packet possible */	549	/* Attempt to read the largest size packet possible */
553	req.count=htons(MAX_CM_SIZE);	550	req.count=htons(MAX_CM_SIZE);
554	DBG(printf("recieving READSTAT response"))	551	DBG(printf("receiving READSTAT response"))
555	read(conn, &req, SIZEOF_NTPCM(req));	552	read(conn, &req, SIZEOF_NTPCM(req));
556	DBG(print_ntp_control_message(&req));	553	DBG(print_ntp_control_message(&req));
557	/* Each peer identifier is 4 bytes in the data section, which	554	/* Each peer identifier is 4 bytes in the data section, which
@@ -591,6 +588,9 @@ double jitter_request(const char host, int status){
591	for (i = 0; i < npeers; i++){	588	for (i = 0; i < npeers; i++){
592	/* Only query this server if it is the current sync source */	589	/* Only query this server if it is the current sync source */
593	if (PEER_SEL(peers[i].status) >= min_peer_sel){	590	if (PEER_SEL(peers[i].status) >= min_peer_sel){
		591	char jitter_data[MAX_CM_SIZE+1];
		592	size_t jitter_data_count;
		593
594	num_selected++;	594	num_selected++;
595	setup_control_request(&req, OP_READVAR, 2);	595	setup_control_request(&req, OP_READVAR, 2);
596	req.assoc = peers[i].assoc;	596	req.assoc = peers[i].assoc;
@@ -608,16 +608,8 @@ double jitter_request(const char host, int status){
608	DBG(print_ntp_control_message(&req));	608	DBG(print_ntp_control_message(&req));
609		609
610	req.count = htons(MAX_CM_SIZE);	610	req.count = htons(MAX_CM_SIZE);
611	DBG(printf("recieving READVAR response...\n"));	611	DBG(printf("receiving READVAR response...\n"));
612		612	read(conn, &req, SIZEOF_NTPCM(req));
613	/* cov-66524 - req.data not null terminated before usage. Also covers verifying struct was returned correctly*/
614	if ((bytes_read = read(conn, &req, SIZEOF_NTPCM(req))) == -1)
615	die(STATE_UNKNOWN, _("Cannot read from socket: %s"), strerror(errno));
616	if (bytes_read != ntp_cm_ints + req.count)
617	die(STATE_UNKNOWN, _("Invalid NTP response: %d bytes read does not equal %d plus %d data segment"), bytes_read, ntp_cm_ints, req.count);
618	/* else null terminate */
619	strncpy(req.data[req.count], "\0", 1);
620
621	DBG(print_ntp_control_message(&req));	613	DBG(print_ntp_control_message(&req));
622		614
623	if(req.op&REM_ERROR && strstr(getvar, "jitter")) {	615	if(req.op&REM_ERROR && strstr(getvar, "jitter")) {
@@ -632,7 +624,14 @@ double jitter_request(const char host, int status){
632	if(verbose) {	624	if(verbose) {
633	printf("parsing jitter from peer %.2x: ", ntohs(peers[i].assoc));	625	printf("parsing jitter from peer %.2x: ", ntohs(peers[i].assoc));
634	}	626	}
635	startofvalue = strchr(req.data, '=');	627	if((jitter_data_count = ntohs(req.count)) >= sizeof(jitter_data)){
		628	die(STATE_UNKNOWN,
		629	_("jitter response too large (%lu bytes)\n"),
		630	(unsigned long)jitter_data_count);
		631	}
		632	memcpy(jitter_data, req.data, jitter_data_count);
		633	jitter_data[jitter_data_count] = '\0';
		634	startofvalue = strchr(jitter_data, '=');
636	if(startofvalue != NULL) {	635	if(startofvalue != NULL) {
637	startofvalue++;	636	startofvalue++;
638	jitter = strtod(startofvalue, &nptr);	637	jitter = strtod(startofvalue, &nptr);
@@ -690,11 +689,11 @@ int process_arguments(int argc, char **argv){
690	switch (c) {	689	switch (c) {
691	case 'h':	690	case 'h':
692	print_help();	691	print_help();
693	exit(STATE_OK);	692	exit(STATE_UNKNOWN);
694	break;	693	break;
695	case 'V':	694	case 'V':
696	print_revision(progname, NP_VERSION);	695	print_revision(progname, NP_VERSION);
697	exit(STATE_OK);	696	exit(STATE_UNKNOWN);
698	break;	697	break;
699	case 'v':	698	case 'v':
700	verbose++;	699	verbose++;