From a04df3e1b67dc5eab3adc202cc89901f801cdeaa Mon Sep 17 00:00:00 2001 From: Spenser Reinhardt Date: Sun, 22 Jun 2014 14:49:25 -0500 Subject: plugins/check_ntp.c - Verify struct from response Coverity 66524 - req.data is not neccessarily null terminated but still feed to printf statements. This both does that, and verifies the struct more so than before. - SR --- plugins/check_ntp.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/plugins/check_ntp.c b/plugins/check_ntp.c index 0a7640a7..09a923eb 100644 --- a/plugins/check_ntp.c +++ b/plugins/check_ntp.c @@ -517,13 +517,14 @@ setup_control_request(ntp_control_message *p, uint8_t opcode, uint16_t seq){ double jitter_request(const char *host, int *status){ int conn=-1, i, npeers=0, num_candidates=0, syncsource_found=0; int run=0, min_peer_sel=PEER_INCLUDED, num_selected=0, num_valid=0; - int peers_size=0, peer_offset=0; + int peers_size=0, peer_offset=0, bytes_read=0; ntp_assoc_status_pair *peers=NULL; ntp_control_message req; const char *getvar = "jitter"; double rval = 0.0, jitter = -1.0; char *startofvalue=NULL, *nptr=NULL; void *tmp; + int ntp_cm_ints = sizeof(uint16_t) * 5 + sizeof(uint8_t) * 2; /* Long-winded explanation: * Getting the jitter requires a number of steps: @@ -608,7 +609,15 @@ double jitter_request(const char *host, int *status){ req.count = htons(MAX_CM_SIZE); DBG(printf("recieving READVAR response...\n")); - read(conn, &req, SIZEOF_NTPCM(req)); + + /* cov-66524 - req.data not null terminated before usage. Also covers verifying struct was returned correctly*/ + if ((bytes_read = read(conn, &req, SIZEOF_NTPCM(req))) == -1) + die(STATE_UNKNOWN, _("Cannot read from socket: %s"), strerror(errno)); + if (bytes_read != ntp_cm_ints + req.count) + die(STATE_UNKNOWN, _("Invalid NTP response: %d bytes read does not equal %d plus %d data segment"), bytes_read, ntp_cm_ints, req.count); + /* else null terminate */ + strncpy(req.data[req.count], "\0", 1); + DBG(print_ntp_control_message(&req)); if(req.op&REM_ERROR && strstr(getvar, "jitter")) { -- cgit v1.2.3-74-g34f1