2017-02-11 20:47:37+01:00, perlinger@ntp.org
  [Sec 3378] NTP-01-003 Improper use of snprintf() in mx4200_send()

==== ntpd/refclock_mx4200.c ====

2017-02-11 20:47:37+01:00, perlinger@ntp.org +20 -12
  [Sec 3378] NTP-01-003 Improper use of snprintf() in mx4200_send()
--- 1.30/ntpd/refclock_mx4200.c	2011-04-12 06:01:53 +00:00
+++ 1.31/ntpd/refclock_mx4200.c	2017-02-11 19:47:37 +00:00
@@ -1596,34 +1596,42 @@ mx4200_send(peer, fmt, va_alist)
 	struct refclockproc *pp;
 	struct mx4200unit *up;
 
-	register char *cp;
+	register char *cp, *ep;
 	register int n, m;
 	va_list ap;
 	char buf[1024];
 	u_char ck;
 
+	pp = peer->procptr;
+	up = pp->unitptr;
+
+	cp = buf;
+	ep = cp + sizeof(buf);
+	*cp++ = '$';
+	
 #if defined(__STDC__)
 	va_start(ap, fmt);
 #else
 	va_start(ap);
 #endif /* __STDC__ */
+	n = VSNPRINTF((cp, (size_t)(ep - cp), fmt, ap));
+	va_end(ap);
+	if (n < 0 || (size_t)n >= (size_t)(ep - cp))
+		goto overflow;
 
-	pp = peer->procptr;
-	up = (struct mx4200unit *)pp->unitptr;
-
-	cp = buf;
-	*cp++ = '$';
-	n = VSNPRINTF((cp, sizeof(buf) - 1, fmt, ap));
 	ck = mx4200_cksum(cp, n);
+	cp += n;	    
+	n = SNPRINTF((cp, (size_t)(ep - cp), "*%02X\r\n", ck));
+	if (n < 0 || (size_t)n >= (size_t)(ep - cp))
+		goto overflow;
 	cp += n;
-	++n;
-	n += SNPRINTF((cp, sizeof(buf) - n - 5, "*%02X\r\n", ck));
-
-	m = write(pp->io.fd, buf, (unsigned)n);
+	m = write(pp->io.fd, buf, (unsigned)(cp - buf));
 	if (m < 0)
 		msyslog(LOG_ERR, "mx4200_send: write: %m (%s)", buf);
 	mx4200_debug(peer, "mx4200_send: %d %s\n", m, buf);
-	va_end(ap);
+	
+  overflow:
+	msyslog(LOG_ERR, "mx4200_send: %s", "data exceeds buffer size");
 }
 
 #else