From 8739eaf11a4bf4332fb28070a1e06cadcb411286 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Mar 23 2017 15:07:37 +0000
Subject: fix potential buffer overflow in mx4200 refclock driver (CVE-2017-6451)
---
diff --git a/ntp-4.2.6p5-cve-2017-6451.patch b/ntp-4.2.6p5-cve-2017-6451.patch
new file mode 100644
index 0000000..29beaf5
--- /dev/null
+++ b/ntp-4.2.6p5-cve-2017-6451.patch
@@ -0,0 +1,66 @@
+
+2017-02-11 20:47:37+01:00, perlinger@ntp.org
+ [Sec 3378] NTP-01-003 Improper use of snprintf() in mx4200_send()
+
+==== ntpd/refclock_mx4200.c ====
+
+2017-02-11 20:47:37+01:00, perlinger@ntp.org +20 -12
+ [Sec 3378] NTP-01-003 Improper use of snprintf() in mx4200_send()
+--- 1.30/ntpd/refclock_mx4200.c 2011-04-12 06:01:53 +00:00
++++ 1.31/ntpd/refclock_mx4200.c 2017-02-11 19:47:37 +00:00
+@@ -1596,34 +1596,42 @@ mx4200_send(peer, fmt, va_alist)
+ struct refclockproc *pp;
+ struct mx4200unit *up;
+ 
+- register char *cp;
++ register char *cp, *ep;
+ register int n, m;
+ va_list ap;
+ char buf[1024];
+ u_char ck;
+ 
++ pp = peer->procptr;
++ up = pp->unitptr;
++
++ cp = buf;
++ ep = cp + sizeof(buf);
++ *cp++ = '$';
++
+ #if defined(__STDC__)
+ va_start(ap, fmt);
+ #else
+ va_start(ap);
+ #endif /* __STDC__ */
++ n = VSNPRINTF((cp, (size_t)(ep - cp), fmt, ap));
++ va_end(ap);
++ if (n < 0 || (size_t)n >= (size_t)(ep - cp))
++ goto overflow;
+ 
+- pp = peer->procptr;
+- up = (struct mx4200unit *)pp->unitptr;
+-
+- cp = buf;
+- *cp++ = '$';
+- n = VSNPRINTF((cp, sizeof(buf) - 1, fmt, ap));
+ ck = mx4200_cksum(cp, n);
++ cp += n;
++ n = SNPRINTF((cp, (size_t)(ep - cp), "*%02X\r\n", ck));
++ if (n < 0 || (size_t)n >= (size_t)(ep - cp))
++ goto overflow;
+ cp += n;
+- ++n;
+- n += SNPRINTF((cp, sizeof(buf) - n - 5, "*%02X\r\n", ck));
+-
+- m = write(pp->io.fd, buf, (unsigned)n);
++ m = write(pp->io.fd, buf, (unsigned)(cp - buf));
+ if (m < 0)
+ msyslog(LOG_ERR, "mx4200_send: write: %m (%s)", buf);
+ mx4200_debug(peer, "mx4200_send: %d %s\n", m, buf);
+- va_end(ap);
++
++ overflow:
++ msyslog(LOG_ERR, "mx4200_send: %s", "data exceeds buffer size");
+ }
+ 
+ #else
+
diff --git a/ntp.spec b/ntp.spec
index 7512c8d..0024131 100644
--- a/ntp.spec
+++ b/ntp.spec
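Review bot: The success path of the new mx4200_send body falls straight through into the `overflow:` label, so every send that completes without truncation also logs `mx4200_send: data exceeds buffer size` at LOG_ERR, and the genuine overflow report becomes indistinguishable from normal traffic. Adding `return;` directly after the `mx4200_debug(peer, "mx4200_send: %d %s\n", m, buf);` line, before the blank line that precedes the label, leaves the label reachable only from the two `goto overflow;` sites. Separately, `up = pp->unitptr;` drops the `(struct mx4200unit *)` cast the removed line carried; if `unitptr` is still `caddr_t` in the 4.2.6p5 tree this backport targets, that assignment is an incompatible-pointer conversion, and since `up` is never read anywhere in the visible body in either version the line could be dropped or kept with its cast. The length checks themselves look correct: `(size_t)n >= (size_t)(ep - cp)` treats an exactly-full buffer as truncation (no room for the terminator), and `va_end(ap)` now runs before the early exit. The function's signature line lies above the hunk; its closing brace is inside it.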
@@ -201,6 +201,8 @@ Patch75: ntp-4.2.6p5-cve-2016-7433.patch
 Patch76: ntp-4.2.6p5-cve-2016-9310.patch
 # ntpbz #3119
 Patch77: ntp-4.2.6p5-cve-2016-9311.patch
+# ntpbz #3378
+Patch78: ntp-4.2.6p5-cve-2017-6451.patch
 # handle unknown clock types
 Patch100: ntpstat-0.2-clksrc.patch
@@ -377,6 +379,7 @@ This package contains NTP documentation in HTML format.
 %patch75 -p1 -b .cve-2016-7433
 %patch76 -p1 -b .cve-2016-9310
 %patch77 -p1 -b .cve-2016-9311
+%patch78 -p1 -b .cve-2017-6451
 # ntpstat patches
 %patch100 -p1 -b .clksrc