From 138e15be283dcc7401e844f27670d8b24f0b72be Mon Sep 17 00:00:00 2001
From: wzc <u201911736@hust.edu.cn>
Date: Sat, 6 May 2023 14:57:24 +0800
Subject: [PATCH] backport-CVE-2023-26552

---
 CVE-2023-26552.patch | 37 +++++++++++++++++++++++++++++++++++++
 ntp.spec             |  9 ++++++++-
 2 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-26552.patch

diff --git a/CVE-2023-26552.patch b/CVE-2023-26552.patch
new file mode 100644
index 0000000..7333b1e
--- /dev/null
+++ b/CVE-2023-26552.patch
@@ -0,0 +1,37 @@
+Subject: [PATCH] CVE-2023-26552,Make sure the buffer has enough room for the input string and the extra characters, in the worst case replacing "." with "0.000"
+Reference: https://github.com/spwpun/ntp-4.2.8p15-cves/issues/1#issuecomment-1516242868
+---
+Index: libntp/mstolfp.c
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/libntp/mstolfp.c b/libntp/mstolfp.c
+--- a/libntp/mstolfp.c
++++ b/libntp/mstolfp.c
+@@ -14,7 +14,7 @@
+ 	l_fp *lfp
+ 	)
+ {
+-	register const char *cp;
++	register const char *cp, *end;
+ 	register char *bp;
+ 	register const char *cpdec;
+ 	char buf[100];
+@@ -41,6 +41,16 @@
+
+ 	if (*cp != '.' && !isdigit((unsigned char)*cp))
+ 	    return 0;
++
++    /*
++    * Make sure the buffer has enough room for the input string and the
++    * extra characters, in the worst case replacing "." with "0.000"
++    */
++    end = cp;
++    while (isdigit((unsigned char)*end) || *end == '.')
++        end++;
++    if (end - cp + 4 >= sizeof (buf) - (bp - buf))
++        return 0;
+
+
+ 	/*
diff --git a/ntp.spec b/ntp.spec
index d6a6020..e52c418 100644
--- a/ntp.spec
+++ b/ntp.spec
@@ -2,7 +2,7 @@
 
 Name:                  ntp
 Version:               4.2.8p15
-Release:               7
+Release:               8
 Summary:               A protocol designed to synchronize the clocks of computers over a network
 License:               MIT and BSD and BSD with advertising
 URL:                   https://www.ntp.org/
@@ -26,6 +26,7 @@ Patch3:                bugfix-fix-ifindex-length.patch
 Patch4:                fix-multiple-defination-with-gcc-10.patch
 Patch5:                Do-not-use-PTHREAD_STACK_MIN-on-glibc.patch
 Patch6:                fix-MD5-manpage.patch
+Patch7:                CVE-2023-26552.patch
 
 BuildRequires:	       libcap-devel openssl-devel libedit-devel libevent-devel pps-tools-devel
 BuildRequires:         autogen autogen-libopts-devel systemd gcc perl-generators perl-HTML-Parser libtool
@@ -211,6 +212,12 @@ make check
 %{_mandir}/man8/*.8*
 
 %changelog
+* Mon Apr 24 2023 ZCWei51 <u201911736@hust.edu.cn> - 4.2.8p15-8
+- Type:CVE
+- ID:CVE-2023-26552
+- SUG:NA
+- DESC: Make sure the buffer has enough room for the input string and the extra characters, in the worst case replacing "." with "0.000"
+
 * Thu Nov 24 2022 chengyechun <chengyechun1@huawei.com> - 4.2.8p15-7
 - Type:bugfix
 - ID:NA
-- 
Gitee