buffer overrun in start_ntpc
I'm a low karma user and thus can't paste a straight link
in bitbucket.org
pl_shibby/tomato-arm/src/d05c007143cb16385b91f2e5aa7c98ab10c149aa/release/src-rt-6.x.4708/router/rc/services.c?at=shibby-arm#cl-1483
The function allocates just 31 bytes for a list of NTP servers.
The builtin US default seems to take 54 characters
static char servers[32];
…
strcpy(servers, nvram_safe_get("ntp_server"));
Blind trust of an strcpy source is bad news to boot, but in this case the allocated string also happens to be absurdly small