[ntp:security] [Bug 3379] NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Pentest report 01.2017)

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Wed Mar 22 00:04:12 UTC 2017


Harlan Stenn <stenn at ntp.org> changed:

           What    |Removed                     |Added
             Status|STAGED                      |RESOLVED
              Group|Security                    |
         Resolution|                            |FIXED

--- Comment #4 from Harlan Stenn <stenn at ntp.org> 2017-03-22 00:04:12 UTC ---
Here's a better summary:

ntpd makes use of different wrappers around ctl_putdata() to create name/value
ntpq (mode 6) response strings. For example, ctl_putstr() is usually used to
send string data (variable names or string data). The formatting code was
missing a length check for variable names. If somebody explicitly created any
unusually long variable names in ntpd (longer than 200-512 bytes, depending on
the type of variable), then if any of these variables are added to the response
list it would overflow a buffer.

Pearly, thanks for your work on this.

Configure bugmail: http://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

More information about the security mailing list