NTP BUG 2922: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values

Last update: March 2, 2022 17:28 UTC (616623bea)


Summary

Resolved: 4.2.8p4, 21 Oct 2015
References: Bug 2922, CVE-2015-7855
Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77. Resolved in 4.2.8p4.
CVSS2 Score: 4.6 AV:N/AC:H/Au:M/C:N/I:N/A:C
Base Score: 4.6, worst case

Description

If ntpd is fed a crafted mode 6 or mode 7 packet containing an unusually long data value where a network address is expected, the decodenetnum() function will abort with an assertion failure instead of simply returning a failure condition.
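
The failure mode described above, as an added illustration in C: a length invariant enforced by assertion on network-supplied input, beside the same check expressed as an ordinary parse failure. This is a simplified model and not ntpd's source; the function names, the 80-byte buffer size and the IPv4-only parsing are assumptions.

```c
/* Added illustration: simplified model, not ntpd source. Names are hypothetical. */
#include <arpa/inet.h>
#include <assert.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 80   /* assumed size of the local copy buffer */

/* Pattern the advisory describes: an invariant check applied to input that
 * arrives from the network. An over-long value terminates the process. */
int decode_addr_asserting(const char *num, struct in_addr *out)
{
    char name[NAME_BUF];
    assert(num != NULL);
    assert(strlen(num) < sizeof(name));   /* remote input can trip this */
    strcpy(name, num);
    return inet_pton(AF_INET, name, out) == 1;
}

/* Hardened form: a bad length is an ordinary parse failure (returns 0). */
int decode_addr_checked(const char *num, struct in_addr *out)
{
    char name[NAME_BUF];
    const char *end;

    if (num == NULL || out == NULL)
        return 0;
    end = memchr(num, '\0', sizeof(name)); /* bounded search for the NUL */
    if (end == NULL || end == num)
        return 0;                          /* too long or empty: reject */
    memcpy(name, num, (size_t)(end - num) + 1);
    return inet_pton(AF_INET, name, out) == 1;
}

int main(void)
{
    char longval[200];                     /* constructed over-long value */
    struct in_addr a;

    memset(longval, '1', sizeof(longval) - 1);
    longval[sizeof(longval) - 1] = '\0';
    printf("valid:    %d\n", decode_addr_checked("192.0.2.10", &a));
    printf("too long: %d\n", decode_addr_checked(longval, &a));
    return 0;
}
```

The asserting variant is only safe to call with input the caller already controls; the checked variant lets the daemon log the rejection and keep running.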


Mitigation


Credit

This weakness was discovered by John D “Doug” Birdwell with the Institute for Defense Analyses (IDA.org).


Timeline