NTP BUG 3377: Buffer Overflow in ntpq when fetching reslist from a malicious ntpd
Last update: February 15, 2022 20:59 UTC (43fbd379b)
A stack buffer overflow in
ntpq can be triggered by a malicious
ntpd server when
ntpq requests the restriction list from the server. This is due to a missing length check in the
reslist() function. It occurs whenever the function parses the server’s response and encounters a
flagstr variable of an excessive length. The string will be copied into a fixed-size buffer, leading to an overflow on the function’s stack-frame.
Note well that this problem requires a malicious server, and affects
- Upgrade to 4.2.8p10 or later.
- If you can’t upgrade your version of
ntpq then if you want to know the
reslist of an instance of
ntpd that you do not control, know that if the target
ntpd is malicious that it can send back a response that intends to crash your
This weakness was discovered by Cure53.