NTP BUG 3379: Potential Overflows in ctl_put() functions
Last update: February 15, 2022 20:59 UTC (43fbd379b)
ntpd makes use of different wrappers around
ctl_putdata() to create name/value
ntpq (mode 6) response strings. For example,
ctl_putstr() is usually used to send string data (variable names or string data). The formatting code was missing a length check for variable names. If somebody explicitly created any unusually long variable names in
ntpd (longer than 200-512 bytes, depending on the type of variable), then if any of these variables are added to the response list it would overflow a buffer.
- Implement BCP-38.
- Upgrade to 4.2.8p10 or later.
- If you don’t want to upgrade, then don’t
setvar variable names longer than 200-512 bytes in your
- Properly monitor your
ntpd instances, and auto-restart
-g) if it stops running.
This weakness was discovered by Cure53.