NTP BUG 3379: Potential Overflows in ctl_put() functions
Last update: June 27, 2022 20:45 UTC (51d68a4aa)
Summary
Description
ntpd
makes use of different wrappers around ctl_putdata()
to create name/value ntpq
(mode 6) response strings. For example, ctl_putstr()
is usually used to send string data (variable names or string data). The formatting code was missing a length check for variable names. If somebody explicitly created any unusually long variable names in ntpd
(longer than 200-512 bytes, depending on the type of variable), then if any of these variables are added to the response list it would overflow a buffer.
Mitigation
- Implement BCP-38.
- Upgrade to 4.2.8p10 or later.
- If you don’t want to upgrade, then don’t
setvar
variable names longer than 200-512 bytes in your ntp.conf
file.
- Properly monitor your
ntpd
instances, and auto-restart ntpd
(without -g
) if it stops running.
Credit
This weakness was discovered by Cure53.
Timeline