NTP BUG 3610: process_control() should bail earlier on short packets

Last update: February 14, 2022 13:55 UTC (b6ca43fd1)


Summary

Resolved 4.2.8p14 03 Mar 2020
References Bug 3610
Affects All versions of ntpd up to, but not including ntp-4.2.8p14 and ntp-4.3.100. Resolved in ntp-4.2.8p14 and ntp-4.3.100.
CVSS2 Score 0.0 AV:N/AC:L/Au:N/C:N/I:N/A:N
CVSS3 Score 0.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Description

Fuzz testing detected that on systems that override the default and enable ntpdc (mode 7) packets, a short packet will cause ntpd to read uninitialized data.


Mitigation

Upgrade to 4.2.8p14 or later.


Credit

Reported by Philippe Antoine (Catena cyber with oss-fuzz).


Timeline