NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p18 was released on 25 May 2024 and addresses 40 bugs and provides 40 improvements.

Please see the NTP 4.2.8p18 Changelog for details.

Bug 2669 - buffer overflow: configure()
Summary: buffer overflow: configure()
Status: RESOLVED FIXED
Alias: None
Product: ntp
Classification: Unclassified
Component: ntpd
Version: 4.2.6
Hardware: N/A All
Importance: P1 critical
Assignee: Harlan Stenn
URL:
Depends on:
Blocks: 2655
Reported: 2014-11-03 00:33 UTC by Harlan Stenn
Modified: 2023-03-30 10:09 UTC
CC: 6 users

See Also:
stenn: blocking4.2.6+
stenn: blocking4.2.8+


Attachments
patch for the configure overflow, bail if the configuration doesn't fit into the buffer (993 bytes, patch)
2014-11-24 15:14 UTC, Stephen Röttger

Description Harlan Stenn 2014-11-03 00:33:53 UTC
+++ This bug was initially created as a clone of Bug #2655 +++

5) ntpd/ntp_control.c:2495 <configure> (buffer overflow, needs privileges)
 fix: length check before memcpy
Comment 1 Harlan Stenn 2014-11-12 08:21:37 UTC
In 4.2.7 it's ntp_control.c:3275
Comment 2 Harlan Stenn 2014-11-12 08:45:04 UTC
Stephen,

If the requested transfer will exceed the buffer should we truncate?  Reject the request?
Comment 3 Stephen Röttger 2014-11-12 09:40:13 UTC
I think rejecting the request is the better approach.
E.g. what if I have restrict statements:
restrict default nomodify
restrict myip
and the second line gets cut off. In that case, I'll lose access.
Comment 4 Stephen Röttger 2014-11-24 15:14:44 UTC
Created attachment 1159 [details]
patch for the configure overflow, bail if the configuration doesn't fit into the buffer
Comment 5 Harlan Stenn 2014-12-12 11:20:10 UTC
Fixed in my ntp-dev-sec/ subdir.
Comment 6 Harlan Stenn 2014-12-20 06:07:43 UTC
Fixed in 4.2.8
Comment 7 sai 2014-12-22 22:27:54 UTC
Hi, I looked at the "ntp_control.c" source; in function "process_control" there is length-checking code like this:
"
...
req_data = rbufp->recv_length - CTL_HEADER_LEN;
if (req_data < req_count || rbufp->recv_length & 0x3) {
	ctl_error(CERR_BADFMT);
	numctldatatooshort++;
	return;
}

properlen = req_count + CTL_HEADER_LEN;
/* round up proper len to a 8 octet boundary */
properlen = (properlen + 7) & ~7;
maclen = rbufp->recv_length - properlen;
if ((rbufp->recv_length & 3) == 0 &&
	maclen >= MIN_MAC_LEN && maclen <= MAX_MAC_LEN && sys_authenticate) {
	...// need to go to this
}

/*
 * Set up translate pointers
 */
reqpt = (char *)pkt->data;
reqend = reqpt + req_count;
...
"
Since rbufp->recv_length is always less than 1000 ("#define RX_BUFF_SIZE 1000" in recvbuff.h), and maclen should be between 4 and 24, the maximum of properlen is 996 (1000-4), which means (req_count+CTL_HEADER_LEN) cannot be greater than 996. CTL_HEADER_LEN is 12, so req_count can't be greater than 984 (996-12), and in the "configure" function remote_config.buffer is 1024 bytes.

I don't know how to make it overflow (except if someone modifies RX_BUFF_SIZE in recvbuff.h). Has anyone reproduced this bug and can explain it?
Thanks
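The point argued in Comment 3 and described by the attachment in Comment 4 (check the length before memcpy, and reject rather than truncate a configuration that does not fit), as an added stand-alone illustration that is not ntpd's code: the names config_request_copy, config_request_truncate and REMOTE_CONFIG_BUFSIZE are hypothetical, and the two-line request is constructed after the restrict example in Comment 3.

```c
/* Added example, not ntpd's code. Shows a bounded copy of a remote
 * configuration request into a fixed buffer that bails out when the
 * request does not fit, next to the truncating alternative that silently
 * drops the second "restrict" line. All names here are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REMOTE_CONFIG_BUFSIZE 1024  /* same size as remote_config.buffer in Comment 7 */

/* Length check before memcpy: return 1 and fill buf (NUL-terminated) when
 * the request fits, otherwise leave buf empty and return 0 (reject). */
int config_request_copy(const char *req, size_t req_len,
                        char *buf, size_t buf_size)
{
    if (buf_size == 0)
        return 0;
    if (req_len >= buf_size) {      /* no room for req plus NUL: bail */
        buf[0] = '\0';
        return 0;
    }
    memcpy(buf, req, req_len);
    buf[req_len] = '\0';
    return 1;
}

/* The truncating alternative discussed in Comment 2: keeps only the first
 * buf_size-1 bytes and returns how many were kept. */
size_t config_request_truncate(const char *req, size_t req_len,
                               char *buf, size_t buf_size)
{
    if (buf_size == 0)
        return 0;
    size_t n = req_len < buf_size - 1 ? req_len : buf_size - 1;
    memcpy(buf, req, n);
    buf[n] = '\0';
    return n;
}

/* Constructed request: the two restrict lines from Comment 3 (40 bytes). */
static const char example_request[] = "restrict default nomodify\nrestrict myip\n";

int main(void)
{
    char buf[REMOTE_CONFIG_BUFSIZE];
    char small[32];                 /* deliberately too small for the request */
    size_t len = strlen(example_request);

    printf("fits in %d-byte buffer: %d\n", REMOTE_CONFIG_BUFSIZE,
           config_request_copy(example_request, len, buf, sizeof buf));
    printf("rejected by 32-byte buffer: %d\n",
           config_request_copy(example_request, len, small, sizeof small) == 0);
    config_request_truncate(example_request, len, small, sizeof small);
    printf("truncation keeps only: \"%s\"\n", small);  /* "restrict myip" is lost */
    return 0;
}
```

With the 32-byte buffer the rejecting copy returns 0 and leaves the configuration untouched, while the truncating copy keeps "restrict default nomodify" and loses "restrict myip", which is exactly the lock-out Comment 3 warns about.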