NTP BUG 2920: Invalid length data provided by a custom refclock driver could cause a buffer overflow
Last update: June 28, 2022 20:06 UTC (57417e17c)
21 Oct 2015
Potentially all ntp-4 releases running up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 that have custom refclocks.
Resolved in 4.2.8p4.
0.0 usual case, 5.9 unusual worst case
A negative value for the datalen parameter will overflow a data buffer. NTF’s ntpd driver implementations always set this value to 0 and are therefore not vulnerable to this weakness. If you are running a custom refclock driver in ntpd and that driver supplies a negative value for datalen (no custom driver of even minimal competence would do this) then ntpd would overflow a data buffer. It is even hypothetically possible in this case that instead of simply crashing ntpd the attacker could effect a code injection attack.
- Upgrade to 4.2.8p4 or later.
- If you are unable to upgrade:
  - If you are running custom refclock drivers, make sure the signed datalen value is either zero or positive.
- Monitor your
This weakness was discovered by Yves Younan of Cisco Talos.
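
The following added example is not ntpd source code. It illustrates the general signed-length pitfall behind this advisory and the check a custom driver author can apply before handing a length to a copy routine. The buffer size, struct and function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RX_BUF_SIZE 256              /* assumed size, not ntpd's value */

struct rx_buf {                      /* hypothetical receive buffer */
    size_t used;
    unsigned char data[RX_BUF_SIZE];
};

/* Weak pattern: only an upper bound, compared as a signed int.
 * Returns 1 when the length would be accepted; negatives pass. */
int weak_len_ok(int datalen)
{
    return datalen <= (int)RX_BUF_SIZE;
}

/* The size a copy routine sees once a signed length is converted. */
size_t as_copy_size(int datalen)
{
    return (size_t)datalen;
}

/* Hardened pattern: reject negative and oversize lengths before any
 * conversion or copy. Returns bytes stored, or -1 on rejection. */
int store_driver_data(struct rx_buf *rb, const unsigned char *src, int datalen)
{
    if (rb == NULL || datalen < 0 || (size_t)datalen > sizeof rb->data)
        return -1;
    if (datalen > 0 && src == NULL)
        return -1;
    if (datalen > 0)
        memcpy(rb->data, src, (size_t)datalen);
    rb->used = (size_t)datalen;
    return datalen;
}

int main(void)
{
    struct rx_buf rb = {0};
    const unsigned char sample[] = "constructed sample"; /* constructed input */

    printf("weak check accepts -1: %d\n", weak_len_ok(-1));
    printf("-1 as a copy size: %zu\n", as_copy_size(-1));
    printf("hardened, datalen=-1: %d\n", store_driver_data(&rb, sample, -1));
    printf("hardened, datalen=18: %d\n", store_driver_data(&rb, sample, 18));
    return 0;
}
```
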