NTP BUG 3008: ctl_getitem() return value not always checked
Last update: June 28, 2022 20:06 UTC (57417e17c)
ntpdc can be used to store and retrieve information in ntpd. It is possible to store a data value that is larger than the size of the buffer that the ctl_getitem() function of ntpd uses to report the return value. If the length of the requested data value returned by ctl_getitem() is too large, the value NULL is returned instead. There are 2 cases where the return value from ctl_getitem() was not directly checked to make sure it’s not NULL, but there are subsequent INSIST() checks that make sure the return value is not NULL. There are no data values ordinarily stored in ntpd that would exceed this buffer length. But if one has permission to store values and one stores a value that is “too large”, then ntpd will abort if an attempt is made to read that oversized value.
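The following is an added example, not code from ntpd or this advisory. It models the bug class described above in simplified form: a lookup routine signals "value too large for the reporting buffer" by returning NULL, an unchecked caller lets that NULL reach an INSIST()-style assertion (which in ntpd aborts the process), and a hardened caller checks the return value directly and reports an error instead. All names (get_item, value_buf, report_unchecked, report_checked, the vars table) and the buffer size are constructed for the example; INSIST() is modelled as a recorded failure so the code can run to completion.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed size of the buffer used to report a value (hypothetical). */
#define VALUE_BUF_LEN 16
static char value_buf[VALUE_BUF_LEN];

/* Constructed stand-in for values stored in the daemon. */
struct var { const char *name; const char *value; };
static const struct var vars[] = {
    { "short",     "ok" },
    { "oversized", "this value is longer than the reporting buffer" },
};

/* In ntpd, a failed INSIST() aborts the process. Here a failed check is
 * recorded in a counter and the caller bails out, so the abort can be
 * observed as a count instead of terminating the example. */
static int insist_aborts;
#define INSIST(cond) do { if (!(cond)) { insist_aborts++; return -1; } } while (0)

/* Copies the named value into value_buf and returns it, or NULL when the
 * name is unknown or the value does not fit: callers must check for NULL. */
static const char *get_item(const char *name) {
    for (size_t i = 0; i < sizeof vars / sizeof vars[0]; i++) {
        if (strcmp(vars[i].name, name) != 0) continue;
        size_t len = strlen(vars[i].value);
        if (len >= VALUE_BUF_LEN) return NULL;    /* too large for value_buf */
        memcpy(value_buf, vars[i].value, len + 1);
        return value_buf;
    }
    return NULL;
}

/* Vulnerable pattern: the return value is not checked at the call site, so
 * an oversized stored value reaches the assertion and takes the daemon down.
 * Returns 0 on success, -1 when the modelled INSIST() fires. */
static int report_unchecked(const char *name, char *out, size_t outlen) {
    const char *item = get_item(name);
    /* ... other work that does not inspect item ... */
    INSIST(item != NULL);
    snprintf(out, outlen, "%s=%s", name, item);
    return 0;
}

/* Hardened pattern: check the return value directly and return an error to
 * the requester; the process keeps running. Returns 0 on success, -1 on error. */
static int report_checked(const char *name, char *out, size_t outlen) {
    const char *item = get_item(name);
    if (item == NULL) {
        snprintf(out, outlen, "%s: value unavailable", name);
        return -1;
    }
    snprintf(out, outlen, "%s=%s", name, item);
    return 0;
}

int main(void) {
    char out[64];
    const char *names[] = { "short", "oversized" };
    for (size_t i = 0; i < 2; i++) {
        out[0] = '\0';
        int rc = report_checked(names[i], out, sizeof out);
        printf("checked   %-9s rc=%d aborts=%d %s\n", names[i], rc, insist_aborts, out);
        out[0] = '\0';
        rc = report_unchecked(names[i], out, sizeof out);
        printf("unchecked %-9s rc=%d aborts=%d %s\n", names[i], rc, insist_aborts, out);
    }
    return 0;
}
```

The hardened caller turns the oversized-value case into an ordinary error response, which is the shape of fix the advisory's description implies: the NULL return is checked where it is produced rather than left for a later assertion to catch.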
This weakness was discovered by Yihan Lian of the Cloud Security Team, Qihoo 360.