NTP BUG 3009: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC

Last update: April 22, 2024 18:49 UTC (7e7bd5857)


Resolved: 4.2.8p7, 26 Apr 2016
References: Bug 3009, CVE-2016-2518
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p7.
CVSS2 Score: LOW 2.1 AV:N/AC:H/Au:S/C:N/I:N/A:P
CVSS3 Score: LOW 2.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L


Using a crafted packet to create a peer association with hmode > 7 causes the MATCH_ASSOC() lookup to make an out-of-bounds reference.
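
The class of defect described above, as an added illustration that is not ntpd's code: a two-dimensional mode table indexed by a host mode taken from a request, with the offset an unchecked lookup would address shown beside a lookup that validates both indices first. The table size (8x8, so modes 0..7 are valid), its entries, and every name below are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumption: an 8x8 table, so modes 0..7 are valid indices (matching the
 * advisory's "hmode > 7"). Entries are constructed, not ntpd's real table. */
#define N_MODES 8
enum { ACT_ERR = 0, ACT_PROC = 1 };            /* hypothetical actions */

static const unsigned char match_table[N_MODES][N_MODES] = {
    [1] = { [1] = ACT_PROC, [2] = ACT_PROC },  /* constructed entries */
    [3] = { [4] = ACT_PROC },
};

/* Element offset that an unchecked table[hmode][pmode] would address. */
size_t unchecked_offset(unsigned char hmode, unsigned char pmode)
{
    return (size_t)hmode * N_MODES + pmode;
}

/* 1 when that offset falls outside the table's N_MODES * N_MODES elements. */
int offset_out_of_bounds(unsigned char hmode, unsigned char pmode)
{
    return unchecked_offset(hmode, pmode) >= (size_t)N_MODES * N_MODES;
}

/* Hardened lookup: validate both indices before touching the table.
 * Returns 0 and stores the action in *out, or -1 if either mode is invalid. */
int match_assoc_checked(unsigned int hmode, unsigned int pmode, unsigned char *out)
{
    if (hmode >= N_MODES || pmode >= N_MODES)
        return -1;
    *out = match_table[hmode][pmode];
    return 0;
}

int main(void)
{
    const unsigned char samples[] = { 1, 3, 7, 8, 200 };  /* constructed hmode values */
    for (size_t i = 0; i < sizeof samples; i++) {
        unsigned char act = ACT_ERR;
        int rc = match_assoc_checked(samples[i], 4, &act);
        printf("hmode=%3u offset=%4zu oob=%d checked=%s\n", (unsigned)samples[i],
               unchecked_offset(samples[i], 4), offset_out_of_bounds(samples[i], 4),
               rc == 0 ? (act == ACT_PROC ? "PROC" : "ERR") : "rejected");
    }
    return 0;
}
```

Rejecting the out-of-range mode when the association is created, and again at lookup time, keeps a single missed check from turning into an out-of-bounds read.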



This weakness was discovered by Yihan Lian of the Cloud Security Team, Qihoo 360.