MYHACK58:62201457326

Analysis of the ntpd stack buffer overflow vulnerability (CVE-2014-9295) from the source code perspective - vulnerability warning - Black Bar Safety Net (myhack58)

2014-12-25 00:00:00
Anonymous (佚名)
www.myhack58.com

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.966 High
Percentile: 99.5%

Recently, the official ntp website released an update patch:

<http://support.ntp.org/bin/view/Main/SecurityNotice>

It covers a total of six vulnerabilities under four CVE numbers, all found and reported by the Google Security Team.

CVE-2014-9295 alone covers three stack overflows:

<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295>

This article examines these three stack overflows from the source code perspective and asks, for each, whether it can be exploited for privilege escalation.

Note: the vulnerable (old) version referenced throughout is ntp-4.2.6p5.

Buffer overflow in configure()

First, the stack overflow in configure(). The official description on the website reads as follows:

![t01d31fb18692ac507a.png](/Article/UploadPic/2014-12/20141225111656156.png)

Let's look at the content of the patch dated 12/12:

http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acf55dxKfhb6MuYQwzu8eDlS97g

![t0180bac9382d7cc886.png](/Article/UploadPic/2014-12/20141225111656813.png)

Before the memcpy, the patch adds a check that data_count does not exceed the length of remote_config.buffer.

In other words, before the patch this memcpy could overflow. Is the destination, remote_config.buffer, on the stack?
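To make the missing check concrete, here is an added model of the pre- and post-patch copy (example code, not ntpd's own; the struct layout, the buffer size and the function names are assumptions chosen for illustration):

```c
/* Added example (not ntpd's own code): a model of the configure() memcpy
 * fix described above. Struct, buffer size and function names are assumed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REMOTE_CONFIG_BUFSIZE 64   /* assumed; ntpd's real size differs */

struct remote_config_info {
    char buffer[REMOTE_CONFIG_BUFSIZE];
    size_t pos;
};

static struct remote_config_info remote_config;

/* Pre-patch shape: data_count comes straight from the packet and is never
 * compared against the destination size. Modelled as a predicate only, so
 * the out-of-bounds write is never actually performed. */
int unchecked_copy_would_overflow(size_t data_count)
{
    return data_count > sizeof(remote_config.buffer) - 1;
}

/* Post-patch shape: reject any payload that does not fit (leaving room for
 * the terminator), then copy and NUL-terminate.
 * Returns 0 on success, -1 when the payload is too long. */
int store_remote_config(const char *data, size_t data_count)
{
    if (data_count > sizeof(remote_config.buffer) - 1)
        return -1;
    memcpy(remote_config.buffer, data, data_count);
    remote_config.buffer[data_count] = '\0';
    remote_config.pos = data_count;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one short config line and one oversized payload. */
    char big[256];
    memset(big, 'A', sizeof(big));
    printf("short payload: %d\n", store_remote_config("server 127.0.0.1", 16));
    printf("oversized payload: %d\n", store_remote_config(big, sizeof(big)));
    printf("unchecked copy of 256 bytes overflows: %d\n",
           unchecked_copy_would_overflow(sizeof(big)));
    return 0;
}
```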

![t01b242106304a5d6ac.png](/Article/UploadPic/2014-12/20141225111656444.png)

Here it is in ntp_config.h:
