Network Time Protocol Reference Clock Memory Corruption Vulnerability

ID TALOS-2015-0064
Type talos
Reporter Talos Intelligence
Modified 2015-10-21T00:00:00


Talos Vulnerability Report


Network Time Protocol Reference Clock Memory Corruption Vulnerability

October 21, 2015
CVE Number



A potential buffer overflow vulnerability exists in the refclock of ntpd. An invalid length provided by a hardware reference clock could cause a buffer overflow potentially resulting in memory being modified. A malicious reflock could provide a negative length to trigger this vulnerability.

Tested Versions

ntp 4.2.8p2

Product URLs



At line 3233 in ntp_io.c, a size check is performed to ensure that the length provided isn’t greater than the space available in the buffer that is being written to.

3233    i = (rp-&gt;datalen == 0
3234    || rp-&gt;datalen &gt; (int)sizeof(rb-&gt;recv_space))
3235    ? (int)sizeof(rb-&gt;recv_space)
3236    : rp-&gt;datalen;
3237    do {
3238        buflen = read(fd, (char *)&rb-&gt;recv_space, (u_int)i);
3239    } while (buflen &lt; 0 && EINTR == errno);

However, the size is performed by casting the size of the buffer to an integer type and doing an integer comparison. This means that if datalen is negative, then i will be assigned a negative value, resulting in a buffer overflow when it is used as an argument to read at line 3238.


Yves Younan of Cisco Talos

Vulnerability Reports Next Report


Previous Report