
Dec 25, 2014

Analysis of the ntpd stack buffer overflow vulnerabilities (CVE-2014-9295) from the source code perspective - Vulnerability alerts - Black Bar Safety Net






Recently, the official NTP website released an update patch:


It covers a total of 6 vulnerabilities under 4 CVE numbers, all of them found and reported by the Google Security Team.

Of these, CVE-2014-9295 covers three stack buffer overflows:


This article examines each of these three stack overflows from the source code perspective and asks how feasible it is to exploit each one for privilege escalation.

Note: the vulnerable (pre-patch) version referenced in this article is ntp-4.2.6p5.

Buffer overflow in configure()

First, the stack overflow in configure(). The description on the NTP website is as follows:

![t01d31fb18692ac507a.png](/Article/UploadPic/2014-12/20141225111656156.png)

Let us look at the contents of the December 12 patch:

![t0180bac9382d7cc886.png](/Article/UploadPic/2014-12/20141225111656813.png)

Before the memcpy call, the patch adds a check that data_count does not exceed the length of remote_config.buffer.

In other words, before the patch this memcpy could overflow the destination buffer. Is the destination, remote_config.buffer, on the stack?
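To make the shape of the check concrete, here is a reduced C model of the pattern, written for this article and not taken from the ntpd sources: a request body of attacker-controlled length `data_count` is copied into a fixed-size buffer, first without a bound (the pre-patch shape) and then with the length check in front of the memcpy. The struct, the constant `MAXLINE`, and the assumption that a trailing newline and NUL are written after the copy are simplifications chosen for this example; the real definitions live in ntp_config.h and ntp_control.c.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for ntpd's remote config buffer (assumed layout and size for
 * this example; see ntp_config.h for the real REMOTE_CONFIG_INFO). */
#define MAXLINE 1024

struct remote_config_info {
    char buffer[MAXLINE];   /* copy of the remote configuration request */
    size_t pos;             /* parse position, reset on each request */
};

static struct remote_config_info remote_config;

/*
 * Pre-patch shape: data_count comes straight from the packet length
 * (reqend - reqpt) and is copied with no check, so a request longer than
 * the buffer overruns it. Kept only to show the bug; the caller must
 * guarantee data_count <= MAXLINE - 2, otherwise this is undefined.
 */
static void configure_unchecked(const char *reqpt, size_t data_count)
{
    memcpy(remote_config.buffer, reqpt, data_count);
    if (data_count > 0 && remote_config.buffer[data_count - 1] != '\n')
        remote_config.buffer[data_count++] = '\n';   /* assumed post-processing */
    remote_config.buffer[data_count] = '\0';
    remote_config.pos = 0;
}

/*
 * Patched shape: reject the request before the copy if it cannot fit.
 * The bound is sizeof(buffer) - 2 rather than sizeof(buffer) because up
 * to two more bytes ('\n' and the NUL terminator) are written after the
 * memcpy; checking against the raw buffer size would still allow a
 * two-byte overrun. Returns 1 if accepted, 0 if rejected.
 */
static int configure_checked(const char *reqpt, size_t data_count)
{
    if (data_count > sizeof(remote_config.buffer) - 2) {
        fprintf(stderr, "runtime config rejected: request too long (%zu bytes)\n",
                data_count);
        return 0;
    }
    memcpy(remote_config.buffer, reqpt, data_count);
    if (data_count > 0 && remote_config.buffer[data_count - 1] != '\n')
        remote_config.buffer[data_count++] = '\n';
    remote_config.buffer[data_count] = '\0';
    remote_config.pos = 0;
    return 1;
}

/* Largest request body the checked path accepts. */
static size_t max_accepted_request(void)
{
    return sizeof(remote_config.buffer) - 2;
}

int main(void)
{
    /* Constructed sample inputs: one normal config line, one oversized request. */
    const char *ok = "server 127.127.1.0";
    char big[MAXLINE + 16];
    memset(big, 'A', sizeof(big));

    configure_unchecked(ok, strlen(ok));          /* safe: fits comfortably */
    printf("unchecked copy stored: %s", remote_config.buffer);

    printf("short request accepted: %d\n", configure_checked(ok, strlen(ok)));
    printf("oversized request accepted: %d\n", configure_checked(big, sizeof(big)));
    printf("max accepted: %zu bytes\n", max_accepted_request());
    return 0;
}
```

The point to take from the model is that the fix is a comparison between a length the remote party chooses and a size the program knows at compile time; anything written to the buffer after the memcpy (here the newline and terminator) has to be subtracted from that size, or the check is off by the number of trailing bytes.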

![t01b242106304a5d6ac.png](/Article/UploadPic/2014-12/20141225111656444.png)

This is in ntp_config.h:
