An unauthenticated ntpdc reslist command can cause a segmentation fault in ntpd by causing a NULL pointer dereference.
The following conditions must be met:
1. Mode 7 must be enabled. By default, mode 7 is disabled.
2. A large enough number of entries must exist in the restrict list to cause seqno to be equal to MAXSEQ.
The ntpdc reslist command is used to query the restrictions currently enforced by ntpd. If the number of restrictions is too large to fit into a single packet, the results will be split across a sequence of packets. The reslist command does not require authentication.
The functions that return the results (listrestrict4() and listrestrict6()) do not correctly handle the case where the number of packets required is greater than the maximum value of the response packet sequence number, resulting in a NULL pointer dereference.
In the event that seqno is equal to MAXSEQ and more_pkt() returns NULL, the return value should be checked and ntpd should fail gracefully.
The root cause of the crash is a segmentation violation caused by a NULL pointer dereference in listrestrict4() or listrestrict6().
The IPv4 and IPv6 restriction lists are kept sorted in reverse order. To correctly display the output, the functions listrestrict4() and listrestrict6() traverse the list recursively and dump the lists in reverse.
After recursing to the end of the list, the value pointed to by ppir is assigned the result of more_pkt(). Within more_pkt(), if databytes + itemsize > RESPDATASIZE and seqno == MAXSEQ, then NULL is returned and stored through ppir. The pointer pir is then assigned from ppir and dereferenced, resulting in a segmentation violation.
An attacker that can increase the size of the restrict list on a server with request mode enabled can crash ntpd. The attacker might be able to increase the number of restrictions dynamically via the "restrict source" mechanism. Additionally, an authenticated user can add restrict lines to the configuration with mode 6 if it is enabled.
Check the return value of more_pkt(), and if it is NULL, fail gracefully. The more_pkt() function is used in several places, and the return value should be checked at each invocation.
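The following is an added, constructed model of the failure and of the fix described above; it is not code from ntpd. The packet sizes, MAXSEQ value, and function names (more_pkt, list_restrict_unchecked, list_restrict_checked, dump_checked) are assumptions chosen for illustration. The unchecked lister reproduces the pattern of writing through whatever more_pkt() returns; the checked lister tests the return value and aborts the listing instead of dereferencing NULL.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed toy model of a mode-7 response packer. These constants are
 * assumptions for the example, NOT the values used by ntpd. */
#define RESPDATASIZE 32   /* assumed payload bytes per response packet */
#define MAXSEQ       3    /* assumed highest sequence number (packets 0..3) */
#define ITEMSIZE     8    /* assumed size of one restriction-list item */

struct packer {
    unsigned char buf[RESPDATASIZE];
    size_t databytes;     /* bytes used in the current packet */
    int seqno;            /* sequence number of the current packet */
    int packets_sent;     /* packets flushed so far */
};

/* Reserve ITEMSIZE bytes for the next item, flushing the current packet when
 * it is full. Returns NULL when the packet is full and seqno is already
 * MAXSEQ: no further packet can be numbered, which is the case the advisory
 * describes. */
static void *more_pkt(struct packer *p)
{
    if (p->databytes + ITEMSIZE > RESPDATASIZE) {
        if (p->seqno == MAXSEQ)
            return NULL;
        p->packets_sent++;    /* stand-in for transmitting the full packet */
        p->seqno++;
        p->databytes = 0;
    }
    void *item = p->buf + p->databytes;
    p->databytes += ITEMSIZE;
    return item;
}

struct restrict_entry {
    unsigned int addr;
    struct restrict_entry *next;
};

/* Vulnerable pattern: recurse to the tail, then emit entries in reverse,
 * writing through the more_pkt() result without checking it. Crashes with a
 * NULL dereference once the sequence space is exhausted. */
static int list_restrict_unchecked(struct restrict_entry *r, struct packer *p)
{
    if (r == NULL) return 0;
    int n = list_restrict_unchecked(r->next, p);
    unsigned int *slot = more_pkt(p);
    *slot = r->addr;          /* NULL dereference when more_pkt() returns NULL */
    return n + 1;
}

/* Hardened pattern: check the return value at every invocation and stop
 * gracefully. Returns -1 when the response cannot be completed. */
static int list_restrict_checked(struct restrict_entry *r, struct packer *p)
{
    if (r == NULL) return 0;
    int n = list_restrict_checked(r->next, p);
    if (n < 0) return -1;     /* propagate failure from deeper in the recursion */
    unsigned int *slot = more_pkt(p);
    if (slot == NULL) return -1;
    *slot = r->addr;
    return n + 1;
}

/* Build a constructed restriction list of `count` entries in static storage. */
#define MAX_ENTRIES 64
static struct restrict_entry pool[MAX_ENTRIES];
static struct restrict_entry *build_list(int count)
{
    struct restrict_entry *head = NULL;
    for (int i = 0; i < count && i < MAX_ENTRIES; i++) {
        pool[i].addr = 0x0a000000u + (unsigned)i;   /* constructed sample addresses */
        pool[i].next = head;
        head = &pool[i];
    }
    return head;
}

/* Run the checked lister over `count` entries. Returns the number of entries
 * emitted, or -1 if the response sequence would have overflowed. */
int dump_checked(int count)
{
    struct packer p = {0};
    return list_restrict_checked(build_list(count), &p);
}

int main(void)
{
    /* 4 packets x 4 items fit; the 17th entry would need a 5th packet. */
    printf("16 entries -> %d\n", dump_checked(16));   /* 16 */
    printf("17 entries -> %d\n", dump_checked(17));   /* -1 */
    (void)list_restrict_unchecked;  /* kept for comparison; not run here */
    return 0;
}
```

With the assumed sizes, four packets hold sixteen entries; the seventeenth entry makes more_pkt() return NULL. The checked version reports failure to its caller, where ntpd could log the condition and abandon the reslist response, whereas the unchecked version would dereference NULL at that point.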
CVSSv2: 5.4 - AV:N/AC:H/Au:N/C:N/I:N/A:C
CVSSv3: 5.9 - AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
2015-10-07 - Vendor Disclosure
2016-01-19 - Public Release