University of Delaware Information for VU#970472
| Date Notified | |
| Date Modified | 05/22/2008 12:42:44 PM |
| Status Summary | Vulnerable |
Vendor StatementThe patch I sent out applies to the NTPv4 99k distribution which for
safety I fetched directly from its public place. For record:
--- ntp_control.c.1 Thu Apr 5 21:41:56 2001
+++ ntp_control.c Thu Apr 5 21:43:02 2001
@@ -1824,6 +1824,8 @@
while (cp < reqend && *cp !=
',')
*tp++ = *cp++;
+ if (tp >= buf + sizeof(buf))
+ return (0);
if (cp < reqend)
cp++;
*tp = '\0';
Not fancy; it's been a long day.Addendum
Target CVS repository:
http://maccarony.ntp.org/cgi-bin/cvsweb.cgi/ntp/ntpd/ntp_control.c?rev=1.33&content-type=text/x-cvsweb-markup
Target patched version:
ftp://ftp.udel.edu/pub/ntp/ntp4/ntp-4.0.99k23.tar.gz
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
