CVE-2015-7853
A potential buffer overflow vulnerability exists in the refclock code of ntpd. An invalid length provided by a hardware reference clock could cause a buffer overflow, potentially resulting in memory being modified. A malicious refclock could provide a negative length to trigger this vulnerability.
ntp 4.2.8p2
At line 3233 in ntp_io.c, a size check is performed to ensure that the length provided isn’t greater than the space available in the buffer that is being written to.
3233 i = (rp->datalen == 0
3234 || rp->datalen > (int)sizeof(rb->recv_space))
3235 ? (int)sizeof(rb->recv_space)
3236 : rp->datalen;
3237 do {
3238 buflen = read(fd, (char *)&rb->recv_space, (u_int)i);
3239 } while (buflen < 0 && EINTR == errno);
However, the size check is performed by casting the size of the buffer to a signed integer type and doing a signed integer comparison. This means that if datalen is negative, the check passes and i is assigned a negative value; when i is then cast to u_int and used as the count argument to read at line 3238, it becomes a very large unsigned value, resulting in a buffer overflow.
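As an added illustration (not ntpd's own code), the C program below reproduces the shape of the length computation from ntp_io.c with a hypothetical RECV_SPACE_SIZE standing in for sizeof(rb->recv_space), shows what the (u_int) cast at the read call turns a negative length into, and places one possible hardened clamp beside it.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for sizeof(rb->recv_space) in ntpd. */
#define RECV_SPACE_SIZE 1024

/* Mirrors the original check: a signed comparison against the buffer
 * size, so a negative datalen passes and is returned unchanged. */
int vulnerable_read_len(int datalen)
{
    int i = (datalen == 0 || datalen > (int)RECV_SPACE_SIZE)
                ? (int)RECV_SPACE_SIZE
                : datalen;
    return i;
}

/* The original call site casts i to u_int before handing it to read();
 * this is the count read() would actually receive. */
unsigned int as_read_count(int i)
{
    return (unsigned int)i;
}

/* One hardened variant (an assumption, not ntpd's actual fix): treat any
 * non-positive length like 0, i.e. fall back to the full buffer size, so
 * the count can never exceed the space available in recv_space. */
size_t safe_read_len(int datalen)
{
    if (datalen <= 0 || datalen > (int)RECV_SPACE_SIZE)
        return RECV_SPACE_SIZE;
    return (size_t)datalen;
}

int main(void)
{
    /* Constructed sample lengths a reference clock driver might supply. */
    int samples[] = { 0, 100, 4096, -1 };
    for (size_t n = 0; n < sizeof(samples) / sizeof(samples[0]); n++) {
        int i = vulnerable_read_len(samples[n]);
        printf("datalen=%5d  vulnerable i=%5d  read() count=%10u  safe=%4zu\n",
               samples[n], i, as_read_count(i), safe_read_len(samples[n]));
    }
    return 0;
}
```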
Yves Younan of Cisco Talos