ntpdmakes use of different wrappers around
ctl_putdata()to create name/value
ntpq(mode 6) response strings. For example,
ctl_putstr()is usually used to send string data (variable names or string data). The formatting code was missing a length check for variable names. If somebody explicitly created any unusually long variable names in
ntpd(longer than 200-512 bytes, depending on the type of variable), then if any of these variables are added to the response list it would overflow a buffer.
setvarvariable names longer than 200-512 bytes in your
ntpdinstances, and auto-restart
-g) if it stops running.