CVE-2015-7849
An exploitable use-after-free vulnerability exists in the password management functionality of the Network Time Protocol. A specially crafted key file could cause a buffer overflow resulting in memory corruption. An attacker could provide a malicious password file to trigger this vulnerability.
ntp 4.2.8p2
The function authdelkeys() frees all the keys that are used for user authentication. In the case of normal keys, they are also removed from the list of keys. However, in the case of trusted keys, the memory holding the key is freed but the pointer to that memory location is not set to NULL, so the key stays in the list with a dangling pointer.
This is the code at line 598 in authkeys.c:
    if (KEY_TRUSTED & sk->flags) {
        if (sk->secret != NULL) {
            memset(sk->secret, '\0', sk->secretsize);
            free(sk->secret);
            /* sk->secret is freed here but is never set to NULL,
             * and sk stays linked in the bucket's hash chain */
        }
        sk->secretsize = 0;
        sk->lifetime = 0;
    } else {
Since the key is still in the linked list, a later reload of the same keyid finds it and simply copies the new secret into the freed buffer at line 541 in authkeys.c:
    for (sk = *bucket; sk != NULL; sk = sk->hlink) {
        if (keyno == sk->keyid) {
            sk->type = (u_short)keytype;
            secretsize = len;
            sk->secretsize = (u_short)secretsize;
    #ifndef DISABLE_BUG1243_FIX
            /* sk->secret still holds the pointer freed by authdelkeys():
             * this memcpy writes into freed memory */
            memcpy(sk->secret, key, secretsize);
Reuse of a previous buffer can lead to inconsistencies in authentication tokens or memory corruption.
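The same delete-then-reload sequence with the dangling pointer handled, as an added example that is not ntpd's code: the struct, function names and key values are constructed stand-ins for savekey, the trusted-key branch of authdelkeys() and the reload path at line 541, and the fix shown is to clear the pointer after free and (re)allocate before copying.

```c
#include <stdlib.h>
#include <string.h>
#define KEY_TRUSTED 0x1
/* Minimal stand-in for ntpd's savekey (constructed for this example). */
struct savekey {
    unsigned char *secret;
    unsigned short  secretsize;
    unsigned short  flags;
};
/* Hardened form of the trusted-key branch in authdelkeys(): zero, free, and clear the pointer. */
void delkey_trusted(struct savekey *sk)
{
    if (KEY_TRUSTED & sk->flags && sk->secret != NULL) {
        memset(sk->secret, 0, sk->secretsize);
        free(sk->secret);
        sk->secret = NULL;          /* the step missing in 4.2.8p2 */
        sk->secretsize = 0;
    }
}
/* Hardened reload path: (re)allocate when the pointer is NULL or the size changed,
 * instead of copying into whatever sk->secret happens to point at. */
int setkey(struct savekey *sk, const unsigned char *key, size_t len)
{
    if (len == 0 || len > 0xffff)
        return -1;
    if (sk->secret == NULL || sk->secretsize != len) {
        unsigned char *p = realloc(sk->secret, len);  /* realloc(NULL, n) acts as malloc */
        if (p == NULL)
            return -1;
        sk->secret = p;
    }
    memcpy(sk->secret, key, len);
    sk->secretsize = (unsigned short)len;
    return 0;
}
/* Delete a trusted key, then reload it with a different secret; returns 1 when
 * the reload landed in a live, correctly sized buffer with the expected contents. */
int demo_reload_after_delete(void)
{
    const unsigned char k1[] = "constructed-key-one";
    const unsigned char k2[] = "constructed-second-key";
    struct savekey sk = { NULL, 0, KEY_TRUSTED };
    if (setkey(&sk, k1, sizeof k1) != 0) return 0;
    delkey_trusted(&sk);
    if (sk.secret != NULL || sk.secretsize != 0) return 0;
    if (setkey(&sk, k2, sizeof k2) != 0) return 0;
    int ok = sk.secretsize == sizeof k2 && memcmp(sk.secret, k2, sizeof k2) == 0;
    free(sk.secret);
    return ok;
}
```

Building the original 4.2.8p2 sequence under AddressSanitizer reports the memcpy at line 541 as a heap-use-after-free; with the pointer cleared and the reload path allocating first, the same sequence stays in live memory.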
Yves Younan of Cisco Talos