Security context

What an agent needs to avoid regressing past fixes and find the next vuln in this repo.

ntp-project/ntp
stable @ 82d1f21
149
Fixes
0
CVEs
CRITICAL
Peak severity
Highlights
Denial of Service: 53 prior fixes. Scrutinize any change in this area.
ntpd/ntp_crypto.c: most-fixed (39 issues). Treat as high-risk during review.
60 high-severity fixes in this history; regressions here are high-impact.
Recurring patterns

The bug types that recur here, drawn from past fixes, not open vulnerabilities.

Buffer Overflow: Unbounded remote configuration commands and control query parsing allowed severe stack-based and heap-based buffer overflows via unsafe memory copy operations. Maintaining strict input limits on incoming queries and configurations is vital.
Auth Bypass: The symmetric association validation mechanism was vulnerable to complete authentication bypass (the 'NAK to the Future' vulnerability) where unauthenticated or spoofed crypto-NAK packets could prematurely alter or tear down active peer association states.
Buffer Overflow: Critical stack and heap buffer overflows occurred when handling Autokey extension fields and certificate decryption, where input value lengths (vallen) were trusted without comparing them against physical outer packet size limits.