ctl_getitem() is used by ntpd to process incoming mode 6 packets. A malicious mode 6 packet can be sent to an ntpd instance, and if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will cause ctl_getitem() to read past the end of its buffer. References: http://support.ntp.org/bin/view/Main/NtpBug3412
Created ntp tracking bugs for this issue: Affects: fedora-all [bug 1550228]