[ntp:bugs] [Bug 1746] New: Segfault on startup if the machine has more than 512 IPs

bugzilla at ntp.org bugzilla at ntp.org
Thu Dec 9 18:39:29 UTC 2010


https://bugs.ntp.org/show_bug.cgi?id=1746

           Summary: Segfault on startup if the machine has more than 512 IPs
           Product: ntp
           Version: 4.2.2
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P5
         Component: ntpd
        AssignedTo: stenn at ntp.org
        ReportedBy: rlrevell at appnexus.com
                CC: bugs at ntp.org
   Estimated Hours: 0.0


There is no bounds checking of the inter_list array in create_sockets().  If a
machine has more than MAXINTERFACES IPs, ntpd will crash on startup.

This was found by Debian in 2006 apparently via code inspection.  But we are
hitting this in practice.

Core was generated by `/usr/sbin/ntpd -n'.
Program terminated with signal 11, Segmentation fault.
#0  0x00002b5952a311dc in init_io () at ntp_io.c:786
786                inter_list[idx].ignore_packets = ISC_FALSE;
(gdb) list
781             * bind to it. This prevents other apps binding to it
782             * and potentially causing problems with more than one
783             * process fiddling with the clock
784             */
785            if (address_okay(&isc_if) == ISC_TRUE) {
786                inter_list[idx].ignore_packets = ISC_FALSE;
787            }
788            else {
789                inter_list[idx].ignore_packets = ISC_TRUE;
790            }
(gdb) p inter_list[560]
$1 = {fd = -1, bfd = -1, sin = {ss_family = 2, __ss_align = 0, __ss_padding = '\0' <repeats 111 times>}, bcast = {ss_family = 2, __ss_align = 0, __ss_padding = '\0' <repeats 111 times>}, mask = {ss_family = 2, __ss_align = 0, __ss_padding = '\0' <repeats 111 times>}, name = "eth1.2068", '\0' <repeats 22 times>, family = 2, flags = 25, last_ttl = 0, addr_refid = 0, num_mcast = 0, received = 0, sent = 0, notsent = 0, ifindex = 0, scopeid = 0, ignore_packets = isc_boolean_false}
(gdb) p inter_list[561]
Cannot access memory at address 0x2b5952d2ae88
(gdb) 
[1]+  Stopped                 gdb /usr/lib/debug/usr/sbin/ntpd.debug /var/cores/ntpd.17920
[root at 053.webc-r2.nym1.appnexus.net ~]# grep -rIi MAXINTERFACES /usr/src/debug/ntp-4.2.2p1/
/usr/src/debug/ntp-4.2.2p1/ntpd/ntp_io.c:struct interface inter_list[MAXINTERFACES]; /* Interface list */
/usr/src/debug/ntp-4.2.2p1/ntpd/ntp_io.c:    if (ind < 0 && ninterfaces >= MAXINTERFACES)
/usr/src/debug/ntp-4.2.2p1/include/ntp.h:#define MAXINTERFACES    512    /* max number of interfaces */
[root at 053.webc-r2.nym1.appnexus.net ~]#
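Added illustration, not ntpd's code and not the fix that was later applied to the project: a simplified model of a fixed-size interface table with the bounds check the report says create_sockets() lacks. The names MAXINTERFACES, inter_list and ninterfaces and the `ind < 0 && ninterfaces >= MAXINTERFACES` condition follow the grep output above; the struct layout, IFNAMELEN, the interface names and the functions are assumptions made for this example. When the table is full a new address is skipped and logged rather than written past the end of the array, so a host with 560 addresses ends up with 512 entries instead of a corrupted heap or a crash.

```c
#include <stdio.h>
#include <string.h>

#define MAXINTERFACES 512          /* limit quoted from ntp.h in the report */
#define IFNAMELEN     32           /* assumed name buffer size (not ntp's) */

/* Assumed minimal layout; the real struct interface has many more fields. */
struct interface {
    char name[IFNAMELEN];
    int  ignore_packets;
};

static struct interface inter_list[MAXINTERFACES];   /* fixed-size table */
static int ninterfaces;                               /* entries in use */

/* Forget every entry so an enumeration can start fresh. */
void reset_interfaces(void)
{
    memset(inter_list, 0, sizeof inter_list);
    ninterfaces = 0;
}

/* Return the index of a named entry, or -1 if it is not in the table. */
int find_interface(const char *name)
{
    int i;
    for (i = 0; i < ninterfaces; i++)
        if (strcmp(inter_list[i].name, name) == 0)
            return i;
    return -1;
}

/* Bounds-checked insert: the check the report says create_sockets() is
 * missing.  Returns the entry's index, or -1 when the table is already full
 * (or the name does not fit); the caller must then skip the address instead
 * of storing into inter_list[MAXINTERFACES] and beyond. */
int find_or_add_interface(const char *name, int ignore_packets)
{
    int ind = find_interface(name);
    if (ind >= 0)
        return ind;                         /* already present, reuse it */
    if (ninterfaces >= MAXINTERFACES) {     /* same test as the grep hit */
        fprintf(stderr, "interface table full (%d entries), skipping %s\n",
                MAXINTERFACES, name);
        return -1;
    }
    if (strlen(name) >= IFNAMELEN)
        return -1;                          /* name would overflow the buffer */
    ind = ninterfaces++;
    strcpy(inter_list[ind].name, name);     /* safe: length checked above */
    inter_list[ind].ignore_packets = ignore_packets;
    return ind;
}

/* Simulate enumerating `ncandidates` addresses (e.g. the 560 or so the core
 * dump implies) with constructed names, and return how many were stored. */
int enumerate_addresses(int ncandidates)
{
    char name[IFNAMELEN];
    int i, added = 0;
    for (i = 0; i < ncandidates; i++) {
        snprintf(name, sizeof name, "eth1.%d", 2000 + i);   /* constructed */
        if (find_or_add_interface(name, 0) >= 0)
            added++;
    }
    return added;
}

int main(void)
{
    reset_interfaces();
    printf("560 candidate addresses, %d stored (limit %d)\n",
           enumerate_addresses(560), MAXINTERFACES);
    return 0;
}
```

The lookup-before-insert mirrors the one place the grep shows the check already being made: an address that is already in the table is accepted regardless of how full it is, and only a genuinely new address is rejected once ninterfaces reaches MAXINTERFACES.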
