[ntp:security] [Bug 527] ntpd frequently crashes on Windows systems

bugzilla at ntp.isc.org bugzilla at ntp.isc.org
Wed Nov 16 01:36:28 PST 2005


http://bugs.ntp.isc.org/show_bug.cgi?id=527


heiko.gerstung at meinberg.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|security at ntp.isc.org        |bugs at ntp.isc.org,
                   |                            |martin.burnicki at meinberg.de
            Summary|the bug...                  |ntpd frequently crashes on
                   |                            |Windows systems


----------------------------------------------------------------------------
Additional Comments From heiko.gerstung at meinberg.de (Heiko Gerstung)
Submitted on 2005-11-16 09:36
It seems that recent ntp-dev versions of ntpd are crashing on Windows machines
after running for 1-3 days under almost zero load or after 1-5 seconds under
high load (stress testing).

After the crash ntpd is unresponsive, in most cases an "Unhandled Exception -
Access Violation 0xC0000005" trap was reported by the OS but there were also
cases where ntpd just died silently without further notice.

One machine (a dual P3 SMP) did not crash when running the debug version of ntpd
under Windows 2000, but every other machine did not even stand for 3 seconds
when several hundred packets per second arrived.

Here are our test results so far:
==================================

Machine A:
OS=W2K
CPU=2xP3(SMP)
DEBUG=NO CRASH
RELEASE=CRASHED

Machine B:
OS=W2K
CPU=P4(No HT)
RELEASE=CRASHED

Machine C:
OS=WXP
CPU=P4(HT)
DEBUG (with HT enabled)=CRASHED
DEBUG (with HT disabled)=CRASHED
RELEASE(with HT enabled)=CRASHED
RELEASE(with HT disabled)=CRASHED

Machine D:
OS=WXP
CPU=P4(HT)
RELEASE=CRASHED

Machine E:
OS=WXP
CPU=P3
RELEASE=CRASHED

DEBUG/RELEASE means we run the debug version in debug mode or the release version.



Some information we collected with the VC6 debugger:
====================================================

Trap:
-----
Unhandled exception C0000005


Stack trace window:
-------------------
00000010()
00bbff0c()    (Martin's comment: in HeapFree)
OnWriteComplete(unsigned long 4795568, IoCompletionInfo * 0x00371ff0,
unsigned long 48) line 390 + 21 bytes
iocompletionthread(void * 0x00000000) line 93 + 17 bytes
_threadstart(void * 0x00364ba0) line 187 + 13 bytes
KERNEL32! 7c80b50b()


Relevant pieces of the source code:
-----------------------------------
static int
OnWriteComplete(DWORD Key, IoCompletionInfo *lpo, DWORD Bytes)
{
	transmitbuf *buff = NULL;
	(void) Bytes;
	(void) Key;

	buff = (struct transmitbuf *) lpo->buff;

	free_transmit_buffer(buff);
	/* Clear the heap */
	if (lpo != NULL)
->		HeapFree(hHeapHandle, 0, lpo);
	return 1;
}



a piece of iocompletionthread:
		switch(lpo->request_type)
		{
		case CLOCK_READ:
			OnIoReadComplete(Key, lpo, BytesTransferred);
			break;
		case SOCK_RECV:
			OnSocketRecv(Key, lpo, BytesTransferred);
			break;
		case SOCK_SEND:
		case CLOCK_WRITE:
->			OnWriteComplete(Key, lpo, BytesTransferred);
			break;
		default:

I've marked the associated source code lines above with "->".

This bug has been marked security relevant because it makes DoS or DDoS attacks
possible for all ntpd versions since September. The exact version where this
bug/vulnerability has been introduced has not been detected so far.

Kind regards,
Heiko


-- 
Heiko Gerstung <heiko.gerstung at meinberg.de>


