[ntp:security] memory leak

kevin.mcgrath at no.abb.com kevin.mcgrath at no.abb.com
Fri Dec 21 10:27:35 UTC 2007

Hi all,

we appreciate the time spent by everyone in trying to identify the issue 
here. As of yesterday, I am out of the office and will respond to you in 
early january on this subject. 
Wishing you and yours a Merry Christmas and a peaceful 2008

Kind Regards

Heiko Gerstung <heiko.gerstung at meinberg.de> 
12/21/2007 08:48 AM

mayer at ntp.isc.org
Kevin McGrath/NOABB/ABB at ABB, security at ntp.org, Kai Hansen/NOCRC/ABB at ABB, 
Geir Guldstein/NOINA/ABB at ABB, Martin Burnicki 
<martin.burnicki at meinberg.de>, Frank Kardel <kardel at ntp.org>
Re: [ntp:security] memory leak

Hi Guys,

I installed a trial version of Rational Purify 7 from IBM on my laptop and 
NTPD in debug mode on it. As Danny correctly described, it runs a lot 
slower in 
this environment and all I got out of it was ~600 req/s (compared to 
req/s running the release version without Purify).

Purify revealed that a library called BMNET.DLL shows a memory leak. After 
investigation I found out that this DLL belongs to the driver suite of my 
UMTS data card and is produced by Byte Mobile ("BM"). It is hooked into 
the IP 
stack of Windows ("LSP") and redirects Windows system API calls (one of 
being "BMGetPeer").

I did not want to uninstall my whole data card stuff therefore I renamed 
library (which causes all TCP/IP connections to fail, NTPD will not start 
because it cannot bind to the wildcard interface and Firefox simply does 
return anything when you try to access any web page). I then ran LSPfix 
(http://www.cexx.org/lspfix.htm), a small tool that finds problems in the 
winsock protocol stack. It immediately detected the missing DLL and 
removed it 
from the stack (fixing the registry). That restored my IP stack and I was 
to access the net and start ntpd.

When I now fire up NTPLOAD I get around 30,000 req/s and the memory leak 
is not 
there anymore.

Kevin, could you please check if you have such a library in your SYSTEM32\ 
If not, I would suggest to download and install the trial version of 
Purify 7 from IBM (http://www.ibm.com/developerworks/downloads/r/rpp/) and 
run a 
debug version of ntpd within it (if you need a binary version of the 
with debugging enabled, please let me know).

So, after all it seems that this memory leak you see is caused by 
something else 
in the Windows IP stack.

I am available via email throughout the holidays in case of emergency.

Wishing all of you at ABB Norway (especially Dr. Hansen who I met last 
year in 
Oslo )and (of course!) Danny

a Merry Christmas and a Happy New Year,


Danny Mayer schrieb:
> Heiko Gerstung wrote:
>> Danny Mayer schrieb:
>>> Heiko Gerstung wrote:
>>>> Danny et al,
>>>> I can confirm a memory leak with 4.2.4p4, penetrating it with ntpload 
>>>> 33000 req/s results in ~0.5M/s increased memory consumption rate 
>>>> is not freed as it seems. I did not crash it, but this would be the
>>>> result if I just let ntpload do its ugly job :-)
>>> Heiko,
>>> Can you test this with the build, as is, from the tarball. I know you
>>> still have made some minor changes to your build and I want to make 
>>> that those changes are not affecting this. 
>> No, we were using a vanilla ntpd in the 4.2.4p4 version (AKA "Modena")
>> of the installer.
>>> Just remember that the
>>> recvbuf list expands to accommodate the incoming influx of packets and
>>> does not release them. There used to be a limit and I had removed it 
>>> that's true of the Unix version as well. The version I have has barely
>>> changed its footprint since I started to run ntpload (from another
>>> system) against it. The current syntax I'm using is:
>>> ntpload-2.2\Release>ntpload -c -t 10 -u 200
>>> and I'm running debug mode which does slow things down somewhat.
>> Today I checked again and found out that the memory leak seems to be
>> appearing on my laptop (which I used for my tests so far) but not on my
>> desktop machine, which I use for testing and building the installer and
>> the included ntpd and openssl. That seems to indicate that this memory
>> leak is somehow related to different hardware or software platforms.
>> Both my machines run XP Professional SP2 and patches are up to date
>> (last patch installed is KB944653). The laptop has IE7 installed and 
>> desktop still runs IE6, while I am typing this I am installing IE7 on
>> the desktop machine to find out if this has something to do with it.
> Nothing about IE should make a difference to ntp. I'm also running an
> Oracle DB, tomcat, IIS, Firefox and IE, antivirus, VS 2005, pidgin,
> Acrobat reader, named, Microsoft Office products all at the same time on
> my system.
>> There is nothing special with the network interfaces of both systems, I
>> have GigE connections on both of them (Intel chip on the desktop,
>> Marvell Yukon on the lappy) and they both are connected to the same
>> switch and subnet plus they use the same DHCP, DNS and other servers.
> None of which should make a difference.
>> I will keep you posted. We are trying to analyze the memory leak with
>> some special debugger (Rational Purify) in order to hunt it down.
> Purify works best if ntpd is built with debug. That also slows it down
> of course.
>> Of course we are open for ideas and if anyone reading this has the
>> chance to test 4.2.4p4-modena on a Windows machine, please do so and 
>> us know the results as well as details regarding hard- and software
>> configuration of that system.
> The security list is a very small closed list that only a few people 
> One thing you might try is adding -U 0 to the command line in case the
> dynamic interface code is causing a problem. We have one bug report on
> HP/UX which indicated a problem that we haven't been able to track down
> yet. Turning off dynamic reconfiguration fixed the problem but we still
> don't know why. See Bug #885 starting with Comment #3.
> Danny


*MEINBERG Funkuhren GmbH & Co. KG*
Lange Wand 9
D-31812 Bad Pyrmont, Germany
Tel.: ++49 (0)5281 9309-25
Fax: ++49 (0)5281 9309-30
eMail: heiko.gerstung at meinberg.de <mailto:heiko.gerstung at meinberg.de>
Internet: www.meinberg.de <http://www.meinberg.de/>


Meinberg radio clocks: 25 years of accurate time worldwide

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.ntp.org/mailman/private/security/attachments/20071221/534b0b15/attachment.html 

More information about the security mailing list