[ntp:security] [Bug 3083] test #2

bugzilla-daemon at ntp.org
Tue Jul 5 10:57:58 UTC 2016


http://bugs.ntp.org/show_bug.cgi?id=3083

--- Comment #1 from Magnus Stubman <magnus at stubman.eu> 2016-07-05 10:57:58 UTC ---
The attached payload will result in an assertion failure in ntpd 4.2.8p8,
resulting in the following valgrind report:

==13614== Memcheck, a memory error detector
==13614== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==13614== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==13614== Command: ./ntp-4.2.8p8/ntpd/ntpd -n -I lo -c ntp.conf
==13614== 
28 Jun 21:05:27 ntpd[13614]: ntpd 4.2.8p8@1.3265-o Tue Jun 28 14:42:51 UTC 2016 (1): Starting
28 Jun 21:05:27 ntpd[13614]: Command line: ./ntp-4.2.8p8/ntpd/ntpd -n -I lo -c ntp.conf
28 Jun 21:05:28 ntpd[13614]: proto: precision = 5.780 usec (-17)
28 Jun 21:05:28 ntpd[13614]: switching logging to file /dev/null
28 Jun 21:05:28 ntpd[13614]: Listen and drop on 0 v6wildcard [::]:123
28 Jun 21:05:28 ntpd[13614]: Listen and drop on 1 v4wildcard 0.0.0.0:123
28 Jun 21:05:28 ntpd[13614]: Listen normally on 2 lo 127.0.0.1:123
28 Jun 21:05:28 ntpd[13614]: Listen normally on 3 lo [::1]:123
28 Jun 21:05:28 ntpd[13614]: Listening on routing socket on fd #20 for interface updates
28 Jun 21:05:30 ntpd[13614]: decodenetnum.c:38: REQUIRE(num != ((void *)0)) failed
28 Jun 21:05:30 ntpd[13614]: exiting (due to assertion failure)
==13614== 
==13614== HEAP SUMMARY:
==13614==     in use at exit: 121,145 bytes in 2,697 blocks
==13614==   total heap usage: 2,874 allocs, 177 frees, 415,150 bytes allocated
==13614== 
==13614== LEAK SUMMARY:
==13614==    definitely lost: 0 bytes in 0 blocks
==13614==    indirectly lost: 0 bytes in 0 blocks
==13614==      possibly lost: 992 bytes in 1 blocks
==13614==    still reachable: 120,153 bytes in 2,696 blocks
==13614==         suppressed: 0 bytes in 0 blocks
==13614== Rerun with --leak-check=full to see details of leaked memory
==13614== 
==13614== For counts of detected and suppressed errors, rerun with: -v
==13614== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)


The following ntp.conf was used:

# Use the local clock
server 127.127.1.0 prefer
fudge  127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
broadcastdelay 0.008

logfile /dev/null
#logfile /tmp/ntp.log

# Give localhost full access rights
#restrict 127.0.0.1

# Give local machine access to query
#restrict 172.16.59.179 mask 255.255.255.255 nomodify notrap
#restrict 10.0.1.24 mask 255.255.255.255 nomodify notrap
restrict 127.0.0.1 mask 255.255.255.255 nomodify notrap

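Added example (not part of the original bug comment and not ntp.org code): a log check that flags the assertion-failure exit seen in the report above, including the case where the mail or log transport wraps "failed" onto its own line. The sample log is constructed from the lines in the report; matching INSIST, ENSURE and INVARIANT in addition to the REQUIRE shown is an assumption that goes beyond the one line on this page.

```python
import re

# Constructed sample: the assertion lines mirror the report above; the last
# entry is an ordinary start-up line from another pid that must not match.
SAMPLE_LOG = """\
28 Jun 21:05:28 ntpd[13614]: Listen normally on 2 lo 127.0.0.1:123
28 Jun 21:05:30 ntpd[13614]: decodenetnum.c:38: REQUIRE(num != ((void *)0))
failed
28 Jun 21:05:30 ntpd[13614]: exiting (due to assertion failure)
28 Jun 21:07:02 ntpd[13702]: proto: precision = 5.780 usec (-17)
"""

# Timestamp layout as it appears in the report: "28 Jun 21:05:30 ntpd[pid]: msg"
ENTRY = re.compile(r"^(?P<ts>\d{1,2} \w{3} [\d:]{8}) ntpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "<file>:<line>: <MACRO>(<condition>) failed"; macros other than REQUIRE are assumed
ASSERT = re.compile(r"^(?P<file>[\w./-]+):(?P<line>\d+): "
                    r"(?P<kind>REQUIRE|INSIST|ENSURE|INVARIANT)\((?P<cond>.*)\) failed$")
EXIT_MSG = "exiting (due to assertion failure)"

def join_wrapped(text):
    """Re-attach continuation lines (no timestamp/ntpd prefix) to their entry."""
    entries = []
    for raw in text.splitlines():
        if ENTRY.match(raw) or not entries:
            entries.append(raw.rstrip())
        else:
            entries[-1] += " " + raw.strip()
    return entries

def find_assertion_exits(text):
    """Return one finding per ntpd pid that logged a failed assertion."""
    findings = {}
    for entry in join_wrapped(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        hit = ASSERT.match(msg)
        if hit:
            findings[pid] = {"pid": pid, "time": m["ts"], "file": hit["file"],
                             "line": int(hit["line"]), "kind": hit["kind"],
                             "condition": hit["cond"], "exited": False}
        elif msg == EXIT_MSG and pid in findings:
            findings[pid]["exited"] = True  # daemon went down after the assertion
    return list(findings.values())

if __name__ == "__main__":
    for finding in find_assertion_exits(SAMPLE_LOG):
        print(finding)
```

Because the ntp.conf above sets logfile to /dev/null, a check like this only sees these lines when ntpd logs to a file or syslog instead.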