https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=285065
Bug ID: 285065
Summary: NULL pointer dereference in ntpd
Product: Base System
Version: Unspecified
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: b...@freebsd.org
Reporter: free...@dev.thsi.be

Hello,

In contrib/ntp/ntpd/ntp_io.c the function update_interfaces dereferences the ep pointer, which is NULL in the else branch, in here (line 1906):

    for (ep2 = newaddrs; ep2 != NULL; ep2 = next_ep) {
        next_ep = ep2->elink;
        ep2->elink = NULL;
        ep = create_interface(port, ep2);
        if (ep != NULL) {
            ifi.action = IFS_CREATED;
            ifi.ep = ep;
            if (receiver != NULL) {
                (*receiver)(data, &ifi);
            }
            new_interface_found = TRUE;
            DPRINT_INTERFACE(3, (ep, "updating ", " new - created\n"));
        } else {
            DPRINT_INTERFACE(3, (ep, "updating ", " new - FAILED"));
            msyslog(LOG_ERR, "cannot bind address %s", stoa(&ep->sin));
        }
        free(ep2);
    }

The bug is present in all branches. It manifests in a crash of ntpd.

(lldb) bt
* thread #1, name = 'ntpd', stop reason = signal SIGSEGV
  * frame #0: 0x000bbb18 ntpd`socktoa(sock=0x00000018) at socktoa.c:46:10
    frame #1: 0x00060d28 ntpd`update_interfaces(port=123, receiver=<unavailable>, data=<unavailable>) at ntp_io.c:1926:5
    frame #2: 0x0005fb7c ntpd`io_open_sockets [inlined] create_sockets(port=123) at ntp_io.c:2036:2
    frame #3: 0x0005f760 ntpd`io_open_sockets at ntp_io.c:513:2
    frame #4: 0x0004bc14 ntpd`config_ntpd(ptree=0x208a90c0, input_from_files=<unavailable>) at ntp_config.c:5036:2
    frame #5: 0x00049964 ntpd`save_and_apply_config_tree(input_from_file=<unavailable>) at ntp_config.c:5276:2 [artificial]
    frame #6: 0x00049aec ntpd`getconfig(argc=<unavailable>, argv=<unavailable>) at ntp_config.c:5212:2
    frame #7: 0x0007f2f8 ntpd`ntpdmain(argc=0, argv=0xbfbfed4c) at ntpd.c:1141:2
    frame #8: 0x0007eaf0 ntpd`main(argc=<unavailable>, argv=<unavailable>) at ntpd.c:445:9
(lldb)

--
You are receiving this mail because:
You are the assignee for the bug.
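Added example (editor's code, not ntp's or FreeBSD's): a self-contained C model of the loop quoted in the report. It shows why the crash lands inside socktoa() at a near-zero address rather than at the `&ep->sin` expression itself: taking the address of a member through a NULL pointer does not trap, it just yields a small bogus pointer equal to the member's offset, and the formatter then reads through it. The struct layouts, the bind-refusal policy and the fix (logging the candidate `ep2->sin`, which is the address that actually failed to bind and is always non-NULL inside the loop) are this example's assumptions; the real ntp types and any upstream fix may differ.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for ntpd's sockaddr_u: IPv4 only. */
typedef struct sockaddr_u {
    unsigned char addr[4];
} sockaddr_u;

/* Constructed stand-in for ntpd's struct endpt (interface endpoint). */
typedef struct endpt {
    struct endpt *elink;   /* singly linked list of candidate addresses */
    int           fd;
    int           flags;
    char          name[16];
    sockaddr_u    sin;     /* the member the report dereferences via a NULL ep */
} endpt;

/* Stand-in for socktoa()/stoa(): reads through `sock` to format it. */
static const char *socktoa(const sockaddr_u *sock, char *buf, size_t n)
{
    snprintf(buf, n, "%u.%u.%u.%u",
             sock->addr[0], sock->addr[1], sock->addr[2], sock->addr[3]);
    return buf;
}

/* The buggy argument from the else branch.  With ep == NULL this is undefined
 * behaviour; in practice it evaluates to offsetof(endpt, sin), a small non-NULL
 * pointer, so the fault happens later, inside socktoa(), at that address. */
static const sockaddr_u *buggy_stoa_argument(const endpt *ep)
{
    return &ep->sin;
}

/* Editor's fix: log the candidate that failed to bind (ep2), never ep. */
static const char *log_bind_failure(const endpt *candidate, char *out, size_t n)
{
    char abuf[32];
    snprintf(out, n, "cannot bind address %s",
             socktoa(&candidate->sin, abuf, sizeof abuf));
    return out;
}

/* Stand-in for create_interface(): returns NULL when bind_ok() refuses. */
static endpt *create_interface(const endpt *proto, int (*bind_ok)(const endpt *))
{
    if (!bind_ok(proto))
        return NULL;
    endpt *ep = calloc(1, sizeof *ep);
    if (ep != NULL) {
        *ep = *proto;
        ep->elink = NULL;
        ep->fd = 3;            /* constructed: pretend a socket was opened */
    }
    return ep;
}

/* The report's loop with the else branch corrected.  Returns the number of
 * interfaces created and appends one log line per failed bind to `log`. */
static int process_newaddrs(endpt *newaddrs, int (*bind_ok)(const endpt *),
                            char *log, size_t logsz)
{
    int created = 0;
    endpt *ep, *ep2, *next_ep;
    char line[64];

    log[0] = '\0';
    for (ep2 = newaddrs; ep2 != NULL; ep2 = next_ep) {
        next_ep = ep2->elink;
        ep2->elink = NULL;
        ep = create_interface(ep2, bind_ok);
        if (ep != NULL) {
            created++;
            free(ep);          /* real ntpd keeps it on the interface list */
        } else {
            log_bind_failure(ep2, line, sizeof line);   /* ep2, not ep */
            strncat(log, line, logsz - strlen(log) - 1);
            strncat(log, "\n", logsz - strlen(log) - 1);
        }
        free(ep2);
    }
    return created;
}

/* Test helpers: build a heap-allocated candidate (the loop frees it). */
static endpt *make_candidate(unsigned char a, unsigned char b, unsigned char c,
                             unsigned char d, endpt *next)
{
    endpt *e = calloc(1, sizeof *e);
    if (e == NULL) abort();
    e->sin.addr[0] = a; e->sin.addr[1] = b; e->sin.addr[2] = c; e->sin.addr[3] = d;
    e->elink = next;
    return e;
}

/* Constructed policy: addresses in 192.0.2.0/24 (TEST-NET-1) "fail to bind". */
static int bind_ok_unless_testnet(const endpt *e)
{
    return e->sin.addr[0] != 192;
}

int main(void)
{
    char log[256];
    endpt *list = make_candidate(192, 0, 2, 1, make_candidate(10, 0, 0, 7, NULL));
    int n = process_newaddrs(list, bind_ok_unless_testnet, log, sizeof log);
    printf("created %d interface(s)\n%s", n, log);
    return 0;
}
```

The value of `buggy_stoa_argument(NULL)` is the shape to look for in a backtrace: a crash in the string formatter with a `sock` argument that is a small constant rather than NULL points at a NULL base pointer plus a member offset, which is why the report's frame #0 is socktoa() and not update_interfaces().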