NetBSD-Bugs archive
bin/44052: chrooted ntpd references freed memory
>Number: 44052
>Category: bin
>Synopsis: chrooted ntpd references freed memory
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Nov 06 01:00:00 +0000 2010
>Originator: Takahiro HAYASHI
>Release: NetBSD-current 5.99.39 checked out on 2010-11-04 22:02:24 UTC
>Organization:
>Environment:
System: NetBSD halt 5.99.39 NetBSD 5.99.39 (HALT) #1: Fri Nov 5 21:35:09 JST 2010 root@halt:/usr/build2/obj.i386/sys/arch/i386/compile/HALT i386
Architecture: i386
Machine: i386
>Description:
ntpd(8) can drop privileges by specifying chrootdir or running as
an unprivileged user. In that case (disable_dynamic_updates != 0)
ntpd will close the routing socket and free its handler structure
itself in function process_routing_msgs(), then reference the freed
memory as the next handler in function input_handler().
This causes SIGSEGV if /etc/malloc.conf -> J.
>How-To-Repeat:
Start ntpd in a chroot jail or as an unprivileged user.
>Fix:
Please apply this patch.
Index: external/bsd/ntp/dist/ntpd/ntp_io.c
===================================================================
RCS file: /cvsroot/src/external/bsd/ntp/dist/ntpd/ntp_io.c,v
retrieving revision 1.2
diff -u -r1.2 ntp_io.c
--- external/bsd/ntp/dist/ntpd/ntp_io.c 14 Dec 2009 00:43:58 -0000 1.2
+++ external/bsd/ntp/dist/ntpd/ntp_io.c 5 Nov 2010 22:10:49 -0000
@@ -3355,11 +3355,13 @@
asyncio_reader = asyncio_reader_list;
while (asyncio_reader != NULL) {
+ struct asyncio_reader *next = asyncio_reader->link;
+
if (FD_ISSET(asyncio_reader->fd, &fds)) {
++select_count;
(asyncio_reader->receiver)(asyncio_reader);
}
- asyncio_reader = asyncio_reader->link;
+ asyncio_reader = next;
}
#endif /* HAS_ROUTING_SOCKET */
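Review bot: saving `next` before `(asyncio_reader->receiver)(asyncio_reader)` is the right fix for the reported use of freed memory, since the receiver may free the node it is handed; it does not, however, cover a receiver that unlinks and frees a different reader on the list, which would leave the saved `next` dangling. Suggest a one-line comment above `struct asyncio_reader *next = asyncio_reader->link;` stating that a receiver may remove its own reader but must not remove others, so the constraint survives future edits to this loop.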
--
Takahiro HAYASHI <hash at abox3 dot so-net dot ne dot jp>
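The list-walk hazard the description above refers to, as an added C example that is not part of this PR or of ntpd's source: a constructed model of the asyncio_reader list in which the routing-socket receiver frees its own node, as process_routing_msgs() does under chroot, walked with the patched pattern that reads link before the callback runs. The struct layout, add_reader() and both receiver functions are assumptions made for illustration.

```c
#include <stdlib.h>

/* Constructed model of the asyncio_reader list in ntpd's ntp_io.c: names
 * mirror ntpd, but this is an illustrative reimplementation, not its source. */
struct asyncio_reader {
	struct asyncio_reader *link;
	int fd, ready;                       /* ready stands in for FD_ISSET() */
	void (*receiver)(struct asyncio_reader *);
};
static struct asyncio_reader *asyncio_reader_list;
static int freed_readers;

/* Unlink and free a reader, as ntpd's remove_asyncio_reader() does. After
 * this the node (link included) must never be read; malloc.conf J junks it. */
static void remove_asyncio_reader(struct asyncio_reader *reader)
{
	struct asyncio_reader **pp;
	for (pp = &asyncio_reader_list; *pp != NULL; pp = &(*pp)->link)
		if (*pp == reader) { *pp = reader->link; break; }
	free(reader);
	freed_readers++;
}

/* Routing-socket receiver: under chroot, process_routing_msgs() closes the
 * socket and frees the very reader that input_handler() is servicing. */
static void routing_receiver(struct asyncio_reader *r) { remove_asyncio_reader(r); }
/* Ordinary receiver: drains the descriptor and leaves the node alone. */
static void plain_receiver(struct asyncio_reader *r) { r->ready = 0; }

static void add_reader(int fd, int ready, void (*recv)(struct asyncio_reader *))
{
	struct asyncio_reader *r = calloc(1, sizeof *r);
	if (r == NULL) abort();
	r->fd = fd; r->ready = ready; r->receiver = recv;
	r->link = asyncio_reader_list; asyncio_reader_list = r;
}

/* Patched input_handler() walk: take link BEFORE the receiver runs, because
 * the receiver may free the node. The unpatched loop read asyncio_reader->link
 * after the call, i.e. from freed memory. Returns ntpd's select_count. */
static int service_readers(void)
{
	int select_count = 0;
	struct asyncio_reader *asyncio_reader = asyncio_reader_list;
	while (asyncio_reader != NULL) {
		struct asyncio_reader *next = asyncio_reader->link;
		if (asyncio_reader->ready) {
			++select_count;
			(asyncio_reader->receiver)(asyncio_reader);
		}
		asyncio_reader = next;
	}
	return select_count;
}
```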