Package: ntp
Version: 1:4.2.6.p5+dfsg-7
Followup-For: Bug #795315

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Maintainer,

well, that was easy.  This bug was fixed by upstream several
years ago.  Attaching patch from upstream.


Bjørn

- -- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages ntp depends on:
ii  adduser      3.113+nmu3
ii  dpkg         1.17.25
ii  libc6        2.19-18
ii  libcap2      1:2.24-8
ii  libedit2     3.1-20140620-2
ii  libopts25    1:5.18.4-3
ii  libssl1.0.0  1.0.1k-3+deb8u1
ii  lsb-base     4.1+Debian13+nmu1
ii  netbase      5.3

Versions of packages ntp recommends:
ii  perl  5.20.2-3+deb8u1

Versions of packages ntp suggests:
pn  ntp-doc  <none>

- -- Configuration Files:
/etc/ntp.conf changed [not included]

- -- no debconf information

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlXLw9QACgkQ10rqkowbIskAXACeJcdIVpJBVuVoDRuwk5I/7sff
EAYAn04Af0j2CuYoMbN4JSQp/nHdl+MV
=LXax
-----END PGP SIGNATURE-----
From d6df9d309116be7b14fd8d33703d5c4b46655d89 Mon Sep 17 00:00:00 2001
From:  <daveh...@dlh-7551.ad.hartbrothers.com>
Date: Mon, 11 Jun 2012 17:22:29 +0000
Subject: [PATCH] [Bug 2224] Use-after-free in routing socket code after
 dropping root.

---
 ChangeLog     | 3 ++-
 ntpd/ntp_io.c | 9 ++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 388c48d..b8e1ad8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,8 +1,9 @@
+* [Bug 2224] Use-after-free in routing socket code after dropping root.
 (4.2.7p279) 2012/06/10 Released by Harlan Stenn <st...@ntp.org>
 * [Bug 2211] findbcastinter(): possibly undefined variable iface used.
 * [Bug 2220] Incorrect check for maximum association id in ntpq.
 (4.2.7p278) 2012/06/03 Released by Harlan Stenn <st...@ntp.org>
-* [Bug 2204] [Bug 2204] Build with --enable-getifaddrs=glibc fails.
+* [Bug 2204] Build with --enable-getifaddrs=glibc fails.
 * [Bug 2178] refclock_tsyncpci.c reach register fails to shift.
 * [Bug 2191] dcfd -Y y2kcheck on CentOS 6.2 x86_64 breaks make check.
 (4.2.7p277) 2012/05/25 Released by Harlan Stenn <st...@ntp.org>
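Review bot: The context lines of this ChangeLog hunk are the 4.2.7p277 to 4.2.7p279 release entries, which the 1:4.2.6.p5+dfsg-7 source this report is filed against would not contain, so the hunk is unlikely to apply when the patch is carried in the package. Drop the ChangeLog hunk from the backport and record the fix in the package changelog instead. The removal of the duplicated "[Bug 2204]" tag is also unrelated to Bug 2224 and belongs in its own change.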
diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c
index 9df2f27..79828ed 100644
--- a/ntpd/ntp_io.c
+++ b/ntpd/ntp_io.c
@@ -3355,7 +3355,8 @@ input_handler(
 	const char *	clk;
 #endif
 #ifdef HAS_ROUTING_SOCKET
-	struct asyncio_reader *asyncio_reader;
+	struct asyncio_reader *	asyncio_reader;
+	struct asyncio_reader *	next_asyncio_reader;
 #endif
 
 	handler_calls++;
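Review bot: The re-indentation of the existing "struct asyncio_reader *asyncio_reader;" declaration is a whitespace-only change that adds a conflict point for a backport without contributing to the fix; only the added next_asyncio_reader declaration is needed. Keeping that declaration inside the same "#ifdef HAS_ROUTING_SOCKET" guard as the loop that uses it is correct, since it avoids an unused-variable warning on builds without the routing socket.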
@@ -3487,11 +3488,13 @@ input_handler(
 	asyncio_reader = asyncio_reader_list;
 
 	while (asyncio_reader != NULL) {
+		/* callback may unlink and free asyncio_reader */
+		next_asyncio_reader = asyncio_reader->link;
 		if (FD_ISSET(asyncio_reader->fd, &fds)) {
 			++select_count;
-			(asyncio_reader->receiver)(asyncio_reader);
+			(*asyncio_reader->receiver)(asyncio_reader);
 		}
-		asyncio_reader = asyncio_reader->link;
+		asyncio_reader = next_asyncio_reader;
 	}
 #endif /* HAS_ROUTING_SOCKET */
 	
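Review bot: Saving asyncio_reader->link before the callback covers only the case named in the new comment, where the receiver unlinks and frees the node it was called on. If a receiver can ever remove a different entry from asyncio_reader_list, in particular the one already saved in next_asyncio_reader, the loop would still follow a stale pointer. The comment should state that a receiver may remove only its own reader, or the loop should restart from asyncio_reader_list after a callback that modifies the list. The change from "(asyncio_reader->receiver)(asyncio_reader)" to "(*asyncio_reader->receiver)(asyncio_reader)" is cosmetic and can be left out of a minimal backport.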
-- 
2.1.4
