In FreeBSD 8.0-RC3 the ntpd core dumps with stack corruption due to a buffer overflow. The bug exists in both FreeBSD-8.0-RC3 and ntp-4.2.4p7. I am submitting this to both groups.

In ntp/ntpd/refclock_oncore.c:

	FILE	*fd;
	char	*cp, *cc, *ca, line[100], units[2], device[20], Msg[160], **cpp;
	char	*dirs[] = { "/etc/ntp", "/etc", 0 };
	int	i, sign, lat_flg, long_flg, ht_flg, mode, mask;
	double	f1, f2, f3;

	fd = NULL;	/* just to shutup gcc complaint */
	for (cpp=dirs; *cpp; cpp++) {
		cp = *cpp;
		sprintf(device, "%s/ntp.oncore.%d", cp, instance->unit);	/* try "ntp.oncore.0" */
		if ((fd=fopen(device, "r")))
			break;
		sprintf(device, "%s/ntp.oncore%d", cp, instance->unit);	/* try "ntp.oncore0" */
		if ((fd=fopen(device, "r")))
			break;
		sprintf(device, "%s/ntp.oncore", cp);				/* and finally "ntp.oncore" */
		if ((fd=fopen(device, "r")))
			break;
	}

In the first iteration of the for loop the first assigned value of device is "/etc/ntp/ntp.oncore.0" (assuming unit number 0), which, including the null character, takes 22 bytes to represent. The size of device is 20 bytes. The following patch increases the size of device to 32 characters, which corrects the problem.

--- ntp-4.2.4p7/ntpd/refclock_oncore.c.orig 2008-08-22 11:58:00.000000000 -0400 +++ ntp-4.2.4p7/ntpd/refclock_oncore.c 2009-11-20 17:25:26.000000000 -0500 _at__at_ -1127,7 +1127,7 _at__at_ */ FILE *fd; - char *cp, *cc, *ca, line[100], units[2], device[20], Msg[160], **cpp; + char *cp, *cc, *ca, line[100], units[2], device[32], Msg[160], **cpp; char *dirs[] = { "/etc/ntp", "/etc", 0 }; int i, sign, lat_flg, long_flg, ht_flg, mode, mask; double f1, f2, f3;

Received on Sat Nov 21 2009 - 00:01:38 UTC
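Review bot: the enlarged device[32] in the hunk is sufficient for this dirs[] table and any int unit value ("/etc/ntp/ntp.oncore." is 20 characters, a decimal int is at most 11, plus the terminator makes 32), but the three sprintf calls that fill it remain unbounded, so the fix holds only as long as nobody lengthens an entry in dirs[] or the format strings. Replacing each sprintf with snprintf(device, sizeof(device), ...) and checking the return value against sizeof(device) would make the bound explicit in the code rather than implicit in the declaration, and would turn a future regression into a skipped lookup instead of stack corruption.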
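As an added example, not code from the report above or from ntpd, the following builds the same three candidate paths with an explicit size bound and a helper that computes the worst-case buffer size for a given directory table. The function names oncore_build_path and oncore_max_path_size and their signatures are hypothetical; the arithmetic assumes the dirs[] table quoted in the report and a 32-bit int unit number.

```c
/* Added example (not part of the original report or of ntpd): builds the
 * ntp.oncore config path the way the quoted loop in refclock_oncore.c does,
 * but with an explicit bound, so an undersized destination is reported
 * instead of overflowing the stack. Names and signatures are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Return the number of characters the path needs (excluding the NUL), or -1
 * if it would not fit in dst_size bytes. dst is never written past dst_size
 * and is always NUL-terminated when dst_size > 0.
 * variant 0: "<dir>/ntp.oncore.<unit>"   (the case that overflowed device[20])
 * variant 1: "<dir>/ntp.oncore<unit>"
 * other:     "<dir>/ntp.oncore" */
int oncore_build_path(char *dst, size_t dst_size, const char *dir, int unit, int variant)
{
    int n;
    switch (variant) {
    case 0:  n = snprintf(dst, dst_size, "%s/ntp.oncore.%d", dir, unit); break;
    case 1:  n = snprintf(dst, dst_size, "%s/ntp.oncore%d", dir, unit);  break;
    default: n = snprintf(dst, dst_size, "%s/ntp.oncore", dir);          break;
    }
    if (n < 0 || (size_t)n >= dst_size)
        return -1;  /* truncated: the caller must not use dst as a path */
    return n;
}

/* Largest number of bytes (including the NUL) any of the three variants can
 * need for the given NULL-terminated directory table and any int unit value.
 * This lets the patched size of 32 be checked rather than assumed. */
size_t oncore_max_path_size(const char *const *dirs)
{
    size_t worst = 0;
    for (; *dirs; dirs++) {
        /* "/ntp.oncore." is 12 chars; a 32-bit int prints as at most 11; plus NUL */
        size_t need = strlen(*dirs) + 12 + 11 + 1;
        if (need > worst)
            worst = need;
    }
    return worst;
}

int main(void)
{
    /* Constructed to match the dirs[] table quoted in the report. */
    static const char *const dirs[] = { "/etc/ntp", "/etc", 0 };
    char small[20];   /* the original, overflowable size */
    char fixed[32];   /* the size introduced by the patch */

    printf("device[20], unit 0: %d\n",
           oncore_build_path(small, sizeof small, "/etc/ntp", 0, 0));   /* -1: does not fit */
    printf("device[32], unit 0: %d -> %s\n",
           oncore_build_path(fixed, sizeof fixed, "/etc/ntp", 0, 0), fixed);
    printf("worst-case size for this dirs[] table: %zu\n", oncore_max_path_size(dirs));
    return 0;
}
```

The worst-case helper returns 32 for the report's table, which is exactly the size the patch chose; the bounded builder is what keeps a later change to dirs[] or the format from silently reintroducing the overflow.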
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:58 UTC