From: "Russell J. Yount" <rjy@cmu.edu>
To: freebsd-current@freebsd.org
Date: Fri, 20 Nov 2009 19:30:32 -0500
Subject: FreeBSD 8.0-RC3 ntpd core dump when oncore clock is in use

In FreeBSD
8.0-RC3 the ntpd core dumps with stack corruption due to a buffer overflow. The bug exists in both FreeBSD-8.0-RC3 and ntp-4.2.4p7. I am submitting this to both groups.

In ntp/ntpd/refclock_oncore.c:

    FILE    *fd;
    char    *cp, *cc, *ca, line[100], units[2], device[20], Msg[160], **cpp;
    char    *dirs[] = { "/etc/ntp", "/etc", 0 };
    int     i, sign, lat_flg, long_flg, ht_flg, mode, mask;
    double  f1, f2, f3;

    fd = NULL;  /* just to shutup gcc complaint */
    for (cpp=dirs; *cpp; cpp++) {
        cp = *cpp;
        sprintf(device, "%s/ntp.oncore.%d", cp, instance->unit);  /* try "ntp.oncore.0" */
        if ((fd=fopen(device, "r")))
            break;
        sprintf(device, "%s/ntp.oncore%d", cp, instance->unit);   /* try "ntp.oncore0" */
        if ((fd=fopen(device, "r")))
            break;
        sprintf(device, "%s/ntp.oncore", cp);                     /* and finally "ntp.oncore" */
        if ((fd=fopen(device, "r")))
            break;
    }

In the first iteration of the for loop the first assigned value of device is "/etc/ntp/ntp.oncore.0" (assuming unit number 0), which including the null character takes 22 bytes to represent. The size of device is 20 bytes. The following patch increases the size of device to 32 characters, which corrects the problem.

--- ntp-4.2.4p7/ntpd/refclock_oncore.c.orig 2008-08-22 11:58:00.000000000 -0400 +++ ntp-4.2.4p7/ntpd/refclock_oncore.c 2009-11-20 17:25:26.000000000 -0500 @@ -1127,7 +1127,7 @@ */ FILE *fd; - char *cp, *cc, *ca, line[100], units[2], device[20], Msg[160], **cpp; + char *cp, *cc, *ca, line[100], units[2], device[32], Msg[160], **cpp; char *dirs[] = { "/etc/ntp", "/etc", 0 }; int i, sign, lat_flg, long_flg, ht_flg, mode, mask; double f1, f2, f3;
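Review bot: the `+` line in the @@ -1127 hunk only widens device[] to 32 while the three sprintf() calls that write into it stay unbounded; 32 does cover the longest path the loop can build ("/etc/ntp/ntp.oncore." plus an 11-character int and the NUL), but the same overflow comes back the moment a directory in dirs[] or a filename template changes. Suggest bounding the writes to the buffer, e.g. snprintf(device, sizeof(device), "%s/ntp.oncore.%d", cp, instance->unit), and checking the return value, so the fix does not depend on the constant 32 staying in sync with the strings.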
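As an added example (not code from the report or from ntpd), the same path construction done with snprintf() so truncation is reported instead of overflowing, plus a helper that computes the buffer size the loop actually needs for a given unit number; the function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <limits.h>

/* Directory search list, as in the report. */
static const char *oncore_dirs[] = { "/etc/ntp", "/etc", 0 };

/* Builds "<dir>/ntp.oncore.<unit>" into buf without writing past bufsz.
 * Returns 1 if the full path (including the NUL) fit, 0 if snprintf()
 * had to truncate it. This is the bounded form of the sprintf() call
 * that overflowed device[20] in refclock_oncore.c. */
int build_oncore_path(char *buf, size_t bufsz, const char *dir, int unit)
{
    int n = snprintf(buf, bufsz, "%s/ntp.oncore.%d", dir, unit);
    return n >= 0 && (size_t)n < bufsz;
}

/* Bytes needed, NUL included, for the longest "<dir>/ntp.oncore.<unit>"
 * path the loop can build for this unit across all search directories.
 * snprintf(NULL, 0, ...) only measures; nothing is written. */
size_t oncore_path_needed(int unit)
{
    size_t worst = 0;
    const char **cpp;
    for (cpp = oncore_dirs; *cpp; cpp++) {
        int n = snprintf(NULL, 0, "%s/ntp.oncore.%d", *cpp, unit);
        if (n >= 0 && (size_t)n + 1 > worst)
            worst = (size_t)n + 1;
    }
    return worst;
}
```

With unit 0 the helper returns the 22 bytes the report counts by hand, and with INT_MIN it returns exactly 32, the size the patch chose.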