[Bug 285065] NULL pointer dereference in ntpd
Date: Thu, 27 Feb 2025 08:36:44 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=285065
Bug ID: 285065
Summary: NULL pointer dereference in ntpd
Product: Base System
Version: Unspecified
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: freebsd@dev.thsi.be
Hello,
In contrib/ntp/ntpd/ntp_io.c the function update_interfaces dereferences
the ep pointer, which is NULL in the else branch, here:
L1906:
    for (ep2 = newaddrs; ep2 != NULL; ep2 = next_ep) {
        next_ep = ep2->elink;
        ep2->elink = NULL;
        ep = create_interface(port, ep2);
        if (ep != NULL) {
            ifi.action = IFS_CREATED;
            ifi.ep = ep;
            if (receiver != NULL) {
                (*receiver)(data, &ifi);
            }
            new_interface_found = TRUE;
            DPRINT_INTERFACE(3,
                (ep, "updating ", " new - created\n"));
        }
        else {
            DPRINT_INTERFACE(3,
                (ep, "updating ", " new - FAILED"));
            msyslog(LOG_ERR,
                "cannot bind address %s",
                stoa(&ep->sin));
        }
        free(ep2);
    }
The bug is present in all branches.
It manifests in a crash of ntpd.
(lldb) bt
* thread #1, name = 'ntpd', stop reason = signal SIGSEGV
  * frame #0: 0x000bbb18 ntpd`socktoa(sock=0x00000018) at socktoa.c:46:10
    frame #1: 0x00060d28 ntpd`update_interfaces(port=123, receiver=<unavailable>, data=<unavailable>) at ntp_io.c:1926:5
    frame #2: 0x0005fb7c ntpd`io_open_sockets [inlined] create_sockets(port=123) at ntp_io.c:2036:2
    frame #3: 0x0005f760 ntpd`io_open_sockets at ntp_io.c:513:2
    frame #4: 0x0004bc14 ntpd`config_ntpd(ptree=0x208a90c0, input_from_files=<unavailable>) at ntp_config.c:5036:2
    frame #5: 0x00049964 ntpd`save_and_apply_config_tree(input_from_file=<unavailable>) at ntp_config.c:5276:2 [artificial]
    frame #6: 0x00049aec ntpd`getconfig(argc=<unavailable>, argv=<unavailable>) at ntp_config.c:5212:2
    frame #7: 0x0007f2f8 ntpd`ntpdmain(argc=0, argv=0xbfbfed4c) at ntpd.c:1141:2
    frame #8: 0x0007eaf0 ntpd`main(argc=<unavailable>, argv=<unavailable>) at ntpd.c:445:9
(lldb)
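Added example, not part of the original report and not the project's code: a reduced C model of the loop body above. It shows why the backtrace has socktoa() receiving a small non-NULL address (a member address taken from a NULL ep) and one possible guard, which is to log from ep2 when create_interface() fails. The names demo_endpt, demo_create and demo_update, the struct layout and the address 192.0.2.10 are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for ntpd's endpoint struct (layout constructed). */
struct demo_endpt {
    struct demo_endpt *elink;
    char pad[16];
    char sin[32];               /* stand-in for the socket address, kept as text */
};

/* With ep == NULL, &ep->sin is not NULL: it is the member offset, so a
 * callee that only checks for NULL still faults on a small address. */
size_t addr_of_sin_in_null_ep(void)
{
    return offsetof(struct demo_endpt, sin);
}

/* Stand-in for create_interface(): NULL models a failed bind. */
static struct demo_endpt *demo_create(struct demo_endpt *tmpl, int fail)
{
    return fail ? NULL : tmpl;
}

/* Guarded loop body: on failure, log from ep2 (still valid), never from ep. */
int demo_update(struct demo_endpt *ep2, int fail, char *msg, size_t len)
{
    struct demo_endpt *ep = demo_create(ep2, fail);
    if (ep != NULL) {
        snprintf(msg, len, "created %s", ep->sin);
        return 0;
    }
    snprintf(msg, len, "cannot bind address %s", ep2->sin);
    return -1;
}

/* Runs the failed-bind path on a constructed address and returns the log text. */
const char *demo_failed_bind_message(void)
{
    static char msg[64];
    struct demo_endpt ep2 = { NULL, {0}, "192.0.2.10" };
    return demo_update(&ep2, 1, msg, sizeof msg) == -1 ? msg : "";
}

int main(void)
{
    printf("&ep->sin with ep == NULL: %#zx\n", addr_of_sin_in_null_ep());
    puts(demo_failed_bind_message());
    return 0;
}
```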