[pkg-ntp-maintainers] Bug#795315: /usr/sbin/ntpd: ntpd segfaults in input_handler at ntp_io.c:3642

Bjørn Mork bjorn at mork.no
Wed Aug 12 21:56:34 UTC 2015


Package: ntp
Version: 1:4.2.6.p5+dfsg-7
Followup-For: Bug #795315

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Maintainer,

looking a bit further at the code, I believe I now understand what
goes wrong: The process_routing_msgs(), which is called indirectly
inside the list loop, could end up deleting and freeing(!) the
list entry currently being processed ("reader" points to it):

	if (disable_dynamic_updates) {
		/*
		 * discard ourselves if we are not needed any more
		 * usually happens when running unprivileged
		 */
		remove_asyncio_reader(reader);
		delete_asyncio_reader(reader);
		return;
	}

	cnt = read(reader->fd, buffer, sizeof(buffer));
	
	if (cnt < 0) {
		msyslog(LOG_ERR,
			"i/o error on routing socket %m - disabling");
		remove_asyncio_reader(reader);
		delete_asyncio_reader(reader);
		return;
	}


Correlating that with my logs, I see that this is exactly what happened
to me:

Aug 12 14:55:49 canardo ntpd[31599]: i/o error on routing socket No buffer space available - disabling
Aug 12 17:11:49 canardo ntpd[4566]: i/o error on routing socket No buffer space available - disabling
Aug 12 17:36:49 canardo ntpd[15501]: i/o error on routing socket No buffer space available - disabling
Aug 12 21:08:49 canardo ntpd[19058]: i/o error on routing socket No buffer space available - disabling
Aug 12 21:32:49 canardo ntpd[2638]: i/o error on routing socket No buffer space available - disabling


I don't know exactly how to fix this mess, but it is quite obvious that you
cannot free the "reader" element and then try to dereference it...



Bjørn

- -- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages ntp depends on:
ii  adduser      3.113+nmu3
ii  dpkg         1.17.25
ii  libc6        2.19-18
ii  libcap2      1:2.24-8
ii  libedit2     3.1-20140620-2
ii  libopts25    1:5.18.4-3
ii  libssl1.0.0  1.0.1k-3+deb8u1
ii  lsb-base     4.1+Debian13+nmu1
ii  netbase      5.3

Versions of packages ntp recommends:
ii  perl  5.20.2-3+deb8u1

Versions of packages ntp suggests:
pn  ntp-doc  <none>

- -- Configuration Files:
/etc/ntp.conf changed [not included]

- -- no debconf information

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlXLwQ8ACgkQ10rqkowbIsl8mQCgida4+XWdNx5i1e17cTPuYstV
x8cAn2D2t4u0bFIf7qW2AB84Q/6iiDiK
=gn0n
-----END PGP SIGNATURE-----
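
The pattern described in this message, as an added example that is not part of the original report and is neither ntpd's code nor its eventual fix: a handler that may unlink and free the entry being visited, with a list walk that stays valid by reading the next pointer before the handler runs. The struct, the function names and the "fail" flag are hypothetical stand-ins for the asyncio reader list and the read() error path.

```c
#include <stdlib.h>

/* Hypothetical miniature of a reader list; not ntpd's real structures. */
struct reader {
	struct reader *next;
	int fd;
	int fail;		/* constructed: stands in for read() < 0 */
};

static struct reader *readers;	/* list head */
static int handled;		/* handlers run during the last walk */

static void add_reader(int fd, int fail)
{
	struct reader *r = calloc(1, sizeof(*r));
	if (r == NULL)
		abort();
	r->fd = fd;
	r->fail = fail;
	r->next = readers;
	readers = r;
}

/* Unlink and free, the combined effect of the remove/delete calls. */
static void drop_reader(struct reader *r)
{
	struct reader **pp;
	for (pp = &readers; *pp != NULL; pp = &(*pp)->next)
		if (*pp == r) { *pp = r->next; break; }
	free(r);
}

/* Handler that discards its own entry on error, as in the excerpt. */
static void handle(struct reader *r)
{
	handled++;
	if (r->fail)
		drop_reader(r);	/* r is dangling once this returns */
}

/* Safe walk. Advancing with "r = r->next" in the loop header would
 * read freed memory whenever handle() dropped r. */
static int poll_readers(void)
{
	struct reader *r, *next;
	int remaining = 0;
	handled = 0;
	for (r = readers; r != NULL; r = next) {
		next = r->next;	/* saved before r can be freed */
		handle(r);	/* r must not be touched after this */
	}
	for (r = readers; r != NULL; r = r->next)
		remaining++;
	return remaining;
}
```

Saving the next pointer is only sufficient when a handler frees nothing but its own entry; if it could also free the following entry, the walk needs deferred deletion (mark the entry, reap it after the loop) instead.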


