
FreeBSD 8.0-RC3 ntpd core dump when oncore clock is in use


Russell J. Yount

Nov 20, 2009, 7:30:32 PM
In FreeBSD 8.0-RC3 the ntpd core dumps with stack corruption due to a buffer overflow.

The bug exists in both FreeBSD-8.0-RC3 and ntp-4.2.4p7. I am submitting this to both groups.

In ntp/ntpd/refclock_oncore.c:

        FILE    *fd;
        char    *cp, *cc, *ca, line[100], units[2], device[20], Msg[160], **cpp;
        char    *dirs[] = { "/etc/ntp", "/etc", 0 };
        int     i, sign, lat_flg, long_flg, ht_flg, mode, mask;
        double  f1, f2, f3;

        fd = NULL;      /* just to shutup gcc complaint */
        for (cpp=dirs; *cpp; cpp++) {
                cp = *cpp;
                sprintf(device, "%s/ntp.oncore.%d", cp, instance->unit);  /* try "ntp.oncore.0" */
                if ((fd=fopen(device, "r")))
                        break;
                sprintf(device, "%s/ntp.oncore%d", cp, instance->unit);   /* try "ntp.oncore0" */
                if ((fd=fopen(device, "r")))
                        break;
                sprintf(device, "%s/ntp.oncore", cp);                     /* and finally "ntp.oncore" */
                if ((fd=fopen(device, "r")))
                        break;
        }

In the first iteration of the for loop the first assigned value of device is "/etc/ntp/ntp.oncore.0" (assuming unit number 0), which including the null character takes 22 bytes to represent. The size of device is 20 bytes.

The following patch increases the size of device to 32 characters, which corrects the problem.

--- ntp-4.2.4p7/ntpd/refclock_oncore.c.orig 2008-08-22
11:58:00.000000000 -0400

+++ ntp-4.2.4p7/ntpd/refclock_oncore.c 2009-11-20 17:25:26.000000000 -0500

@@ -1127,7 +1127,7 @@

*/

FILE *fd;

- char *cp, *cc, *ca, line[100], units[2], device[20], Msg[160],
**cpp;

+ char *cp, *cc, *ca, line[100], units[2], device[32], Msg[160],
**cpp;

char *dirs[] = { "/etc/ntp", "/etc", 0 };

int i, sign, lat_flg, long_flg, ht_flg, mode, mask;

double f1, f2, f3;
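Review bot: enlarging device[] to 32 bytes removes the overflow for the paths built from the quoted dirs[] table, but the three sprintf() calls in the loop shown earlier in the post still write into device without any bound, so a later change to dirs[] or to the "ntp.oncore" name pattern would reintroduce the same stack corruption silently. Suggest replacing each with snprintf(device, sizeof(device), ...) and treating a return value >= sizeof(device) as "no such file" (move on to the next candidate) rather than calling fopen() on a truncated path. A short comment above the declaration stating the longest path the buffer is sized for would also help the next reader check it.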

_______________________________________________
freebsd...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-curre...@freebsd.org"
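The arithmetic in the report (22 bytes needed, 20 available) and the bounded alternative to sprintf() are easy to check in a few lines. The following is an added example written for this page, not code from the original post or from the ntp project; it reuses the directory table and the "ntp.oncore.<unit>" pattern quoted in the report and constructs the buffer sizes 20 and 32 from the report and the patch.

```c
/* Added example (not from the original post or from ntp): shows why a
 * 20-byte device[] overflows for "/etc/ntp/ntp.oncore.0" and how a bounded
 * snprintf() with a truncation check avoids writing past the buffer. */
#include <stdio.h>
#include <string.h>
#include <limits.h>

/* Same search directories as the refclock_oncore.c fragment quoted above. */
static const char *dirs[] = { "/etc/ntp", "/etc", 0 };

/* Bytes (including the terminating NUL) that "<dir>/ntp.oncore.<unit>"
 * needs. snprintf() with a NULL buffer and size 0 only measures; it writes
 * nothing, so this is safe to call with any inputs. */
size_t oncore_path_len(const char *dir, int unit)
{
    return (size_t)snprintf(NULL, 0, "%s/ntp.oncore.%d", dir, unit) + 1;
}

/* Bounded replacement for the sprintf() in the report. Writes the path into
 * buf (bufsize bytes) and returns 1 on success, 0 if it would not fit.
 * On truncation buf is NUL-terminated but holds a wrong path, so the caller
 * must treat 0 as "no such file" rather than opening buf. */
int oncore_path_build(char *buf, size_t bufsize, const char *dir, int unit)
{
    int n = snprintf(buf, bufsize, "%s/ntp.oncore.%d", dir, unit);
    if (n < 0 || (size_t)n >= bufsize)
        return 0;       /* encoding error or truncated: sprintf() would have overflowed here */
    return 1;
}

/* Largest buffer any entry of dirs[] can need for any int unit; this is the
 * number a reviewer compares a fixed device[] size against. INT_MIN is used
 * because "-2147483648" is the longest text "%d" can produce. */
size_t oncore_path_max_len(void)
{
    size_t max = 0;
    for (const char **cpp = dirs; *cpp; cpp++) {
        size_t n = oncore_path_len(*cpp, INT_MIN);
        if (n > max)
            max = n;
    }
    return max;
}

int main(void)
{
    char small[20];     /* the size in the original code */
    char fixed[32];     /* the size in the patch */

    printf("needed for /etc/ntp, unit 0: %zu bytes\n", oncore_path_len("/etc/ntp", 0));
    printf("fits in 20: %d, fits in 32: %d\n",
           oncore_path_build(small, sizeof small, "/etc/ntp", 0),
           oncore_path_build(fixed, sizeof fixed, "/etc/ntp", 0));
    printf("worst case over dirs[] for any unit: %zu bytes\n", oncore_path_max_len());
    return 0;
}
```

For the two directories on the page, the worst case over every possible int unit is exactly 32 bytes, so the patched size has no headroom at all; that is the reason the bounded form, which fails closed on truncation, is preferable to relying on the constant.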

chr.p...@gmail.com

Nov 26, 2012, 3:54:37 AM

There is still this bug in RELENG-8.3. Regards,