Bug 1165141

Summary: ntp: mreadvar command crash in ntpq
Product: Red Hat Enterprise Linux 6 Reporter: pradeep roy <ambopua>
Component: ntpAssignee: Miroslav Lichvar <mlichvar>
Status: CLOSED ERRATA QA Contact: Vaclav Danek <vdanek>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.5CC: fweimer, ovasik, psklenar, vdanek
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: ntp-4.2.6p5-3.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1180721 1180722 (view as bug list) Environment:
Last Closed: 2015-07-22 07:00:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Output when running ntpq with the bug reproducing command-line.
none
Changes to that fix the bug none

Description pradeep roy 2014-11-18 12:27:13 UTC 
Created attachment 958545 [details]
Output when running ntpq with the bug reproducing command-line.

Description of problem:

ntpq crashes on CentOS 6.5. I believe this would happen also on RHEL 6.5 because RHEL is the upstream provider for CentOS.

Version-Release number of selected component (if applicable):

$ rpm -q -i ntp

Name        : ntp                          Relocations: (not relocatable)
Version     : 4.2.6p5                           Vendor: CentOS
Release     : 1.el6.centos                  Build Date: Sat 23 Nov 2013 11:51:55 PM IST
Install Date: Tue 18 Nov 2014 02:04:53 PM IST      Build Host: c6b9.bsys.dev.centos.org
Group       : System Environment/Daemons    Source RPM: ntp-4.2.6p5-1.el6.centos.src.rpm
Size        : 1706943                          License: (MIT and BSD and BSD with advertising) and GPLv2
Signature   : RSA/SHA1, Mon 25 Nov 2013 01:02:50 AM IST, Key ID 0946fca2c105b9de
Packager    : CentOS BuildSystem <http://bugs.centos.org>
URL         : http://www.ntp.org
Summary     : The NTP daemon and utilities

-- snipped --

How reproducible:

Always.

Steps to Reproduce:

1. Install ntp.

$ sudo yum install ntp

2. Start the ntp service.

$ sudo service ntpd start

3. Run the following command-line:

$ ntpq -n -c raw -c associations -c  "mreadvar &1 &65535" 127.0.0.1


Actual results:

See, "ntpq-backtrace.txt" for the output and the backtrace.

Expected results:

ntpq should exit without crashing.


Additional info:
Comment 1 pradeep roy 2014-11-18 12:43:42 UTC 
Created attachment 958560 [details]
Changes to that fix the bug

I downloaded ntp's SRPM from here:

http://vault.centos.org/6.5/os/Source/SPackages/ntp-4.2.6p5-1.el6.centos.src.rpm

The ntpq binary was built after enabling debugging symbols. Using gdb, it was found that free() was being called on a stack variable in the mreadvar(), function in ntpq-subs.c. The solution is to initialize the variable so that free() no longer returned error. Attached is the fix.
Comment 7 errata-xmlrpc 2015-07-22 07:00:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1459.html