+++ This bug was initially created as a clone of Bug #1165141 +++

Description of problem:
ntpq crashes on CentOS 6.5. I believe this would happen also on RHEL 6.5 because RHEL is the upstream provider for CentOS.

Version-Release number of selected component (if applicable):
$ rpm -q -i ntp
Name : ntp Relocations: (not relocatable)
Version : 4.2.6p5 Vendor: CentOS
Release : 1.el6.centos Build Date: Sat 23 Nov 2013 11:51:55 PM IST
Install Date: Tue 18 Nov 2014 02:04:53 PM IST Build Host: c6b9.bsys.dev.centos.org
Group : System Environment/Daemons Source RPM: ntp-4.2.6p5-1.el6.centos.src.rpm
Size : 1706943 License: (MIT and BSD and BSD with advertising) and GPLv2
Signature : RSA/SHA1, Mon 25 Nov 2013 01:02:50 AM IST, Key ID 0946fca2c105b9de
Packager : CentOS BuildSystem <http://bugs.centos.org>
URL : http://www.ntp.org
Summary : The NTP daemon and utilities
-- snipped --

How reproducible:
Always.

Steps to Reproduce:
1. Install ntp.
   $ sudo yum install ntp
2. Start the ntp service.
   $ sudo service ntpd start
3. Run the following command line:
   $ ntpq -n -c raw -c associations -c "mreadvar &1 &65535" 127.0.0.1

Actual results:
See "ntpq-backtrace.txt" for the output and the backtrace.

Expected results:
ntpq should exit without crashing.

Additional info:

--- Additional comment from pradeep roy on 2014-11-18 13:43:42 CET ---

I downloaded ntp's SRPM from here:
http://vault.centos.org/6.5/os/Source/SPackages/ntp-4.2.6p5-1.el6.centos.src.rpm

The ntpq binary was built after enabling debugging symbols. Using gdb, it was found that free() was being called on a stack variable in the mreadvar() function in ntpq-subs.c. The solution is to initialize the variable so that free() no longer returns an error.

Attached is the fix.
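
An added example, not the ntpq source and not the attached fix: a hypothetical read_vars() illustrating the defect class described in the comment above, where cleanup code calls free() on pointers held in a stack variable, together with the fix of initializing that variable on every path. All names, the list layout and the comma-separated input are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

#define MAXLIST 8                      /* hypothetical list size */
struct var { char *name; };            /* hypothetical entry owning heap memory */

/* Free every set entry; correct only if unused slots are NULL. */
static int clear_list(struct var *list)
{
    int i, freed = 0;
    for (i = 0; i < MAXLIST; i++) {
        if (list[i].name != NULL) {
            free(list[i].name);
            list[i].name = NULL;
            freed++;
        }
    }
    return freed;
}

/* Copy comma-separated names into list; returns how many were stored. */
static int add_names(struct var *list, const char *csv)
{
    int n = 0;
    while (*csv != '\0' && n < MAXLIST) {
        size_t len = strcspn(csv, ",");
        char *copy = len ? malloc(len + 1) : NULL;
        if (copy != NULL) {
            memcpy(copy, csv, len);
            copy[len] = '\0';
            list[n++].name = copy;
        }
        csv += len + (csv[len] == ',');
    }
    return n;
}

/* Returns the number of names handled, or -1 if cleanup freed anything else.
 * In the defective form of this hypothetical function the memset() sits inside
 * the `if`, so names == NULL hands uninitialized stack contents to free(). */
int read_vars(const char *names)
{
    struct var tmplist[MAXLIST];
    int used = 0;
    memset(tmplist, 0, sizeof(tmplist));   /* fix: initialize on every path */
    if (names != NULL)
        used = add_names(tmplist, names);
    return clear_list(tmplist) == used ? used : -1;
}
```
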
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22