Bug 285065

Summary: NULL pointer dereference in ntpd
Product: Base System Reporter: Benjamin Jacobs <freebsd>
Component: binAssignee: Cy Schubert <cy>
Status: Closed FIXED    
Severity: Affects Only Me CC: cy, freebsd, markj, mp, ziaee
Priority: ---    
Version: Unspecified   
Hardware: Any   
OS: Any   

Description Benjamin Jacobs 2025-02-27 08:36:44 UTC 
Hello,

In contrib/ntp/ntpd/ntp_io.c the function update_interfaces deferences
the ep pointer which is NULL in the else branch, in here:

L1906:
	for (ep2 = newaddrs; ep2 != NULL; ep2 = next_ep) {
		next_ep = ep2->elink;
		ep2->elink = NULL;
		ep = create_interface(port, ep2);
		if (ep != NULL) {
			ifi.action = IFS_CREATED;
			ifi.ep = ep;
			if (receiver != NULL) {
				(*receiver)(data, &ifi);
			}
			new_interface_found = TRUE;
			DPRINT_INTERFACE(3,
				(ep, "updating ", " new - created\n"));
		}
		else {
			DPRINT_INTERFACE(3,
				(ep, "updating ", " new - FAILED"));

			msyslog(LOG_ERR,
				"cannot bind address %s",
				stoa(&ep->sin));
		}
		free(ep2);
	}

The bug is present in all branches.
It manifests in a crash of ntpd.

(lldb) bt
* thread #1, name = 'ntpd', stop reason = signal SIGSEGV
  * frame #0: 0x000bbb18 ntpd`socktoa(sock=0x00000018) at socktoa.c:46:10
    frame #1: 0x00060d28 ntpd`update_interfaces(port=123, receiver=<unavailable>, data=<unavailable>) at ntp_io.c:1926:5
    frame #2: 0x0005fb7c ntpd`io_open_sockets [inlined] create_sockets(port=123) at ntp_io.c:2036:2
    frame #3: 0x0005f760 ntpd`io_open_sockets at ntp_io.c:513:2
    frame #4: 0x0004bc14 ntpd`config_ntpd(ptree=0x208a90c0, input_from_files=<unavailable>) at ntp_config.c:5036:2
    frame #5: 0x00049964 ntpd`save_and_apply_config_tree(input_from_file=<unavailable>) at ntp_config.c:5276:2 [artificial]
    frame #6: 0x00049aec ntpd`getconfig(argc=<unavailable>, argv=<unavailable>) at ntp_config.c:5212:2
    frame #7: 0x0007f2f8 ntpd`ntpdmain(argc=0, argv=0xbfbfed4c) at ntpd.c:1141:2
    frame #8: 0x0007eaf0 ntpd`main(argc=<unavailable>, argv=<unavailable>) at ntpd.c:445:9
(lldb)
Comment 1 Mark Peek freebsd_committer freebsd_triage 2025-02-28 01:18:38 UTC 
Similar issue filed upstream:
https://bugs.ntp.org/show_bug.cgi?id=3939
Comment 2 commit-hook freebsd_committer freebsd_triage 2025-02-28 15:54:37 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=628715fdcc9f2226bfe0f4ebe381aaa7761cb6cc

commit 628715fdcc9f2226bfe0f4ebe381aaa7761cb6cc
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2025-02-28 15:46:23 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2025-02-28 15:53:22 +0000

    ntp: NULL pointer deref when create_interface() fails

    Fix NULL pointer dereference when create_interface() fails in
    update_interfaces(). The upstream bug report says a typo was introduced
    by https://bk.ntp.org/ntp-dev/ntpd/ntp_io.c?PAGE=diffs&REV=66175036PETA6g__fON8oNrjL54Ttw. ep should have been ep2.

    Fix obtained from upstream bug report.

    PR:             285065
    Upstream bug:   https://bugs.ntp.org/show_bug.cgi?id=3939
    MFC after:      1 minute

 contrib/ntp/ntpd/ntp_io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2025-02-28 15:59:39 UTC 
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=859aa726fb8642d8f329c7a34c51356c4eaeae88

commit 859aa726fb8642d8f329c7a34c51356c4eaeae88
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2025-02-28 15:46:23 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2025-02-28 15:59:00 +0000

    ntp: NULL pointer deref when create_interface() fails

    Fix NULL pointer dereference when create_interface() fails in
    update_interfaces(). The upstream bug report says a typo was introduced
    by https://bk.ntp.org/ntp-dev/ntpd/ntp_io.c?PAGE=diffs&REV=66175036PETA6g__fON8oNrjL54Ttw. ep should have been ep2.

    Fix obtained from upstream bug report.

    PR:             285065
    Upstream bug:   https://bugs.ntp.org/show_bug.cgi?id=3939

    (cherry picked from commit 628715fdcc9f2226bfe0f4ebe381aaa7761cb6cc)

 contrib/ntp/ntpd/ntp_io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 commit-hook freebsd_committer freebsd_triage 2025-02-28 15:59:41 UTC 
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=a3d32f9e6033a9083a22b7c9f25633430372e5b4

commit a3d32f9e6033a9083a22b7c9f25633430372e5b4
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2025-02-28 15:46:23 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2025-02-28 15:58:54 +0000

    ntp: NULL pointer deref when create_interface() fails

    Fix NULL pointer dereference when create_interface() fails in
    update_interfaces(). The upstream bug report says a typo was introduced
    by https://bk.ntp.org/ntp-dev/ntpd/ntp_io.c?PAGE=diffs&REV=66175036PETA6g__fON8oNrjL54Ttw. ep should have been ep2.

    Fix obtained from upstream bug report.

    PR:             285065
    Upstream bug:   https://bugs.ntp.org/show_bug.cgi?id=3939

    (cherry picked from commit 628715fdcc9f2226bfe0f4ebe381aaa7761cb6cc)

 contrib/ntp/ntpd/ntp_io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 Cy Schubert freebsd_committer freebsd_triage 2025-02-28 16:00:04 UTC 
Fixed. Thanks for pointing this out.
Comment 6 Helge Oldach 2025-02-28 17:26:40 UTC 
As ep is NULL in this else branch, shouldn't the &ep->sin (parameter to msyslog) be corrected similarly?