Path: utzoo!utgpu!watserv1!watmath!att!pacbell.com!ucsd!ucbvax!TRANSARC.COM!Ted_Anderson
From: Ted_Anderson@TRANSARC.COM
Newsgroups: comp.protocols.time.ntp
Subject: bug fix for ntp.3.4.1.9, patchlevel 13
Message-ID:
Date: 3 Dec 90 19:47:27 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Distribution: inet
Organization: The Internet
Lines: 23

I found a bug that affects the query_mode procedure when you are using a
local clock (read_local.c). The problem is that peer->sock is set to
getdtablesize() and (at least on AIX 3.1) this is 2000. In the query_mode
procedure it uses this number to index into the addrs table after only
checking to make sure sock is >= 0. This index by 2000 was enough to give
me a segfault. The fix is to bounds-check with nintf:

query_mode(dst, ntp, sock)
	struct sockaddr_in *dst;
	struct ntpdata *ntp;
	int sock;		/* which socket packet arrived on */
{
	<<< 19 lines deleted >>>
	while (peer != NULL) {
		cip->net_address = peer->src.sin_addr.s_addr;
		if ((peer->sock < 0) || (peer->sock >= nintf)) /* instead of: if (peer->sock < 0) */
			cip->my_address = htonl(0);
		else
			cip->my_address = addrs[peer->sock].sin.sin_addr.s_addr;
		cip->port = peer->src.sin_port;	/* already in network order */

Ted Anderson
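The check above, isolated as an added example that is not part of the post or of the ntp sources: a small constructed stand-in for ntpd's addrs[] table and nintf counter, with the lookup written the patched way so the local-clock pseudo-socket (peer->sock == getdtablesize()) maps to address 0 instead of indexing past the end of the table. The table contents and MAX_INTF are constructed values.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Constructed stand-in for ntpd's addrs[] / nintf: the array has room for
 * MAX_INTF entries but only the first nintf are initialised and valid. */
#define MAX_INTF 4
struct intf_entry { struct sockaddr_in sin; };
static struct intf_entry addrs[MAX_INTF];
static int nintf = 0;

static void init_table(void) {
    nintf = 2;
    addrs[0].sin.sin_addr.s_addr = htonl(0x7f000001u);  /* 127.0.0.1, constructed */
    addrs[1].sin.sin_addr.s_addr = htonl(0xc0a80001u);  /* 192.168.0.1, constructed */
}

/* Lookup as patched in the post: any descriptor outside [0, nintf) yields
 * address 0. The original code tested only sock < 0, so a descriptor equal
 * to getdtablesize() passed the check and read far beyond addrs[]. */
static uint32_t my_address(int sock) {
    if (sock < 0 || sock >= nintf)
        return htonl(0);
    return addrs[sock].sin.sin_addr.s_addr;
}

/* Returns 1 if the original (unpatched) test would have let this
 * descriptor reach the array index, 0 otherwise. */
static int old_check_passes(int sock) { return sock >= 0; }

int main(void) {
    init_table();
    int local_clock_sock = getdtablesize();  /* value read_local.c assigns, per the post */
    printf("local clock sock = %d, nintf = %d\n", local_clock_sock, nintf);
    printf("old check passes: %d, patched lookup -> 0x%08x\n",
           old_check_passes(local_clock_sock), ntohl(my_address(local_clock_sock)));
    printf("sock 1 -> 0x%08x\n", ntohl(my_address(1)));
    return 0;
}
```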