cmdmon: fix initialization of allocated reply slots

When allocating memory to save unacknowledged replies to authenticated
command requests, the last "next" pointer was not initialized to NULL.
When all allocated reply slots were used, the next reply could be
written to an invalid memory instead of allocating a new slot for it.

An attacker that has the command key and is allowed to access cmdmon
(only localhost is allowed by default) could exploit this to crash
chronyd or possibly execute arbitrary code with the privileges of the
chronyd process.

diff --git a/cmdmon.c b/cmdmon.c
index 58a6c90b2870796140adab957ebf43e45d9d4a0f..343baf406274d7f9c2134b31eb54a3cedc2d0fae 100644 (file)
--- a/cmdmon.c
+++ b/cmdmon.c
@@ -566,6 +566,7 @@ get_more_replies(void)
     for (i=1; i<REPLY_EXTEND_QUANTUM; i++) {
       new_replies[i-1].next = new_replies + i;
     }
+    new_replies[REPLY_EXTEND_QUANTUM - 1].next = NULL;
     free_replies = new_replies;
   }
 }