From: Dave Hart
Date: Thu, 7 May 2009 22:15:41 +0000 (+0000)
Subject: ntp_io.c: do not use FD_SET beyond FD_SETSIZE, watch for corruption of inter_list...
X-Git-Tag: NTP_4_2_4P7_RC6~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0c7c10208ed111338ff0f6f75fd5d12c025e1b9e;p=thirdparty%2Fntp.git
ntp_io.c: do not use FD_SET beyond FD_SETSIZE, watch for corruption of inter_list.head
bk: 4a035d8dTpU6i_KA2lKSNW32jjPNTA
---
diff --git a/ChangeLog b/ChangeLog
index f98dbb1f5..ec51d67ad 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,9 @@
 * [Bug 784] Make --enable-linuxcaps the default when available
 * Updated JJY reference clock driver from Takao abe
+* Log a message and exit before trying to use FD_SET with a descriptor
+ larger than FD_SETSIZE, which will corrupt memory beyond the fd_set
+* On corruption of the iface list head in add_interface, log and exit
 ---
 (4.2.4p7-RC5) 2009/05/02 Released by Harlan Stenn
diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c
index 45bfde9bc..102c22484 100644
--- a/ntpd/ntp_io.c
+++ b/ntpd/ntp_io.c
@@ -755,6 +755,24 @@ delete_interface(struct interface *interface)
 static void
 add_interface(struct interface *interface)
 {
+ static struct interface *listhead = NULL;
+
+ /*
+ * For ntpd, the first few interfaces (wildcard, localhost)
+ * will never be removed. This means inter_list.head is
+ * unchanging once initialized. Take advantage of that to
+ * watch for changes and catch corruption earlier. This
+ * helped track down corruption caused by using FD_SET with
+ * a descriptor numerically larger than FD_SETSIZE.
+ */
+ if (NULL == listhead)
+ listhead = inter_list.head;
+
+ if (listhead != inter_list.head) {
+ msyslog(LOG_ERR, "add_interface inter_list.head corrupted: was %p now %p",
+ listhead, inter_list.head);
+ exit(1);
+ }
 /*
 * Calculate the address hash
 */
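Review bot: The corruption check in add_interface exits ntpd whenever inter_list.head differs from the first non-NULL value it latched, so its safety rests entirely on the comment's assumption that the first entries are never unlinked; if any path (delete_interface is the preceding function per the hunk header) can legitimately remove or replace the head, this becomes a self-inflicted outage rather than a corruption signal. It would help to record that invariant where entries are removed from the list as well, or to relatch `listhead` there. Separately, the `%p` arguments should be passed as `void *`: `(void *)listhead, (void *)inter_list.head);`. The check is a tripwire that fires only when an interface is added and does not itself bound any write; add_interface's body continues past the hunk.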
@@ -3660,6 +3678,11 @@ add_fd_to_list(SOCKET fd, enum desc_type type) {
 * I/O Completion Ports don't care about the select and FD_SET
 */
 #ifndef HAVE_IO_COMPLETION_PORT
+ if (fd < 0 || fd >= FD_SETSIZE) {
+ msyslog(LOG_ERR, "Too many sockets in use, FD_SETSIZE %d exceeded",
+ FD_SETSIZE);
+ exit(1);
+ }
 /*
 * keep activefds in sync
 */
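Review bot: The log line for the new bound check in add_fd_to_list reports only FD_SETSIZE and says "Too many sockets" even when the branch was taken for `fd < 0`, so the offending descriptor is lost at the moment it matters for diagnosis. Logging the value and casting both arguments to match `%d` would fix that: `msyslog(LOG_ERR, "add_fd_to_list: fd %d outside 0..%d", (int)fd, (int)FD_SETSIZE - 1);`. The guard covers only this function's `#ifndef HAVE_IO_COMPLETION_PORT` path, so any other FD_SET call sites outside the hunk would need the same bound. Exiting turns a would-be out-of-bounds write into a hard stop, which is the safe direction, though closing and rejecting the socket would avoid giving descriptor exhaustion the power to terminate the daemon. The function body starts before and continues after the hunk.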