From: Miroslav Lichvar
Date: Mon, 30 Mar 2015 13:13:27 +0000 (+0200)
Subject: cmdmon: fix initialization of allocated reply slots
X-Git-Tag: 1.31.1~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=79eacdb7e694c7e6681b68006425df3faca51aec;p=thirdparty%2Fchrony.git

cmdmon: fix initialization of allocated reply slots

When allocating memory to save unacknowledged replies to authenticated command requests, the last "next" pointer was not initialized to NULL. When all allocated reply slots were used, the next reply could be written to invalid memory instead of allocating a new slot for it.

An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could exploit this to crash chronyd or possibly execute arbitrary code with the privileges of the chronyd process.

---

diff --git a/cmdmon.c b/cmdmon.c index 58a6c90b..343baf40 100644 --- a/cmdmon.c +++ b/cmdmon.c @@ -566,6 +566,7 @@ get_more_replies(void) for (i=1; i
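Review bot: In get_more_replies(), at the `for (i=1; ...` loop that the hunk touches, the single added line (the header shows 6 lines becoming 7) deserves a short comment stating that the last slot's "next" must be NULL so that exhausting the slots triggers a new allocation rather than a write through a stale pointer, as the commit message describes. Without that comment the terminator is easy to lose in a later refactor of the loop. The diff text on this page is cut off after `for (i=1; i`, so the added line itself cannot be checked here; when reviewing the full commit, confirm that the NULL is assigned to the final element of the newly allocated block and not only to the element the loop index ends on. Since the commit message rates this as a possible crash or code execution for a holder of the command key, a test that sends enough authenticated requests to use up all allocated reply slots would be a useful companion to the fix.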