From Nicholas_Briggs.PARC@xerox.com Sun Jun 16 03:33:29 1996
X-NS-Transport-ID: 0000AA008EE70CC43566
Date: Sun, 26 May 1996 18:05:20 PDT
From: Nicholas_Briggs.PARC@xerox.com
Subject: Re:  bug in ntpq
In-Reply-to: "Mills@huey.udel:edu:Xerox's message of Fri, 24 May 1996 18:16:33 PDT"
To: Mills@huey.udel.edu
cc: Nicholas_Briggs.PARC@xerox.com, Briggs.PARC@xerox.com

It's tock.usno.navy.mil that is provoking the problem -- the refid, you'll
notice below, is '"USN'.

The bug is in nextvar, which assumes that it can parse "datalen" bytes, but
doesn't check for values that exceed the MAXVALLEN as it copies them into the
"static char value[MAXVALLEN]" string.   As a result, it smashes memory, which
just happens to show up as a SIGSEGV when the system "exit" tries to clean up
the open files.

Who was it who said "Parsing is the Vietnam of Computer Science"?

					\nick

current host set to tock.usno.navy.mil
ntpq> pe
     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================

Breakpoint 1, doprintpeers (pvl=0x12e84, associd=17388, rstatus=37908,
datalen=608,
    data=0x15900 "srcadr=127.127.16.0, srcport=123, dstadr=127.0.0.1,
dstport=123,\r\nkeyid=0, stratum=0, precision=-21, rootdelay=0.00,
rootdispersion=0.00,\r\nrefid=\"USN, reftime=0xb55362d5.010b1000, delay=0.00,
offset=0"...,
    fp=0x154ac) at ntpq_ops.c:1280

current host set to tick.usno.navy.mil
ntpq> pe
     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================

Breakpoint 1, doprintpeers (pvl=0x12e84, associd=11196, rstatus=37908,
datalen=605,
    data=0x15900 "srcadr=127.127.16.0, srcport=123, dstadr=127.0.0.1,
dstport=123,\r\nkeyid=0, stratum=0, precision=-21, rootdelay=0.00,
rootdispersion=0.00,\r\nrefid=, reftime=0xb5536347.bdf14000, delay=0.00,
offset=-0.01"..., fp=0x154ac)
    at ntpq_ops.c:1280


					\nick
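The missing bound described above, shown in a hardened re-implementation of the nextvar() idea. This is an added example, not ntpq's own code: the function name next_var, the return convention and the buffer sizes (256) are assumptions; the sample data is constructed from the gdb output in the report, with a trailing pad standing in for the rest of the 608-byte reply.

```c
#include <ctype.h>
#include <string.h>

#define MAXVARLEN 256   /* assumed sizes; the real ntpq values are not on the page */
#define MAXVALLEN 256

/* Pull the next "name=value" pair out of *datalenp bytes at *datap, advancing
 * both. Returns 1 on a pair, 0 when the data is exhausted, -1 when a name or
 * value would not fit its buffer (the check the original copy lacked). */
int next_var(const char **datap, int *datalenp, char *name, char *value)
{
    const char *cp = *datap;
    const char *end = cp + *datalenp;
    const char *start;
    size_t n;

    /* skip separators and the \r\n line breaks seen in the reply text */
    while (cp < end && (*cp == ',' || isspace((unsigned char)*cp))) cp++;
    if (cp >= end) return 0;

    start = cp;                              /* name runs to '=' or ',' */
    while (cp < end && *cp != '=' && *cp != ',') cp++;
    n = (size_t)(cp - start);
    while (n > 0 && isspace((unsigned char)start[n - 1])) n--;
    if (n >= MAXVARLEN) return -1;           /* bounded: never overrun name[] */
    memcpy(name, start, n); name[n] = '\0';

    value[0] = '\0';
    if (cp < end && *cp == '=') {
        cp++;
        while (cp < end && isspace((unsigned char)*cp)) cp++;
        start = cp;
        if (cp < end && *cp == '"') {
            /* quoted value: an unterminated quote like the '"USN' refid
             * swallows everything up to the end of the data */
            cp++;
            while (cp < end && *cp != '"') cp++;
            if (cp < end) cp++;
        } else {
            while (cp < end && *cp != ',') cp++;
        }
        n = (size_t)(cp - start);
        while (n > 0 && isspace((unsigned char)start[n - 1])) n--;
        if (n >= MAXVALLEN) return -1;       /* bounded: never overrun value[] */
        memcpy(value, start, n); value[n] = '\0';
    }
    if (cp < end && *cp == ',') cp++;
    *datalenp = (int)(end - cp);
    *datap = cp;
    return 1;
}
```

With datalen as the only limit, an unterminated quote turns the whole remainder of the reply into one value, which is exactly the case the -1 path refuses.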

