diff -Nru ntp-4.2.6.p5+dfsg/debian/changelog ntp-4.2.6.p5+dfsg/debian/changelog
--- ntp-4.2.6.p5+dfsg/debian/changelog 2015-04-13 09:01:15.000000000 -0400
+++ ntp-4.2.6.p5+dfsg/debian/changelog 2015-09-02 09:58:27.000000000 -0400
@@ -1,3 +1,15 @@
+ntp (1:4.2.6.p5+dfsg-3ubuntu7) wily; urgency=medium
+
+ * Fix use-after-free in routing socket code (closes: #795315)
+ - debian/patches/use-after-free-in-routing-socket.patch
+ fix logic in ntpd/ntp_io.c
+
+ * Fix to ignore ENOBUFS on routing netlink socket
+ - debian/patches/ignore-ENOBUFS-on-routing-netlink-socket.patch
+ fix logic in ntpd/ntp_io.c
+
+ -- Eric Desrochers Wed, 02 Sep 2015 09:57:16 -0400
+
 ntp (1:4.2.6.p5+dfsg-3ubuntu6) vivid; urgency=medium
 
 * SECURITY UPDATE: ntp-keygen infinite loop or lack of randonmess on big
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ignore-ENOBUFS-on-routing-netlink-socket.patch ntp-4.2.6.p5+dfsg/debian/patches/ignore-ENOBUFS-on-routing-netlink-socket.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ignore-ENOBUFS-on-routing-netlink-socket.patch 1969-12-31 19:00:00.000000000 -0500
+++ ntp-4.2.6.p5+dfsg/debian/patches/ignore-ENOBUFS-on-routing-netlink-socket.patch 2015-09-02 09:55:55.000000000 -0400
@@ -0,0 +1,32 @@
+Description: [Bug 2890] Ignore ENOBUFS on routing netlink socket.
+
+Recv from netlink socket can return ENOBUFS if kernel failed to allocate buffer
+for broadcast message. This happens from time-time on high-loaded systems with
+a lot of interface and huge routing tables.
+
+Bug : http://bugs.ntp.org/show_bug.cgi?id=2890
+Author:
+Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c
+===================================================================
+--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_io.c
++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c
+@@ -4433,10 +4433,15 @@ process_routing_msgs(struct asyncio_read
+ cnt = read(reader->fd, buffer, sizeof(buffer));
+
+ if (cnt < 0) {
+- msyslog(LOG_ERR,
+- "i/o error on routing socket %m - disabling");
+- remove_asyncio_reader(reader);
+- delete_asyncio_reader(reader);
++ if (errno == ENOBUFS) {
++ msyslog(LOG_ERR,
++ "routing socket reports: %m");
++ } else {
++ msyslog(LOG_ERR,
++ "routing socket reports: %m - disabling");
++ remove_asyncio_reader(reader);
++ delete_asyncio_reader(reader);
++ }
+ return;
+ }
+
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/series ntp-4.2.6.p5+dfsg/debian/patches/series
--- ntp-4.2.6.p5+dfsg/debian/patches/series 2015-04-13 08:58:47.000000000 -0400
+++ ntp-4.2.6.p5+dfsg/debian/patches/series 2015-09-02 09:53:02.000000000 -0400
@@ -19,3 +19,5 @@
 CVE-2015-1798.patch
 CVE-2015-1799.patch
 ntp-keygen-endless-loop.patch
+use-after-free-in-routing-socket.patch
+ignore-ENOBUFS-on-routing-netlink-socket.patch
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/use-after-free-in-routing-socket.patch ntp-4.2.6.p5+dfsg/debian/patches/use-after-free-in-routing-socket.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/use-after-free-in-routing-socket.patch 1969-12-31 19:00:00.000000000 -0500
+++ ntp-4.2.6.p5+dfsg/debian/patches/use-after-free-in-routing-socket.patch 2015-09-02 09:52:17.000000000 -0400
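Review bot: In the nested ntp_io.c hunk of ignore-ENOBUFS-on-routing-netlink-socket.patch, the new `errno == ENOBUFS` branch logs and returns, but ENOBUFS on a netlink socket means the kernel dropped notifications, so an address or route change may have been missed and nothing visible in the hunk schedules a fresh interface scan. The branch deserves a comment saying so, for example `/* kernel dropped routing messages; interface list may be stale until the next scan */`, and if the remainder of process_routing_msgs (which continues outside this hunk) has a rescan trigger, it should be reached before the `return`. The patch description says the condition recurs on busy hosts, so the unthrottled `msyslog(LOG_ERR, "routing socket reports: %m")` can repeat at a high rate and crowd out other daemon errors; a lower priority such as `LOG_INFO` or rate limiting would keep the log usable for detection.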
@@ -0,0 +1,33 @@
+Description: Fix use-after-free in routing socket code.
+Origin: backport, https://bugs.ntp.org/attachment.cgi?id=883
+Bug: http://bugs.ntp.org/2224
+Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c
+===================================================================
+--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_io.c
++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c
+@@ -3534,7 +3534,8 @@ input_handler(
+ int select_count = 0;
+ endpt *ep;
+ #if defined(HAS_ROUTING_SOCKET)
+- struct asyncio_reader *asyncio_reader;
++ struct asyncio_reader * asyncio_reader;
++ struct asyncio_reader * next_asyncio_reader;
+ #endif
+
+ handler_calls++;
+@@ -3637,11 +3638,13 @@ input_handler(
+ asyncio_reader = asyncio_reader_list;
+
+ while (asyncio_reader != NULL) {
++ /* callback may unlink and free asyncio_reader */
++ next_asyncio_reader = asyncio_reader->link;
+ if (FD_ISSET(asyncio_reader->fd, &fds)) {
+ ++select_count;
+- (asyncio_reader->receiver)(asyncio_reader);
++ (*asyncio_reader->receiver)(asyncio_reader);
+ }
+- asyncio_reader = asyncio_reader->link;
++ asyncio_reader = next_asyncio_reader;
+ }
+ #endif /* HAS_ROUTING_SOCKET */
+
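Review bot: The saved `next_asyncio_reader` in the second nested hunk only protects the list walk when a receiver unlinks and frees its own node; if a receiver ever removed a different reader, in particular the successor, `next_asyncio_reader` would become the dangling pointer instead. The only receiver visible on this page, process_routing_msgs, removes just the reader it was passed, so this looks safe as written, but the invariant should be stated where the pointer is saved: `/* callback may unlink and free asyncio_reader itself; it must not remove any other reader */`. input_handler starts and ends outside both nested hunks, so whether anything else modifies asyncio_reader_list during the loop cannot be confirmed from here.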