Ted_Anderson@TRANSARC.COM (12/04/90)
I found a bug that affects the query_mode procedure when you are using
a local clock (read_local.c). The problem is that the peer->sock is
set to getdtablesize() and (at least on AIX3.1) this is 2000. In the
query_mode procedure it uses this number to index into the addrs table
after only checking to make sure sock is >= 0. This index by 2000 was
enough to give me a segfault. The fix is to bounds check with nintf:
query_mode(dst, ntp, sock)
    struct sockaddr_in *dst;
    struct ntpdata *ntp;
    int sock;               /* which socket packet arrived on */
{
<<< 19 lines deleted >>>
    while (peer != NULL) {
        cip->net_address = peer->src.sin_addr.s_addr;
        if ((peer->sock < 0) || (peer->sock >= nintf))
            /* instead of: if (peer->sock < 0) */
            cip->my_address = htonl(0);
        else
            cip->my_address = addrs[peer->sock].sin.sin_addr.s_addr;
        cip->port = peer->src.sin_port;   /* already in network order */
Ted Anderson
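The bounds check from the post, as an added stand-alone example (not the original ntpd code): a constructed interface table addrs[]/nintf, a sock index of 2000 as the local-clock peer would carry, and a lookup that zeroes the address for any index outside [0, nintf) instead of only rejecting negatives. The struct and function names here are assumptions for illustration.

```c
#include <arpa/inet.h>   /* htonl, inet_addr, inet_ntoa */
#include <netinet/in.h>  /* struct sockaddr_in, in_addr_t */
#include <stdio.h>

/* Constructed stand-ins for ntpd's interface table and its length. */
struct intf { struct sockaddr_in sin; };
#define MAX_INTF 4
static struct intf addrs[MAX_INTF];
static int nintf = 0;            /* number of valid entries in addrs[] */

/* Constructed fixture: two interfaces, as if ntpd had enumerated them. */
void setup_interfaces(void)
{
    nintf = 0;
    addrs[nintf++].sin.sin_addr.s_addr = inet_addr("192.0.2.10");
    addrs[nintf++].sin.sin_addr.s_addr = inet_addr("192.0.2.11");
}

/* The original test was only (sock < 0); a local-clock peer whose sock
 * was set to getdtablesize() passed it and indexed far past addrs[]. */
int sock_index_rejected(int sock)
{
    return sock < 0 || sock >= nintf;
}

/* Hardened lookup: out-of-range indexes report htonl(0) rather than
 * reading addrs[sock] beyond the table. */
in_addr_t my_address_for(int sock)
{
    if (sock_index_rejected(sock))
        return htonl(0);
    return addrs[sock].sin.sin_addr.s_addr;
}

int main(void)
{
    int local_sock = 2000;   /* constructed: getdtablesize() on AIX 3.1 per the post */
    int real_sock = 1;
    setup_interfaces();
    printf("sock=%d: %s\n", local_sock,
           sock_index_rejected(local_sock) ? "out of range, address zeroed"
                                           : "in range");
    printf("sock=%d: %s\n", real_sock,
           inet_ntoa(addrs[real_sock].sin.sin_addr));
    (void)my_address_for(local_sock);
    return 0;
}
```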