cmdmon: fix initialization of allocated reply slots
When allocating memory to save unacknowledged replies to authenticated command requests, the last "next" pointer was not initialized to NULL. When all allocated reply slots were used, the next reply could be written to an invalid memory instead of allocating a new slot for it. An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could exploit this to crash chronyd or possibly execute arbitrary code with the privileges of the chronyd process.
This commit is contained in:
Miroslav Lichvar
parent
cf19042ecb
commit
79eacdb7e6
1 changed files with 1 additions and 0 deletions
1
cmdmon.c
1
cmdmon.c
|
|
@ -566,6 +566,7 @@ get_more_replies(void)
|
|||
for (i=1; i<REPLY_EXTEND_QUANTUM; i++) {
|
||||
new_replies[i-1].next = new_replies + i;
|
||||
}
|
||||
new_replies[REPLY_EXTEND_QUANTUM - 1].next = NULL;
|
||||
free_replies = new_replies;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue