From 79eacdb7e694c7e6681b68006425df3faca51aec Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Mon, 30 Mar 2015 15:13:27 +0200
Subject: [PATCH] cmdmon: fix initialization of allocated reply slots

When allocating memory to save unacknowledged replies to authenticated
command requests, the last "next" pointer was not initialized to NULL.
When all allocated reply slots were used, the next reply could be
written to an invalid memory instead of allocating a new slot for it.

An attacker that has the command key and is allowed to access cmdmon
(only localhost is allowed by default) could exploit this to crash
chronyd or possibly execute arbitrary code with the privileges of the
chronyd process.
---
 cmdmon.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cmdmon.c b/cmdmon.c
index 58a6c90..343baf4 100644
--- a/cmdmon.c
+++ b/cmdmon.c
@@ -566,6 +566,7 @@ get_more_replies(void)
     for (i=1; i<REPLY_EXTEND_QUANTUM; i++) {
       new_replies[i-1].next = new_replies + i;
     }
+    new_replies[REPLY_EXTEND_QUANTUM - 1].next = NULL;
     free_replies = new_replies;
   }
 }