From: Harlan Stenn <stenn@ntp.org>
Date: Wed, 4 Nov 2015 08:39:12 +0000 (+0000)
Subject: [Sec 2956] small-step/big-step.  Close the panic gate earlier.
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=172646dd5b9c5cbd52f36980ed54f66ece8fc66d;p=thirdparty%2Fntp.git

[Sec 2956] small-step/big-step.  Close the panic gate earlier.

bk: 5639c430o8N8--q31B35xMpgxjcwdg
---

diff --git a/ChangeLog b/ChangeLog
index c60c8c660..22e406a21 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,6 @@
 ---
+
+* [Sec 2956] small-step/big-step.  Close the panic gate earlier.
 * [Bug 2954] Version 4.2.8p4 crashes on startup with sig fault
   - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
   - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
diff --git a/libntp/systime.c b/libntp/systime.c
index f5eabcd1c..00fd8dda5 100644
--- a/libntp/systime.c
+++ b/libntp/systime.c
@@ -25,6 +25,9 @@
 # include <utmpx.h>
 #endif /* HAVE_UTMPX_H */
 
+/* The next line is from ntpd.h */
+extern int	allow_panic;		/* allow panic correction (-g) */
+extern int	enable_panic_check;	/* Can we check allow_panic's state? */
 
 #ifndef USE_COMPILETIME_PIVOT
 # define USE_COMPILETIME_PIVOT 1
@@ -295,8 +298,13 @@ adj_systime(
 	 * EVNT_NSET adjtime() can be aborted by a tiny adjtime()
 	 * triggered by sys_residual.
 	 */
-	if (0. == now)
+	if (0. == now) {
+		if (enable_panic_check && allow_panic) {
+			msyslog(LOG_ERR, "adj_systime: allow_panic is TRUE!");
+			INSIST(!allow_panic);
+		}
 		return TRUE;
+	}
 
 	/*
 	 * Most Unix adjtime() implementations adjust the system clock
@@ -333,9 +341,15 @@ adj_systime(
 	if (adjtv.tv_sec != 0 || adjtv.tv_usec != 0) {
 		if (adjtime(&adjtv, &oadjtv) < 0) {
 			msyslog(LOG_ERR, "adj_systime: %m");
+			if (enable_panic_check && allow_panic) {
+				msyslog(LOG_ERR, "adj_systime: allow_panic is TRUE!");
+			}
 			return FALSE;
 		}
 	}
+	if (enable_panic_check && allow_panic) {
+		msyslog(LOG_ERR, "adj_systime: allow_panic is TRUE!");
+	}
 	return TRUE;
 }
 #endif
@@ -419,6 +433,9 @@ step_systime(
 	/* now set new system time */
 	if (ntp_set_tod(&timetv, NULL) != 0) {
 		msyslog(LOG_ERR, "step-systime: %m");
+		if (enable_panic_check && allow_panic) {
+			msyslog(LOG_ERR, "step_systime: allow_panic is TRUE!");
+		}
 		return FALSE;
 	}
 
@@ -445,7 +462,7 @@ step_systime(
 	 *	   long    ut_time;
 	 * };
 	 * and appends line="|", name="date", host="", time for the OLD
-	 * and appends line="{", name="date", host="", time for the NEW
+	 * and appends line="{", name="date", host="", time for the NEW // }
 	 * to _PATH_WTMP .
 	 *
 	 * Some OSes have utmp, some have utmpx.
@@ -564,6 +581,10 @@ step_systime(
 #endif /* UPDATE_WTMPX */
 
 	}
+	if (enable_panic_check && allow_panic) {
+		msyslog(LOG_ERR, "step_systime: allow_panic is TRUE!");
+		INSIST(!allow_panic);
+	}
 	return TRUE;
 }
 
diff --git a/ntpd/ntp_loopfilter.c b/ntpd/ntp_loopfilter.c
index 42c30de56..1c06daba1 100644
--- a/ntpd/ntp_loopfilter.c
+++ b/ntpd/ntp_loopfilter.c
@@ -155,6 +155,7 @@ int	ext_enable;		/* external clock enabled */
 int	pps_stratum;		/* pps stratum */
 int	kernel_status;		/* from ntp_adjtime */
 int	allow_panic = FALSE;	/* allow panic correction (-g) */
+int	enable_panic_check = TRUE;	/* Can we check allow_panic's state? */
 int	force_step_once = FALSE; /* always step time once at startup (-G) */
 int	mode_ntpdate = FALSE;	/* exit on first clock set (-q) */
 int	freq_cnt;		/* initial frequency clamp */
@@ -464,11 +465,10 @@ local_clock(
 	 * monitor and record the offsets anyway in order to determine
 	 * the open-loop response and then go home.
 	 */
-#ifdef LOCKCLOCK
+#ifndef LOCKCLOCK
+	if (!ntp_enable)
+#endif /* not LOCKCLOCK */
 	{
-#else
-	if (!ntp_enable) {
-#endif /* LOCKCLOCK */
 		record_loop_stats(fp_offset, drift_comp, clock_jitter,
 		    clock_stability, sys_poll);
 		return (0);
@@ -493,6 +493,8 @@ local_clock(
 		return (-1);
 	}
 
+	allow_panic = FALSE;
+
 	/*
 	 * This section simulates ntpdate. If the offset exceeds the
 	 * step threshold (128 ms), step the clock to that time and
@@ -538,12 +540,8 @@ local_clock(
 		else
 			dtemp = (peer->delay - sys_mindly) / 2;
 		fp_offset += dtemp;
-#ifdef DEBUG
-		if (debug)
-			printf(
-		    "local_clock: size %d mindly %.6f huffpuff %.6f\n",
-			    sys_hufflen, sys_mindly, dtemp);
-#endif
+		DPRINTF(1, ("local_clock: size %d mindly %.6f huffpuff %.6f\n",
+			    sys_hufflen, sys_mindly, dtemp));
 	}
 
 	/*
@@ -694,7 +692,6 @@ local_clock(
 		 * startup until the initial transient has subsided.
 		 */
 		default:
-			allow_panic = FALSE;
 			if (freq_cnt == 0) {
 
 				/*
@@ -921,15 +918,11 @@ local_clock(
 	 */
 	record_loop_stats(clock_offset, drift_comp, clock_jitter,
 	    clock_stability, sys_poll);
-#ifdef DEBUG
-	if (debug)
-		printf(
-		    "local_clock: offset %.9f jit %.9f freq %.3f stab %.3f poll %d\n",
+	DPRINTF(1, ("local_clock: offset %.9f jit %.9f freq %.3f stab %.3f poll %d\n",
 		    clock_offset, clock_jitter, drift_comp * 1e6,
-		    clock_stability * 1e6, sys_poll);
-#endif /* DEBUG */
+		    clock_stability * 1e6, sys_poll));
 	return (rval);
-#endif /* LOCKCLOCK */
+#endif /* not LOCKCLOCK */
 }
 
 
@@ -1005,7 +998,10 @@ adj_host_clock(
 	 * but does not automatically stop slewing when an offset
 	 * has decayed to zero.
 	 */
+	DEBUG_INSIST(enable_panic_check == TRUE);
+	enable_panic_check = FALSE;
 	adj_systime(offset_adj + freq_adj);
+	enable_panic_check = TRUE;
 #endif /* LOCKCLOCK */
 }
 
@@ -1019,12 +1015,9 @@ rstclock(
 	double	offset		/* new offset */
 	)
 {
-#ifdef DEBUG
-	if (debug > 1)
-		printf("local_clock: mu %lu state %d poll %d count %d\n",
+	DPRINTF(2, ("rstclock: mu %lu state %d poll %d count %d\n",
 		    current_time - clock_epoch, trans, sys_poll,
-		    tc_counter);
-#endif
+		    tc_counter));
 	if (trans != state && trans != EVNT_FSET)
 		report_event(trans, NULL, NULL);
 	state = trans;
@@ -1236,10 +1229,7 @@ loop_config(
 	int	i;
 	double	ftemp;
 
-#ifdef DEBUG
-	if (debug > 1)
-		printf("loop_config: item %d freq %f\n", item, freq);
-#endif
+	DPRINTF(2, ("loop_config: item %d freq %f\n", item, freq));
 	switch (item) {
 
 	/*
diff --git a/ntpdate/ntpdate.c b/ntpdate/ntpdate.c
index 9831929c4..823a57f77 100644
--- a/ntpdate/ntpdate.c
+++ b/ntpdate/ntpdate.c
@@ -198,6 +198,9 @@ int verbose = 0;
 int always_step = 0;
 int never_step = 0;
 
+int allow_panic = FALSE;	/* glue for bug 2956 */
+int enable_panic_check = TRUE;	/* Can we check allow_panic's state? */
+
 int 	ntpdatemain (int, char **);
 
 static	void	transmit	(struct server *);
diff --git a/ntpsnmpd/ntpsnmpd.c b/ntpsnmpd/ntpsnmpd.c
index d96ad3af4..57c94fee5 100644
--- a/ntpsnmpd/ntpsnmpd.c
+++ b/ntpsnmpd/ntpsnmpd.c
@@ -43,6 +43,9 @@ stop_server(int a) {
  * wait for SNMP requests coming from the master agent 
  */
 
+int allow_panic = FALSE;	/* Glue for Bug 2956 */
+int enable_panic_check = TRUE;	/* Can we check allow_panic's state? */
+
 int
 main (int argc, char **argv) {
   int background = 0; /* start as background process */
diff --git a/sntp/main.c b/sntp/main.c
index 870db9350..3dacd89f0 100644
--- a/sntp/main.c
+++ b/sntp/main.c
@@ -17,6 +17,9 @@
 #include "libntp.h"
 
 
+int allow_panic = FALSE;	/* Glue for bug 2956 */
+int enable_panic_check = TRUE;	/* Can we check allow_panic's state? */
+
 int shutting_down;
 int time_derived;
 int time_adjusted;