From: Harlan Stenn Date: Thu, 14 Jan 2016 07:56:32 +0000 (+0000) Subject: Merge psp-at1.ntp.org:/home/perlinger/ntp-stable-2948 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9225512c3842bccf5b24e648a9559d41772cbba6;p=thirdparty%2Fntp.git Merge psp-at1.ntp.org:/home/perlinger/ntp-stable-2948 into psp-at1.ntp.org:/a/local/amd/amd.stage/thump2-g3/export/ntp/home/stenn/ntp-stable-p6 bk: 569754b00BdWIv82qQAzGbUV-96uLA --- 9225512c3842bccf5b24e648a9559d41772cbba6 diff --cc ChangeLog index c0aa1db4a,55d152ef4..264da8e63 --- a/ChangeLog +++ b/ChangeLog @@@ -1,95 -1,8 +1,96 @@@ --- -* [Bug 2948] Potential Infinite Loop in ntpq ( and ntpdc) perlinger@ntp.org + +* [Sec 2935] Deja Vu: Replay attack on authenticated broadcast mode. HStenn. +* [Sec 2937] ntpq: nextvar() missing length check. perlinger@ntp.org +* [Sec 2938] ntpq saveconfig command allows dangerous characters + in filenames. perlinger@ntp.org +* [Sec 2939] reslist NULL pointer dereference. perlinger@ntp.org +* [Sec 2940] Stack exhaustion in recursive traversal of restriction + list. perlinger@ntp.org +* [Sec 2945] Zero Origin Timestamp Bypass. perlinger@ntp.org ++* [Sec 2948] Potential Infinite Loop in ntpq ( and ntpdc) perlinger@ntp.org +* Make leapsec_query debug messages less verbose. Harlan Stenn. + +--- +(4.2.8p5) 2016/01/07 Released by Harlan Stenn + +* [Sec 2956] small-step/big-step. Close the panic gate earlier. HStenn. +* CID 1339955: Free allocated memory in caljulian test. HStenn. +* CID 1339962: Explicitly initialize variable in caljulian test. HStenn. +* CID 1341527: Quiet a CHECKED_RETURN in sntp/tests/t-log.c. HStenn. +* CID 1341533: Missing assertion in sntp/tests/t-log.c. HStenn. +* CID 1341534: Resource leak in tests/ntpd/t-ntp_signd.c. HStenn. +* CID 1341535: Resource leak in tests/ntpd/t-ntp_signd.c. HStenn. +* CID 1341536: Resource leak in tests/ntpd/t-ntp_signd.c. HStenn. +* CID 1341537: Resource leak in tests/ntpd/t-ntp_signd.c. HStenn. +* CID 1341538: Memory leak in tests/ntpd/ntp_prio_q.c:262. HStenn. +* CID 1341677: Nits in sntp/tests/keyFile.c. HStenn. +* CID 1341678: Nits in sntp/tests/keyFile.c. HStenn. +* CID 1341679: Nits in sntp/tests/keyFile.c. HStenn. +* CID 1341680: Nits in sntp/tests/keyFile.c. HStenn. +* CID 1341681: Nits in sntp/tests/keyFile.c. HStenn. +* CID 1341682: Nit in libntp/authreadkeys.c. HStenn. +* CID 1341684: Nit in tests/ntpd/t-ntp_signd.c. HStenn. +* [Bug 2829] Look at pipe_fds in ntpd.c (did so. perlinger@ntp.org) +* [Bug 2887] stratum -1 config results as showing value 99 + - fudge stratum should only accept values [0..16]. perlinger@ntp.org +* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn. +* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray +* [Bug 2944] errno is not preserved properly in ntpdate after sendto call. + - applied patch by Christos Zoulas. perlinger@ntp.org +* [Bug 2952] Symmetric active/passive mode is broken. HStenn. +* [Bug 2954] Version 4.2.8p4 crashes on startup with sig fault + - fixed data race conditions in threaded DNS worker. perlinger@ntp.org + - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org +* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org + - accept key file only if there are no parsing errors + - fixed size_t/u_int format clash + - fixed wrong use of 'strlcpy' +* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres. +* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org + - fixed several other warnings (cast-alignment, missing const, missing prototypes) + - promote use of 'size_t' for values that express a size + - use ptr-to-const for read-only arguments + - make sure SOCKET values are not truncated (win32-specific) + - format string fixes +* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki. +* [Bug 2967] ntpdate command suffers an assertion failure + - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org +* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with + lots of clients. perlinger@ntp.org +* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call + - changed stacked/nested handling of CTRL-C. perlinger@ntp.org +* Unity cleanup for FreeBSD-6.4. Harlan Stenn. +* Unity test cleanup. Harlan Stenn. +* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn. +* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn. +* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn. +* Quiet a warning from clang. Harlan Stenn. +* Update the NEWS file. Harlan Stenn. +* Update scripts/calc_tickadj/Makefile.am. Harlan Stenn. + --- -(4.2.8p4-RC1) 2015/10/06 Released by Harlan Stenn +* [Sec 2899] CVE-2014-9297 perlinger@ntp.org +* [Sec 2901] Drop invalid packet before checking KoD. Check for all KoD's. + Danny Mayer. Log incoming packets that fail TEST2. Harlan Stenn. +* [Sec 2902] configuration directives "pidfile" and "driftfile" + should be local-only. perlinger@ntp.org (patch by Miroslav Lichvar) +* [Sec 2909] added missing call to 'free()' in ntp_crypto.c. perlinger@ntp.org +* [Sec 2913] TALOS-CAN-0052: crash by loop counter underrun. perlinger@ntp.org +* [Sec 2916] TALOS-CAN-0054: memory corruption in password store. JPerlinger +* [Sec 2917] TALOS-CAN-0055: Infinite loop if extended logging enabled and + the logfile and keyfile are the same. perlinger@ntp.org +* [Sec 1918] TALOS-CAN-0062: prevent directory traversal for VMS, too, when + using 'saveconfig' command. perlinger@ntp.org +* [Bug 2919] TALOS-CAN-0063: avoid buffer overrun in ntpq. perlinger@ntp.org +* [Sec 2020] TALOS-CAN-0064: signed/unsiged clash could lead to buffer overun + and memory corruption. perlinger@ntp.org +* [Sec 2921] TALOS-CAN-0065: password length memory corruption. JPerlinger. +* [Sec 2922] decodenetnum() will ASSERT botch instead of returning FAIL + on some bogus values. Harlan Stenn. +* [Sec 2941] NAK to the Future: Symmetric association authentication + bypass via crypto-NAK. Patch applied. perlinger@ntp.org * [Bug 2332] (reopened) Exercise thread cancellation once before dropping privileges and limiting resources in NTPD removes the need to link forcefully against 'libgcc_s' which does not always work. J.Perlinger diff --cc ntpdc/ntpdc.c index bef9ca365,797eacda4..8a79d0b50 --- a/ntpdc/ntpdc.c +++ b/ntpdc/ntpdc.c @@@ -628,9 -631,11 +633,10 @@@ getresponse tvo = tvout; else tvo = tvsout; + tospan = (uint32_t)tvo.tv_sec + (tvo.tv_usec != 0); FD_SET(sockfd, &fds); - n = select(sockfd+1, &fds, (fd_set *)0, (fd_set *)0, &tvo); - + n = select(sockfd+1, &fds, NULL, NULL, &tvo); if (n == -1) { warning("select fails"); return -1; @@@ -780,10 -795,12 +797,12 @@@ } /* - * So far, so good. Copy this data into the output array. + * So far, so good. Copy this data into the output array. Bump + * the timeout base, in case we expect more data. */ + tobase = (uint32_t)time(NULL); if ((datap + datasize + (pad * items)) > (pktdata + pktdatasize)) { - int offset = datap - pktdata; + size_t offset = datap - pktdata; growpktdata(); *rdata = pktdata; /* might have been realloced ! */ datap = pktdata + offset; diff --cc ntpq/ntpq.c index 5ee0bfd5b,6fa6a5c0a..e51a9daf6 --- a/ntpq/ntpq.c +++ b/ntpq/ntpq.c @@@ -872,9 -875,11 +878,10 @@@ getresponse tvo = tvout; else tvo = tvsout; + tospan = (uint32_t)tvo.tv_sec + (tvo.tv_usec != 0); FD_SET(sockfd, &fds); - n = select(sockfd + 1, &fds, NULL, NULL, &tvo); - + n = select(sockfd+1, &fds, NULL, NULL, &tvo); if (n == -1) { warning("select fails"); return -1;