Fix ntp multiple vulnerabilities.

Approved by: so
author: delphij <delphij@FreeBSD.org> 2016-04-29 08:02:31 +0000
committer: delphij <delphij@FreeBSD.org> 2016-04-29 08:02:31 +0000
commit: 39baf3a8165fd1fa06257b6812862e7113c5b905 (patch)
tree: 70bef1566f92531ce181ed768429104db003a1fa /contrib/ntp/ntpdate/ntpdate.c
parent: b62280e683e2d7abd347a4549c51e086b1b8911a (diff)
download: FreeBSD-src-39baf3a8165fd1fa06257b6812862e7113c5b905.zip
FreeBSD-src-39baf3a8165fd1fa06257b6812862e7113c5b905.tar.gz
1 files changed, 9 insertions, 5 deletions
diff --git a/contrib/ntp/ntpdate/ntpdate.c b/contrib/ntp/ntpdate/ntpdate.c
index a427160..be39cb0 100644
--- a/contrib/ntp/ntpdate/ntpdate.c
+++ b/contrib/ntp/ntpdate/ntpdate.c
@@ -1247,7 +1247,6 @@ static int
 clock_adjust(void)
 {
 	register struct server *sp, *server;
-	s_fp absoffset;
 	int dostep;
 
 	for (sp = sys_servers; sp != NULL; sp = sp->next_server)
@@ -1270,10 +1269,15 @@ clock_adjust(void)
 	} else if (never_step) {
 		dostep = 0;
 	} else {
-		absoffset = server->soffset;
-		if (absoffset < 0)
-			absoffset = -absoffset;
-		dostep = (absoffset >= NTPDATE_THRESHOLD || absoffset < 0);
+		/* [Bug 3023] get absolute difference, avoiding signed
+		 * integer overflow like hell.
+		 */
+		u_fp absoffset;
+		if (server->soffset < 0)
+			absoffset = 1u + (u_fp)(-(server->soffset + 1));
+		else
+			absoffset = (u_fp)server->soffset;
+		dostep = (absoffset >= NTPDATE_THRESHOLD);
 	}
 
 	if (dostep) {
author	delphij <delphij@FreeBSD.org>	2016-04-29 08:02:31 +0000
committer	delphij <delphij@FreeBSD.org>	2016-04-29 08:02:31 +0000
commit	39baf3a8165fd1fa06257b6812862e7113c5b905 (patch)
tree	70bef1566f92531ce181ed768429104db003a1fa /contrib/ntp/ntpdate/ntpdate.c
parent	b62280e683e2d7abd347a4549c51e086b1b8911a (diff)
download	FreeBSD-src-39baf3a8165fd1fa06257b6812862e7113c5b905.zip FreeBSD-src-39baf3a8165fd1fa06257b6812862e7113c5b905.tar.gz