diff options
author | delphij <delphij@FreeBSD.org> | 2016-01-22 07:32:39 +0000 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2016-01-22 07:32:39 +0000 |
commit | 51765b7c6f50b7a90576344f7623019de4f88d5d (patch) | |
tree | 99811aace67dff7ddd2c157e5659a28d88a3405b /contrib/ntp/ntpdc/ntpdc.c | |
parent | 3e83d3a20344f0535767a5d9cb110d3e9571c049 (diff) | |
parent | a835b8ff526b5ef2c37fdb4f48180c215f58bb53 (diff) | |
download | FreeBSD-src-51765b7c6f50b7a90576344f7623019de4f88d5d.zip FreeBSD-src-51765b7c6f50b7a90576344f7623019de4f88d5d.tar.gz |
MFV r294491: ntp 4.2.8p6.
Security: CVE-2015-7973, CVE-2015-7974, CVE-2015-7975
Security: CVE-2015-7976, CVE-2015-7977, CVE-2015-7978
Security: CVE-2015-7979, CVE-2015-8138, CVE-2015-8139
Security: CVE-2015-8140, CVE-2015-8158
With hat: so
Diffstat (limited to 'contrib/ntp/ntpdc/ntpdc.c')
-rw-r--r-- | contrib/ntp/ntpdc/ntpdc.c | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/contrib/ntp/ntpdc/ntpdc.c b/contrib/ntp/ntpdc/ntpdc.c index bef9ca3..8a79d0b 100644 --- a/contrib/ntp/ntpdc/ntpdc.c +++ b/contrib/ntp/ntpdc/ntpdc.c @@ -605,7 +605,11 @@ getresponse( int seq; fd_set fds; ssize_t n; - size_t pad; + int pad; + /* absolute timeout checks. Not 'time_t' by intention! */ + uint32_t tobase; /* base value for timeout */ + uint32_t tospan; /* timeout span (max delay) */ + uint32_t todiff; /* current delay */ /* * This is pretty tricky. We may get between 1 and many packets @@ -622,12 +626,14 @@ getresponse( lastseq = 999; /* too big to be a sequence number */ ZERO(haveseq); FD_ZERO(&fds); + tobase = (uint32_t)time(NULL); again: if (firstpkt) tvo = tvout; else tvo = tvsout; + tospan = (uint32_t)tvo.tv_sec + (tvo.tv_usec != 0); FD_SET(sockfd, &fds); n = select(sockfd+1, &fds, NULL, NULL, &tvo); @@ -635,6 +641,17 @@ getresponse( warning("select fails"); return -1; } + + /* + * Check if this is already too late. Trash the data and fake a + * timeout if this is so. + */ + todiff = (((uint32_t)time(NULL)) - tobase) & 0x7FFFFFFFu; + if ((n > 0) && (todiff > tospan)) { + n = recv(sockfd, (char *)&rpkt, sizeof(rpkt), 0); + n = 0; /* faked timeout return from 'select()'*/ + } + if (n == 0) { /* * Timed out. Return what we have @@ -780,8 +797,10 @@ getresponse( } /* - * So far, so good. Copy this data into the output array. + * So far, so good. Copy this data into the output array. Bump + * the timeout base, in case we expect more data. */ + tobase = (uint32_t)time(NULL); if ((datap + datasize + (pad * items)) > (pktdata + pktdatasize)) { size_t offset = datap - pktdata; growpktdata(); |