[stalk:00301] Re: ntpd =< 4.0.99k remote buffer overflow
- To: security-talk@xxxxxxxxxxxxxxxxxxxx
- Subject: [stalk:00301] Re: ntpd =< 4.0.99k remote buffer overflow
- From: KOJIMA Hajime / 小島肇 <kjm@xxxxxxxxxxxxxxxxxx>
- Date: Fri, 13 Apr 2001 11:03:20 +0900
<200104130134.AA00126@xxxxxxxxxxxxxxxxxxxxx>において
Seiichi Nakashima さんがおっしゃるには:
| William D. Colburn (aka Schlake) さんは書きました:
| >The package is newer as of today. David Mills has no idea how to make a
| >new version number, so he just replaced it and kept the same version number.
| >The package is definitely different.
|
| ということで、ntp-4.0.99k23は同じFile名でUpdateされています(要確認)。
| ntp-4.0.99k23.tar.gz 11-Apr-2001 12:40 1.9M
diff とってみました。14k 程度。
diff -ur ntp-4.0.99k23.old/include/ntpd.h ntp-4.0.99k23/include/ntpd.h
--- ntp-4.0.99k23.old/include/ntpd.h Fri Mar 30 13:39:17 2001
+++ ntp-4.0.99k23/include/ntpd.h Wed Apr 11 06:08:41 2001
@@ -286,11 +286,13 @@
extern int allow_step; /* allow step correction */
extern int allow_panic; /* allow panic correction */
extern int mode_ntpdate; /* exit on first clock set */
+extern int peer_ntpdate; /* count of ntpdate peers */
/*
* Clock state machine variables
*/
-extern u_char sys_poll; /* log2 of system poll interval */
+extern u_char sys_poll; /* system poll interval (log2 s) */
+extern u_char sys_minpoll; /* min system poll interval (log2 s) */
extern int state; /* clock discipline state */
extern int tc_counter; /* poll-adjust counter */
extern u_long last_time; /* time of last clock update (s) */
diff -ur ntp-4.0.99k23.old/ntpd/ntp_config.c ntp-4.0.99k23/ntpd/ntp_config.c
--- ntp-4.0.99k23.old/ntpd/ntp_config.c Mon Mar 26 11:58:55 2001
+++ ntp-4.0.99k23/ntpd/ntp_config.c Tue Apr 10 00:09:06 2001
@@ -2037,7 +2037,7 @@
}
#endif
- (void)fprintf(res_fp, "%s %d %d %d %d %d %d %08x %s\n", name,
+ (void)fprintf(res_fp, "%s %d %d %d %d %d %d %d %s\n", name,
mode, version, minpoll, maxpoll, flags, ttl, keyid, keystr);
#ifdef DEBUG
if (debug > 1)
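Review bot: The `%d` now used for `keyid` in this `fprintf` is a signed conversion, and the declaration of `keyid` is outside the hunk; if it has the unsigned `keyid_t` type that appears elsewhere in this patch, IDs above INT_MAX would be written as negative numbers. An unsigned conversion with an explicit cast, e.g. `%lu` with `(u_long)keyid`, would keep the format and the argument in step. The code that reads this file back is not part of the diff, so it is worth confirming that it parses the field as decimal rather than the previous hex.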
diff -ur ntp-4.0.99k23.old/ntpd/ntp_control.c ntp-4.0.99k23/ntpd/ntp_control.c
--- ntp-4.0.99k23.old/ntpd/ntp_control.c Fri Apr 6 06:43:30 2001
+++ ntp-4.0.99k23/ntpd/ntp_control.c Tue Apr 10 05:19:56 2001
@@ -1868,9 +1868,11 @@
}
if (cp < reqend)
cp++;
- *tp = '\0';
- while (isspace((int)(*(tp-1))))
- *(--tp) = '\0';
+ while (tp > buf) {
+ *tp-- = '\0';
+ if (!isspace((int)(*tp)))
+ break;
+ }
reqpt = cp;
*data = buf;
return (v);
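Review bot: An empty value is no longer NUL-terminated: when `tp == buf` the new `while (tp > buf)` loop never runs, so `*data = buf` hands the caller whatever the buffer held before, in what appears to be the parser for request data (`reqend`, `reqpt`). The loop also stops at `buf[0]` without testing it, so an all-whitespace value comes back as a single space, and `isspace((int)(*tp))` is undefined for bytes above 0x7f where `char` is signed. Terminating first and trimming with a bounded look-behind covers all three: `*tp = '\0';` followed by `while (tp > buf && isspace((unsigned char)tp[-1])) *--tp = '\0';`. The function starts above the hunk, so whether `tp` can already sit at the end of `buf` when this code runs depends on the copy loop that is not shown.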
diff -ur ntp-4.0.99k23.old/ntpd/ntp_crypto.c ntp-4.0.99k23/ntpd/ntp_crypto.c
--- ntp-4.0.99k23.old/ntpd/ntp_crypto.c Sat Mar 31 05:18:53 2001
+++ ntp-4.0.99k23/ntpd/ntp_crypto.c Tue Apr 10 06:24:32 2001
@@ -881,6 +881,7 @@
break;
}
peer->flash &= ~TEST10;
+ peer->flags &= ~FLAG_AUTOKEY;
peer->assoc = ntohl(pkt[i + 1]);
peer->pcookie.tstamp = tstamp;
if (temp != peer->pcookie.key) {
diff -ur ntp-4.0.99k23.old/ntpd/ntp_loopfilter.c ntp-4.0.99k23/ntpd/ntp_loopfilter.c
--- ntp-4.0.99k23.old/ntpd/ntp_loopfilter.c Sat Mar 31 11:20:59 2001
+++ ntp-4.0.99k23/ntpd/ntp_loopfilter.c Wed Apr 11 06:23:46 2001
@@ -124,7 +124,8 @@
/*
* Clock state machine variables
*/
-u_char sys_poll; /* log2 of system poll interval */
+u_char sys_poll = NTP_MINPOLL; /* system poll interval (log2 s) */
+u_char sys_minpoll = NTP_MINPOLL; /* min system poll interval (log2 s) */
int state; /* clock discipline state */
int tc_counter; /* poll-adjust counter */
u_long last_time; /* time of last clock update (s) */
@@ -210,13 +211,13 @@
NLOG(NLOG_SYNCEVENT|NLOG_SYSEVENT)
msyslog(LOG_NOTICE, "time reset %.6f s",
fp_offset);
- printf("ntpd: time reset %.6f s\n", fp_offset);
+ printf("ntpd: time reset %.6fs\n", fp_offset);
} else {
adj_systime(fp_offset);
NLOG(NLOG_SYNCEVENT|NLOG_SYSEVENT)
msyslog(LOG_NOTICE, "time slew %.6f s",
fp_offset);
- printf("ntpd: time slew %.6f s\n", fp_offset);
+ printf("ntpd: time slew %.6fs\n", fp_offset);
}
record_loop_stats();
exit(0);
@@ -697,7 +698,7 @@
* measurements.
*/
case S_FREQ:
- sys_poll = NTP_MINDPOLL;
+ sys_poll = sys_minpoll;
allan_xpt = CLOCK_ALLAN;
last_time = current_time;
break;
@@ -706,7 +707,7 @@
* Synchronized mode. Discipline the poll interval.
*/
case S_SYNC:
- sys_poll = NTP_MINDPOLL;
+ sys_poll = sys_minpoll;
allan_xpt = CLOCK_ALLAN;
tc_counter = 0;
break;
@@ -723,7 +724,7 @@
* the time reference for future frequency updates.
*/
default:
- sys_poll = NTP_MINDPOLL;
+ sys_poll = sys_minpoll;
allan_xpt = CLOCK_ALLAN;
last_time = current_time;
last_offset = clock_offset = 0;
@@ -819,12 +820,22 @@
drift_comp = -NTP_MAXFREQ;
#ifdef KERNEL_PLL
+ /*
+ * Sanity check. If the kernel is enabled, load the
+ * frequency and light up the loop. If not, set the
+ * kernel frequency to zero and leave the loop dark. In
+ * either case set the time to zero to cancel any
+ * previous nonsense.
+ */
if (pll_control) {
memset((char *)&ntv, 0, sizeof ntv);
- ntv.modes = MOD_FREQUENCY;
- if (kern_enable)
+ ntv.modes = MOD_OFFSET | MOD_FREQUENCY;
+ if (kern_enable) {
+ ntv.modes |= MOD_STATUS;
+ ntv.status = STA_PLL;
ntv.freq = (int32)(drift_comp *
65536e6);
+ }
(void)ntp_adjtime(&ntv);
}
break;
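Review bot: The result of `ntp_adjtime(&ntv)` is still discarded with a `(void)` cast, so if the call fails the kernel keeps its old offset, frequency and status while the new comment says they were reset. Since the block now also writes `MOD_OFFSET` and, when `kern_enable` is set, `MOD_STATUS`, a failure is worth logging, e.g. `if (ntp_adjtime(&ntv) < 0) msyslog(LOG_ERR, "ntp_adjtime: %m");`. The enclosing `case` begins outside the hunk.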
diff -ur ntp-4.0.99k23.old/ntpd/ntp_peer.c ntp-4.0.99k23/ntpd/ntp_peer.c
--- ntp-4.0.99k23.old/ntpd/ntp_peer.c Sat Mar 31 07:12:59 2001
+++ ntp-4.0.99k23/ntpd/ntp_peer.c Wed Apr 11 06:21:15 2001
@@ -484,6 +484,8 @@
*/
peer = newpeer(srcadr, dstadr, hmode, version, minpoll, maxpoll,
flags | FLAG_CONFIG, cast_flags, ttl, key);
+ if (peer->minpoll > sys_minpoll)
+ sys_minpoll = peer->minpoll;
return (peer);
}
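Review bot: `sys_minpoll` is only ever raised here, so it ends up as the largest `minpoll` among configured peers, and nothing visible in the patch lowers it again when such a peer is removed. A single peer configured with a large `minpoll` therefore sets the value that every `sys_poll = sys_minpoll` reset in this patch falls back to. If that is the intent, a comment such as `/* system floor is the largest configured minpoll; never lowered */` would say so, and the `/* min system poll interval (log2 s) */` wording on the declaration could be adjusted to match. `peer` is also dereferenced without a check, which is fine only if `newpeer()` cannot return NULL; its body is not in the diff.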
@@ -547,6 +549,8 @@
peer->keyid = key;
peer->precision = sys_precision;
peer_clear(peer);
+ if (mode_ntpdate)
+ peer_ntpdate++;
/*
* Assign an association ID and increment the system variable.
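Review bot: `peer_ntpdate` is incremented once per peer here, but the ntp_proto.c hunk decrements it each time the `mode_ntpdate` branch after `clock_select()` runs, and nothing visible ties that decrement to a peer that has not already been counted down. If one peer can reach that branch more than once, or a peer is removed before it does, the counter no longer matches the number of outstanding peers and the "no reply; clock not set" path fires early or never. A comment at both sites stating the invariant, plus a guard such as `if (peer_ntpdate > 0) peer_ntpdate--;`, would make the accounting checkable. Both functions extend beyond their hunks, so the surrounding conditions may already rule this out.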
diff -ur ntp-4.0.99k23.old/ntpd/ntp_proto.c ntp-4.0.99k23/ntpd/ntp_proto.c
--- ntp-4.0.99k23.old/ntpd/ntp_proto.c Fri Apr 6 08:39:07 2001
+++ ntp-4.0.99k23/ntpd/ntp_proto.c Wed Apr 11 11:20:38 2001
@@ -54,6 +54,8 @@
keyid_t sys_private; /* private value for session seed */
int sys_manycastserver; /* respond to manycast client pkts */
u_int sys_survivors; /* truest of the truechimers */
+int mode_ntpdate; /* simulate ntpdate */
+int peer_ntpdate; /* active peers in ntpdate mode */
#ifdef AUTOKEY
char *sys_hostname; /* gethostname() name */
#endif /* AUTOKEY */
@@ -198,13 +200,12 @@
clock_filter(peer, 0., 0., MAXDISPERSE);
clock_select();
}
- if (peer->unreach == NTP_UNREACH &&
- ((peer->stratum > 1 && peer->refid ==
+ if ((peer->stratum > 1 && peer->refid ==
peer->dstadr->sin.sin_addr.s_addr) ||
- peer->stratum >= STRATUM_UNSPEC ||
- (root_distance(peer) >= MAXDISTANCE + 2 *
- clock_phi * ULOGTOD(sys_poll))))
+ peer->stratum >= STRATUM_UNSPEC)
hpoll++;
+ else
+ hpoll = sys_poll;
if (peer->flags & FLAG_BURST)
peer->burst = NTP_SHIFT;
}
@@ -226,7 +227,16 @@
}
poll_update(peer, hpoll);
clock_select();
+
+ /*
+ * If ntpdate mode and the clock has not been
+ * set and all peers have completed the burst,
+ * we declare a successful failure.
+ */
if (mode_ntpdate) {
+ peer_ntpdate--;
+ if (peer_ntpdate > 0)
+ return;
NLOG(NLOG_SYNCEVENT|NLOG_SYSEVENT)
msyslog(LOG_NOTICE,
"no reply; clock not set");
@@ -1058,19 +1068,12 @@
NLOG(NLOG_SYNCSTATUS)
msyslog(LOG_INFO, "synchronisation lost");
sys_peer = NULL;
- sys_poll = NTP_MINDPOLL;
+ sys_poll = sys_minpoll;
sys_stratum = STRATUM_UNSPEC;
report_event(EVNT_CLOCKRESET, (struct peer *)0);
break;
/*
- * Clock was set; emulating ntpdate
- */
- case 2:
- exit(0);
- /*NOTREACHED*/;
-
- /*
* Update the system stratum, leap bits, root delay, root
* dispersion, reference ID and reference time. We also update
* select dispersion and max frequency error. If the leap
@@ -1106,39 +1109,27 @@
int hpoll
)
{
- int xpoll;
#ifdef AUTOKEY
int oldpoll;
#endif /* AUTOKEY */
-#ifdef AUTOKEY
- oldpoll = peer->kpoll;
-#endif /* AUTOKEY */
-
/*
* A little foxtrot to determine what controls the poll
- * interval. If the peer is reachable, but but the last four
- * polls have not been answered, use the minimum. If declared
+ * interval. If the peer is reachable, but the last four polls
+ * have not been answered, use the minimum. If declared
* truechimer, use the system poll interval. This allows each
* association to ramp up the poll interval for useless sources
* and to clamp it to the minimum when first starting up.
*/
- xpoll = hpoll;
- if (peer->reach) {
- if (!(peer->reach & 0x0f))
- xpoll = peer->minpoll;
- else if (peer->flags & FLAG_SYSPEER)
- xpoll = sys_poll;
-#ifdef PUBKEY
- } else if (peer->crypto && !(peer->flags & FLAG_AUTOKEY)) {
- xpoll = peer->minpoll;
-#endif /* PUBKEY */
- }
- if (xpoll > peer->maxpoll)
- xpoll = peer->maxpoll;
- else if (xpoll < peer->minpoll)
- xpoll = peer->minpoll;
- peer->hpoll = xpoll;
+#ifdef AUTOKEY
+ oldpoll = peer->kpoll;
+#endif /* AUTOKEY */
+ if (hpoll > peer->maxpoll)
+ peer->hpoll = peer->maxpoll;
+ else if (hpoll < peer->minpoll)
+ peer->hpoll = peer->minpoll;
+ else
+ peer->hpoll = hpoll;
/*
* Bit of adventure here. If during a burst and not timeout,
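Review bot: The block comment kept above the new clamp still describes the removed logic: it talks about falling back to the minimum when the last four polls went unanswered and using the system poll interval for a truechimer, but the code now only bounds `hpoll` by `peer->minpoll` and `peer->maxpoll`. A reader will look for reachability handling that is no longer there. Replacing it with something like `/* Clamp the requested poll interval to [peer->minpoll, peer->maxpoll]. */` would match what the function does. The function body continues past the hunk.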
@@ -1158,7 +1149,7 @@
if (peer->burst > 0) {
if (peer->nextdate != current_time)
return;
- if (peer->flags & FLAG_REFCLOCK)
+ else if (peer->flags & FLAG_REFCLOCK)
peer->nextdate++;
else if (peer->reach & 0x1)
peer->nextdate += RANDPOLL(BURST_INTERVAL2);
@@ -1206,6 +1197,7 @@
)
{
register int i;
+ u_long u_rand;
/*
* If cryptographic credentials have been acquired, toss them to
@@ -1241,11 +1233,11 @@
* clock_select(), since the perp has already been voted off
* the island at this point.
*/
- peer->flags &= ~(FLAG_AUTOKEY | FLAG_ASSOC);
if (peer->cast_flags & MDF_BCLNT) {
peer->flags |= FLAG_MCAST;
peer->hmode = MODE_CLIENT;
}
+ peer->flags &= ~(FLAG_AUTOKEY | FLAG_ASSOC);
peer->estbdelay = sys_bdelay;
peer->hpoll = peer->kpoll = peer->minpoll;
peer->ppoll = peer->maxpoll;
@@ -1259,9 +1251,14 @@
peer->filter_disp[i] = MAXDISPERSE;
peer->filter_epoch[i] = current_time;
}
+
+ /*
+ * Randomize the first poll over 1-16s to avoid bunching.
+ */
peer->update = peer->outdate = current_time;
- peer->nextdate = peer->outdate + (RANDOM & (1 <<
- BURST_INTERVAL1));
+ u_rand = RANDOM;
+ peer->nextdate = current_time + (u_rand & ((1 <<
+ BURST_INTERVAL1) - 1)) + 1;
}
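Review bot: The new comment hard-codes "1-16s", which is true only while `BURST_INTERVAL1` is 4, and the constant's value is not visible in the diff. Wording the comment in terms of the constant, e.g. `/* Randomize the first poll over 1..(1 << BURST_INTERVAL1) s to avoid bunching. */`, keeps it correct if the interval is retuned. The function starts outside the hunk.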
@@ -1277,7 +1274,7 @@
double sample_disp
)
{
- register int i, j, k, n;
+ register int i, j, k, m, n;
register u_char *ord;
double off, dly, dsp, jit, dtemp, etemp;
@@ -1350,6 +1347,7 @@
off = dly = jit = dtemp = 0;
peer->disp = 0;
k = ord[0];
+ m = 0;
for (i = NTP_SHIFT - 1; i >= 0; i--) {
double xtemp, ytemp;
@@ -1360,6 +1358,7 @@
peer->filter_disp[j];
if (i >= n || etemp >= MAXDISTANCE)
continue;
+ m++;
xtemp = 2 * fabs(peer->filter_offset[j] -
peer->filter_offset[k]);
ytemp = max(peer->filter_delay[j] -
@@ -1372,8 +1371,8 @@
peer->filter_offset[k]);
#ifdef DEBUG
if (debug > 1)
- printf("xxx %.6f %.6f %.6f\n", xtemp, ytemp,
- etemp);
+ printf("clock_filter: %d %.6f %.6f %.6f\n",
+ j, xtemp, ytemp, etemp);
#endif
}
@@ -1383,14 +1382,14 @@
* normalize the offset, delay and jitter averages. Note the
* jitter must not be less than the system precision.
*/
- if (n == 0)
+ if (m == 0)
return;
peer->epoch = current_time;
etemp = peer->offset;
peer->offset = off / dtemp;
peer->delay = dly / dtemp;
- if (n > 1)
- jit /= n - 1;
+ if (m > 1)
+ jit /= m - 1;
peer->jitter = max(jit, SQUARE(LOGTOD(sys_precision)));
/*
@@ -1412,13 +1411,13 @@
* the last update is less than twice the system poll interval,
* consider the update a popcorn spike and ignore it.
*/
- if (fabs(peer->offset - etemp) > SQRT(peer->jitter) *
+ if (m > 1 && fabs(peer->offset - etemp) > SQRT(peer->jitter) *
CLOCK_SGATE && peer->filter_epoch[k] - peer->epoch <
(1 << (sys_poll + 1))) {
#ifdef DEBUG
if (debug)
- printf("clock_filter: popcorn spike %.6f jitter %.6f\n",
- peer->offset, SQRT(peer->jitter));
+ printf("clock_filter: samples %d popcorn spike %.6f jitter %.6f\n",
+ m, peer->offset, SQRT(peer->jitter));
#endif
return;
}
@@ -1646,7 +1645,7 @@
nlist = 1;
} else {
if (osys_peer != NULL) {
- sys_poll = NTP_MINDPOLL;
+ sys_poll = sys_minpoll;
report_event(EVNT_PEERSTCHG,
(struct peer *)0);
NLOG(NLOG_SYNCSTATUS)
diff -ur ntp-4.0.99k23.old/ntpd/refclock_atom.c ntp-4.0.99k23/ntpd/refclock_atom.c
--- ntp-4.0.99k23.old/ntpd/refclock_atom.c Mon Mar 26 12:42:39 2001
+++ ntp-4.0.99k23/ntpd/refclock_atom.c Tue Apr 10 11:48:35 2001
@@ -40,7 +40,7 @@
* pin 8 (DCD) of a serial port. This requires a level converter and
* may require a one-shot flipflop to lengthen the pulse. The other is
* to connect the PPS signal directly to pin 10 (ACK) of a PC paralell
- * port.
+ * port. These methods are architecture dependent.
*
* Both methods require a modified device driver and kernel interface
* compatible with the Pulse-per-Second API for Unix-like Operating
@@ -59,11 +59,17 @@
* device(s) must be placed before the PPS driver(s) in the
* configuration file.
*
+ * This driver normally uses the PLL/FLL clock discipline implemented in
+ * the ntpd code. If kernel support is available, the kernel PLL/FLL
+ * clock discipline is used instead. The default configuration is not to
+ * use the kernel PPS discipline, if present. The kernel PPS discipline
+ * can be enabled using the pps command.
+ *
* Fudge Factors
*
* There are no special fudge factors other than the generic. The fudge
* time1 parameter can be used to compensate for miscellaneous device
- * driver and OS delays.
+ * driver and OS delays.
*/
/*
* Interface definitions
@@ -188,7 +194,7 @@
"refclock_atom: time_pps_create failed: %m");
return (0);
}
- return(atom_ppsapi(peer, pps_assert, pps_hardpps));
+ return (atom_ppsapi(peer, pps_assert, pps_hardpps));
#else /* HAVE_PPSAPI */
return (1);
#endif /* HAVE_PPSAPI */
@@ -394,7 +400,7 @@
peer = pps_peer;
if (peer == 0) /* nobody home */
- return 1;
+ return (1);
pp = peer->procptr;
/*
----
// 木下是雄「理科系の作文技術」中公新書 624 を読もう!!
小島 肇 - KOJIMA Hajime
[Office] kjm@xxxxxxxxxxxxxxxxxx, http://www.st.ryukoku.ac.jp/~kjm/
Phone: 077-543-7414 Fax: 077-543-0706
--
- このメイリングリストに関する質問・問い合せ等は
- <security-talk@xxxxxxxxxx>までお知らせください
--