diff -U0 ntp-4.2.6p5/ChangeLog.cve-2015-8158 ntp-4.2.6p5/ChangeLog
diff -up ntp-4.2.6p5/ntpdc/ntpdc.c.cve-2015-8158 ntp-4.2.6p5/ntpdc/ntpdc.c
--- ntp-4.2.6p5/ntpdc/ntpdc.c.cve-2015-8158 2016-01-20 14:06:21.035659659 +0100
+++ ntp-4.2.6p5/ntpdc/ntpdc.c 2016-01-20 14:25:39.734622168 +0100
@@ -657,6 +657,10 @@ getresponse(
fd_set fds;
int n;
int pad;
+ /* absolute timeout checks. Not 'time_t' by intention! */
+ uint32_t tobase; /* base value for timeout */
+ uint32_t tospan; /* timeout span (max delay) */
+ uint32_t todiff; /* current delay */
/*
* This is pretty tricky. We may get between 1 and many packets
@@ -673,12 +677,14 @@ getresponse(
lastseq = 999; /* too big to be a sequence number */
memset(haveseq, 0, sizeof(haveseq));
FD_ZERO(&fds);
+ tobase = (uint32_t)time(NULL);
again:
if (firstpkt)
tvo = tvout;
else
tvo = tvsout;
+ tospan = (uint32_t)tvo.tv_sec + (tvo.tv_usec != 0);
FD_SET(sockfd, &fds);
n = select(sockfd+1, &fds, (fd_set *)0, (fd_set *)0, &tvo);
@@ -687,6 +693,17 @@ getresponse(
warning("select fails", "", "");
return -1;
}
+
+ /*
+ * Check if this is already too late. Trash the data and fake a
+ * timeout if this is so.
+ */
+ todiff = (((uint32_t)time(NULL)) - tobase) & 0x7FFFFFFFu;
+ if ((n > 0) && (todiff > tospan)) {
+ n = recv(sockfd, (char *)&rpkt, sizeof(rpkt), 0);
+ n = 0; /* faked timeout return from 'select()'*/
+ }
+
if (n == 0) {
/*
* Timed out. Return what we have
@@ -831,8 +848,10 @@ getresponse(
}
/*
- * So far, so good. Copy this data into the output array.
+ * So far, so good. Copy this data into the output array. Bump
+ * the timeout base, in case we expect more data.
*/
+ tobase = (uint32_t)time(NULL);
if ((datap + datasize + (pad * items)) > (pktdata + pktdatasize)) {
int offset = datap - pktdata;
growpktdata();
diff -up ntp-4.2.6p5/ntpq/ntpq.c.cve-2015-8158 ntp-4.2.6p5/ntpq/ntpq.c
--- ntp-4.2.6p5/ntpq/ntpq.c.cve-2015-8158 2016-01-20 14:06:21.493660755 +0100
+++ ntp-4.2.6p5/ntpq/ntpq.c 2016-01-20 14:13:56.132819820 +0100
@@ -836,6 +836,10 @@ getresponse(
int len;
int first;
char *data;
+ /* absolute timeout checks. Not 'time_t' by intention! */
+ uint32_t tobase; /* base value for timeout */
+ uint32_t tospan; /* timeout span (max delay) */
+ uint32_t todiff; /* current delay */
/*
* This is pretty tricky. We may get between 1 and MAXFRAG packets
@@ -852,6 +856,8 @@ getresponse(
numfrags = 0;
seenlastfrag = 0;
+ tobase = (uint32_t)time(NULL);
+
FD_ZERO(&fds);
/*
@@ -864,7 +870,8 @@ getresponse(
tvo = tvout;
else
tvo = tvsout;
-
+ tospan = (uint32_t)tvo.tv_sec + (tvo.tv_usec != 0);
+
FD_SET(sockfd, &fds);
n = select(sockfd + 1, &fds, NULL, NULL, &tvo);
@@ -872,6 +879,17 @@ getresponse(
warning("select fails", "", "");
return -1;
}
+
+ /*
+ * Check if this is already too late. Trash the data and
+ * fake a timeout if this is so.
+ */
+ todiff = (((uint32_t)time(NULL)) - tobase) & 0x7FFFFFFFu;
+ if ((n > 0) && (todiff > tospan)) {
+ n = recv(sockfd, (char *)&rpkt, sizeof(rpkt), 0);
+ n = 0; /* faked timeout return from 'select()'*/
+ }
+
if (n == 0) {
/*
* Timed out. Return what we have
@@ -1166,10 +1184,13 @@ getresponse(
}
/*
- * Copy the data into the data buffer.
+ * Copy the data into the data buffer, and bump the
+ * timout base in case we need more.
*/
memcpy((char *)pktdata + offset, rpkt.data, count);
+ tobase = (uint32_t)time(NULL);
+
/*
* If we've seen the last fragment, look for holes in the sequence.
* If there aren't any, we're done.