diff -U0 ntp-4.2.6p5/ChangeLog.cve-2015-8158 ntp-4.2.6p5/ChangeLog
diff -up ntp-4.2.6p5/ntpdc/ntpdc.c.cve-2015-8158 ntp-4.2.6p5/ntpdc/ntpdc.c
--- ntp-4.2.6p5/ntpdc/ntpdc.c.cve-2015-8158 2016-01-20 14:06:21.035659659 +0100
+++ ntp-4.2.6p5/ntpdc/ntpdc.c 2016-01-20 14:25:39.734622168 +0100
@@ -657,6 +657,10 @@ getresponse(
 fd_set fds;
 int n;
 int pad;
+ /* absolute timeout checks. Not 'time_t' by intention! */
+ uint32_t tobase; /* base value for timeout */
+ uint32_t tospan; /* timeout span (max delay) */
+ uint32_t todiff; /* current delay */
 /*
 * This is pretty tricky. We may get between 1 and many packets
@@ -673,12 +677,14 @@ getresponse(
 lastseq = 999; /* too big to be a sequence number */
 memset(haveseq, 0, sizeof(haveseq));
 FD_ZERO(&fds);
+ tobase = (uint32_t)time(NULL);
 again:
 if (firstpkt)
 tvo = tvout;
 else
 tvo = tvsout;
+ tospan = (uint32_t)tvo.tv_sec + (tvo.tv_usec != 0);
 FD_SET(sockfd, &fds);
 n = select(sockfd+1, &fds, (fd_set *)0, (fd_set *)0, &tvo);
@@ -687,6 +693,17 @@ getresponse(
 warning("select fails", "", "");
 return -1;
 }
+
+ /*
+ * Check if this is already too late. Trash the data and fake a
+ * timeout if this is so.
+ */
+ todiff = (((uint32_t)time(NULL)) - tobase) & 0x7FFFFFFFu;
+ if ((n > 0) && (todiff > tospan)) {
+ n = recv(sockfd, (char *)&rpkt, sizeof(rpkt), 0);
+ n = 0; /* faked timeout return from 'select()'*/
+ }
+
 if (n == 0) {
 /*
 * Timed out. Return what we have
@@ -831,8 +848,10 @@ getresponse(
 }
 /*
- * So far, so good. Copy this data into the output array.
+ * So far, so good. Copy this data into the output array. Bump
+ * the timeout base, in case we expect more data.
 */
+ tobase = (uint32_t)time(NULL);
 if ((datap + datasize + (pad * items)) > (pktdata + pktdatasize)) {
 int offset = datap - pktdata;
 growpktdata();
diff -up ntp-4.2.6p5/ntpq/ntpq.c.cve-2015-8158 ntp-4.2.6p5/ntpq/ntpq.c
--- ntp-4.2.6p5/ntpq/ntpq.c.cve-2015-8158 2016-01-20 14:06:21.493660755 +0100
+++ ntp-4.2.6p5/ntpq/ntpq.c 2016-01-20 14:13:56.132819820 +0100
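Review bot: The comment `Not 'time_t' by intention!` on the new declarations in ntpdc/ntpdc.c (hunk at -657) records the choice but not the reason, which invites a later cleanup back to time_t. Judging from the expression in the -687 hunk, the reason appears to be that the delay is computed by unsigned subtraction and then masked to 31 bits; a comment such as `/* uint32_t on purpose: delay is computed modulo 2^32 and masked to 31 bits */` would preserve that. The same declarations are added to ntpq/ntpq.c at -836. Whether these files already include a header that provides uint32_t is not visible in the hunks.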
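Review bot: The deadline in ntpdc/ntpdc.c is taken from the wall clock, starting at the added `tobase = (uint32_t)time(NULL);` before the `again:` label (hunk at -673), so a clock step while a reply is pending distorts `todiff`. As far as the masked subtraction in the -687 hunk shows, a step of realistic size in either direction produces a value above `tospan`, so the loop still ends, but a reply that arrived in time is read and dropped as a fake timeout. These tools query a daemon that adjusts the system clock, so the case seems plausible. A monotonic time source would avoid it where one is available in this tree; otherwise a comment like `/* wall clock: a clock step is treated as a timeout */` would document the behaviour. The ntpq/ntpq.c hunks at -852 and -872 use the same pattern, and getresponse() begins and ends outside all of these hunks.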
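Review bot: In the fake-timeout branch of ntpdc/ntpdc.c (hunk at -687) the result of recv() is stored in `n` and overwritten on the next line, so a failed recv() looks the same as a discarded packet and the intent is easy to misread. Writing `(void)recv(sockfd, (char *)&rpkt, sizeof(rpkt), 0);` followed by `n = 0;` makes it explicit that the datagram is thrown away on purpose. Only one datagram is drained per fake timeout; whether replies still queued on the socket are rejected by the sequence checks of the next request cannot be seen from this hunk. The identical two lines are added to ntpq/ntpq.c at -872.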
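Review bot: Re-arming `tobase` after each accepted packet in ntpdc/ntpdc.c (hunk at -831) makes the bound a per-packet deadline, so the total time spent in getresponse() is limited only by how many packets can reach this assignment. The checks that precede "So far, so good" lie outside the hunk; if a repeated or otherwise non-advancing packet could still get here, the sender could keep resetting the deadline, which is presumably the condition this timeout is meant to bound. It is worth confirming that every path to this line has consumed a sequence number not seen before, and stating that in the comment, e.g. `Bump the timeout base; reached at most once per new sequence number.` ntpq/ntpq.c re-arms in the same way after `memcpy` in its hunk at -1166.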
@@ -836,6 +836,10 @@ getresponse(
 int len;
 int first;
 char *data;
+ /* absolute timeout checks. Not 'time_t' by intention! */
+ uint32_t tobase; /* base value for timeout */
+ uint32_t tospan; /* timeout span (max delay) */
+ uint32_t todiff; /* current delay */
 /*
 * This is pretty tricky. We may get between 1 and MAXFRAG packets
@@ -852,6 +856,8 @@ getresponse(
 numfrags = 0;
 seenlastfrag = 0;
+ tobase = (uint32_t)time(NULL);
+
 FD_ZERO(&fds);
 /*
@@ -864,7 +870,8 @@ getresponse(
 tvo = tvout;
 else
 tvo = tvsout;
-
+ tospan = (uint32_t)tvo.tv_sec + (tvo.tv_usec != 0);
+
 FD_SET(sockfd, &fds);
 n = select(sockfd + 1, &fds, NULL, NULL, &tvo);
@@ -872,6 +879,17 @@ getresponse(
 warning("select fails", "", "");
 return -1;
 }
+
+ /*
+ * Check if this is already too late. Trash the data and
+ * fake a timeout if this is so.
+ */
+ todiff = (((uint32_t)time(NULL)) - tobase) & 0x7FFFFFFFu;
+ if ((n > 0) && (todiff > tospan)) {
+ n = recv(sockfd, (char *)&rpkt, sizeof(rpkt), 0);
+ n = 0; /* faked timeout return from 'select()'*/
+ }
+
 if (n == 0) {
 /*
 * Timed out. Return what we have
@@ -1166,10 +1184,13 @@ getresponse(
 }
 /*
- * Copy the data into the data buffer.
+ * Copy the data into the data buffer, and bump the
+ * timout base in case we need more.
 */
 memcpy((char *)pktdata + offset, rpkt.data, count);
+ tobase = (uint32_t)time(NULL);
+
 /*
 * If we've seen the last fragment, look for holes in the sequence.
 * If there aren't any, we're done.
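Review bot: The rewritten comment in the ntpq/ntpq.c hunk at -1166 misspells the word as `timout base`, which defeats a search for "timeout" when someone audits this deadline logic later. The line should read `* timeout base in case we need more.` The comment also still sits above `memcpy` while the `tobase` assignment it describes comes after the copy, so moving the second sentence down next to `tobase = (uint32_t)time(NULL);` would keep comment and code together.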