Commit Graph

59 Commits

Author SHA1 Message Date
delphij
b102c46490 MFC r265465:
Don't reply monlist request when it's not enabled.
2014-05-20 00:57:00 +00:00
delphij
c152bbe479 MFC r260637:
Disable 'monitor' feature in ntpd by default.

Security:	FreeBSD-SA-14:02.ntpd
Approved by:	so
2014-01-14 19:04:33 +00:00
pfg
245e35ae97 Clean some 'svn:executable' properties in the tree.
Submitted by:	Christoph Mallon
MFC after:	3 days
2013-01-26 22:08:21 +00:00
eadler
0af88b7eae Clean up hardcoded ar(1) flags in the tree to use the global ARFLAGS in
share/mk/sys.mk instead.

This is part of a medium term project to permit deterministic builds of
FreeBSD.

Submitted by:	Erik Cederstrand <erik@cederstrand.dk>
Reviewed by:	imp, toolchain@
Approved by:	cperciva
MFC after:	2 weeks
2012-12-06 01:31:25 +00:00
emaste
ba92a7914a Remove extraneous log message
When ntp switched between PLL and FLL mode it produced a log message
"kernel time sync status change %04x".  This issue is reported in ntp
bug 452[1] which claims that this behaviour is normal and the log
message isn't necessary.  I'm not sure exactly when it was removed, but
it's gone in the latest ntp release (4.2.6p5).

[1] http://bugs.ntp.org/show_bug.cgi?id=452

Approved by:    roberto
2012-03-12 01:06:29 +00:00
bz
385c8843b3 In case ntp cannot resolve a hostname on startup it will queue the entry
for resolving by a child process that, upon success, will add the entry
to the config of the running running parent process.

Unfortunately there are a couple of bugs with this, fixed in various
later versions of upstream in potentially different ways due to other
code changes:

1) Upon server [-46] <FQDN> the [-46] are used as FQDN for later resolving
   which does not work.  Make sure we always pass the name (or IP there).

2) The intermediate file to carry the information to the child process
   does not know about -4/-6 restrictions, so that a dual-stacked host
   could resolve to an IPv6 address but that might be unreachable (see
   r223626) leading to no working synchronization ignoring a IPv4 record.
   Thus alter the intermediate format to also pass the address family
   (AF_UNSPEC (default), AF_INET or AF_INET6) to the child process
   depending on -4 or -6.

3) Make the child process to parse the new intermediate file format and
   save the address family for getaddrinfo() hints flags.

4) Change child to always reload resolv.conf calling res_init() before
   trying to resolve names.  This will pick up resolv.conf changes or
   new resolv.confs should they have not existed or been empty or
   unusable on ntp startup.  This fix is more conditional in upstream
   versions but given FreeBSD has res_init there is no need for the
   configure logic as well.

Approved by:	roberto
Sponsored by:	Sandvine Incorporated
MFC after:	9 days
2011-06-29 13:01:10 +00:00
bz
5eb4e348c8 Compare port numbers correctly. They are stored by SRCPORT()
in host byte order, so we need to compare them as such.
Properly compare IPv6 addresses as well.

This allows the, by default, 8 badaddrs slots per address
family to work correctly and only print sendto() errors once.

The change is no longer applicable to any latest upstream versions.

Approved by:	roberto
Sponsored by:	Sandvine Incorporated
MFC after:	1 week
2011-06-28 09:46:25 +00:00
bz
5cb7c50357 The argument to setsockopt for IP_MULTICAST_LOOP depends on operating
system and is decided upon by configure and could be an u_int or a
u_char.  For FreeBSD it is a u_char.

For IPv6 however RFC 3493, 5.2 defines the argument to
IPV6_MULTICAST_LOOP to be an unsigned integer so make sure we always
use that using a second variable for the IPV6 case.
This is to get rid of these error messages every 5 minutes on some
systems:
ntpd[1530]: setsockopt IPV6_MULTICAST_LOOP failure: Invalid argument
  on socket 22, addr fe80::... for multicast address ff02::101

While here also fix the copy&paste error in the log message for
IPV6_MULTICAST_LOOP.

Reviewed by:	roberto
Sponsored by:	The FreeBSD Foundation
Sponsored by:	iXsystems
MFC after:	10 days
Filed as:	Bug 1936 on ntp.org
2011-05-29 07:40:48 +00:00
roberto
230e76b538 Merge 4.2.4p8 into contrib (r200452 & r200454).
Subversion is being difficult here so take a hammer and get it in.

MFC after:		2 weeks
Security:		CVE-2009-3563
2009-12-15 14:58:10 +00:00
ume
a3e767ede4 Don't try to bind to an anycast addeess. The KAME IPv6 stack doesn't
allow bind to an anycast addeess.  It does away with an annoying
message.

Reviewed by:	bz, roberto
MFC after:	2 weeks
2009-12-01 16:07:50 +00:00
cperciva
45e5ee4e4a Remove build timestamps from the following files:
/boot/kernel/hptrr.ko
/etc/mail/*.cf
/lib/libcrypto.so.5
/usr/bin/ntpq
/usr/sbin/amd
/usr/sbin/iasl
/usr/sbin/ntpd
/usr/sbin/ntpdate
/usr/sbin/ntpdc

There does not appear to be any purpose to having these timestamps, and
they have the irritating consequence that the aforementioned files will
be different every time they are rebuilt.

After this commit, the only remaining build timestamps are in the kernel,
the boot loaders, /usr/include/osreldate.h (the year in the copyright
notice), and lib*.a (the timestamps on all of the included .o files).

Reviewed by:	scottl (hptrr), gshapiro (sendmail), simon (openssl),
		roberto (ntp), jkim (acpica)
Approved by:	re (kib)
2009-07-11 22:30:37 +00:00
cperciva
632fa45574 Prevent integer overflow in direct pipe write code from circumventing
virtual-to-physical page lookups. [09:09]

Add missing permissions check for SIOCSIFINFO_IN6 ioctl. [09:10]

Fix buffer overflow in "autokey" negotiation in ntpd(8). [09:11]

Approved by:	so (cperciva)
Approved by:	re (not really, but SVN wants this...)
Security:	FreeBSD-SA-09:09.pipe
Security:	FreeBSD-SA-09:10.ipv6
Security:	FreeBSD-SA-09:11.ntpd
2009-06-10 10:31:11 +00:00
roberto
d0b7303e63 Merge r191298 into HEAD.
Prevent a buffer overflow in ntpq.  Patch taken from the PR database
after being committed to the official ntp tree and present in 4.2.4p7-rc2.

It will be MFH to the upcoming 7.2 pending re approval.

Obtained from:  https://support.ntp.org/bugs/show_bug.cgi?id=1144
MFC after:      3 days
Security:       http://www.securityfocus.com/bid/34481
                CVE-2009-0159
2009-04-20 09:59:08 +00:00
simon
49eb227b50 Correct ntpd(8) cryptographic signature bypass [SA-09:04].
Correct BIND DNSSEC incorrect checks for malformed signatures
[SA-09:04].

Security:	FreeBSD-SA-09:03.ntpd
Security:	FreeBSD-SA-09:04.bind
Obtained from:	ISC [SA-09:04]
Approved by:	so (simon)
2009-01-13 21:19:27 +00:00
roberto
acc06a9e28 Merge from vendor/ntp/dist: r182856:
Apply updated patch from bin/92839 to avoid two possible buffer overflows.

PR:		bin/92839
Submitted by:	Helge Oldach <freebsdntpd@oldach.net>
2008-09-07 22:15:41 +00:00
roberto
b85c7169a7 Merge ntpd & friends 4.2.4p5 from vendor/ntp/dist into head. Next commit
will update usr.sbin/ntp to match this.

MFC after:	2 weeks
2008-08-22 15:58:00 +00:00
roberto
d0e3d12c54 Move FREEBSD-upgrade as well. 2008-08-18 14:37:44 +00:00
roberto
2638b58e2d Move FREEBSD-Xlist in a more proper location. 2008-08-18 14:36:57 +00:00
roberto
4ded1c1fa0 Flatten the dist and various 4.n.n trees in preparation of future ntp imports. 2008-08-17 17:37:33 +00:00
roberto
8b5a86d4fd Fix compilation with gcc 4.1. This is imported on the vendor branch as it
was applied in the mainstream source and a later complete import of
4.2.2p3 will complete the fix.

Submitted by:	kan
2006-09-28 16:02:34 +00:00
roberto
2ab556f91b This commit was generated by cvs2svn to compensate for changes in r162735,
which included commits to RCS files with non-trunk default branches.
2006-09-28 16:02:34 +00:00
roberto
25b467e3d9 Merge from the main BK repository for ntp: put two midly annoying messages
under #ifdef DEBUG. Merge of revision 1.45 by H. Stenn.

Done on the vendor branch to minimise future imports.

Reminded by:	obrien
2004-12-06 14:33:29 +00:00
roberto
930ad3d9dc This commit was generated by cvs2svn to compensate for changes in r138451,
which included commits to RCS files with non-trunk default branches.
2004-12-06 14:33:29 +00:00
roberto
515bd10243 The following patch has been taken from the ntp-stable vendor branch.
Put everything OpenSSL related between #ifdef OPENSSL..#endif.

This also fixes bugs #252, #275 & #293.

See
<http://ntp.bkbits.net:8080/ntp-stable/hist/util/ntp-keygen.c?nav=index.html|src/+|src/util>
for reference.

Submitted by:	Marius Strobl <marius@alchemy.franken.de>
2004-07-22 09:16:04 +00:00
roberto
828910ece4 This commit was generated by cvs2svn to compensate for changes in r132536,
which included commits to RCS files with non-trunk default branches.
2004-07-22 09:16:04 +00:00
roberto
bdb274fee2 Remove an extra '}'. 2004-07-20 15:51:00 +00:00
roberto
66b0c5ee10 Update information on build/import. 2004-07-20 15:25:19 +00:00
roberto
52f0477edd Merge conflicts.
Lots of added files, some removed and quite a large number of renames :(
2004-07-20 15:19:51 +00:00
roberto
4155ac9f07 Merge conflicts (see also previous commit).
Reinsert our local changes to ntp_control.c:

1.4:    Do not log every potential exploit attempt since a denial-of-service
        may result
1.5:    int -> unsigned char fixes
2004-07-20 15:18:31 +00:00
roberto
cdfc2f45fe Revert this file to the vendor version, we don't need to have our own
version of it.  Will help further upgrades.
2004-07-20 15:15:00 +00:00
roberto
118e757284 Virgin import of ntpd 4.2.0 2004-07-20 15:01:56 +00:00
roberto
929f0d3746 This commit was generated by cvs2svn to compensate for changes in r132451,
which included commits to RCS files with non-trunk default branches.
2004-07-20 15:01:56 +00:00
roberto
ad0bca971a Merge conflicts.
MFC after:	1 month
2002-11-04 19:38:46 +00:00
roberto
a85d9ae25e Virgin import of ntpd 4.1.1b 2002-11-04 19:36:11 +00:00
roberto
8f8f22cd2a This commit was generated by cvs2svn to compensate for changes in r106424,
which included commits to RCS files with non-trunk default branches.
2002-11-04 19:36:11 +00:00
roberto
dfb2a670f7 Update for 4.1.1a.
Tested on:	Sparc64 (panther), Alpha (beast) & i386
2002-10-29 20:30:43 +00:00
roberto
8d541346f2 Remove files not present in 4.1.1a import. 2002-10-29 20:11:45 +00:00
roberto
83149da41b This commit was generated by cvs2svn to compensate for changes in r106167,
which included commits to RCS files with non-trunk default branches.
2002-10-29 20:11:45 +00:00
roberto
c3ce66cde9 Merge conflicts.
MFC after:	1 month
2002-10-29 20:04:27 +00:00
roberto
f77146900e Virgin import of ntpd 4.1.1a 2002-10-29 19:58:12 +00:00
roberto
a925fb398b This commit was generated by cvs2svn to compensate for changes in r106163,
which included commits to RCS files with non-trunk default branches.
2002-10-29 19:58:12 +00:00
roberto
8a8eed52b9 Merge after 4.1.0 import. 2001-08-29 15:15:59 +00:00
roberto
e3ef210a6f Update for 4.1.0 import. 2001-08-29 15:02:12 +00:00
roberto
fc8a76dcfc Redo the int -> unsigned changes jedgar did. It should have been submitted
back but it was off the vendor branch anyway so...
2001-08-29 15:01:06 +00:00
roberto
40b8e415eb Virgin import of ntpd 4.1.0 2001-08-29 14:35:15 +00:00
roberto
edc758be46 This commit was generated by cvs2svn to compensate for changes in r82498,
which included commits to RCS files with non-trunk default branches.
2001-08-29 14:35:15 +00:00
jedgar
e90c8b37cf Do not log every potential exploit attempt since a denial-of-service
may result.
2001-04-06 14:34:15 +00:00
jedgar
10d702b26e - Correct off-by-one error and buffer underflow from previous fix
- int -> unsigned char fixes

Submitted by:	ache, dillon, Mark Andrews, et.al. (on -security)
2001-04-06 14:15:38 +00:00
phk
e1c6e50d72 Fix a potential ROOT-exploit in NTPD.
PR:		26358
Reviewed by:	dima
2001-04-04 23:07:22 +00:00
roberto
a5a8dc6136 Fix potential alignement problems on Alpha + IPv6.
This is done on the vendor branch to avoid spamming the tree. It has been
sent to the NTP maintainers already.

Submitted by:	shin
2000-03-03 17:06:31 +00:00