The busybox NTP implementation doesn't check the NTP mode of packets
received on the server port and responds to any packet with the right
size. This includes responses from another NTP server. An attacker can
send a packet with a spoofed source address in order to create an
infinite loop of responses between two busybox NTP servers. Adding
more packets to the loop increases the traffic between the servers
until one of them has a fully loaded CPU and/or network.
Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This resolves the following use case problem:
"I start ntpd by default from /etc/init.d
There might be no working network connection (not configured properly for
whatever reason, hardware problems, whatelse).
With busybox 1.25 ntpd seems to loop forever if now NTP servers are found,
blocking the boot process and I never get a login to solve a possible pb or
to do a first time configuration."
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Some users start ntpd on boot, and don't babysit it. If it dies because
DNS is not yet up and therefore NTP servers can't be found, users are
not happy.
Example behavior with a peer name which can't be resolved:
ntpd: bad address 'qwe.rty.ghj.kl'
...5 sec...
ntpd: bad address 'qwe.rty.ghj.kl'
ntpd: bad address 'qwe.rty.ghj.kl'
ntpd: bad address 'qwe.rty.ghj.kl'
ntpd: bad address 'qwe.rty.ghj.kl'
ntpd: bad address 'qwe.rty.ghj.kl'
ntpd: bad address 'qwe.rty.ghj.kl'
ntpd: bad address 'qwe.rty.ghj.kl'
ntpd: bad address 'qwe.rty.ghj.kl'
ntpd: bad address 'qwe.rty.ghj.kl'
...
Based on the patch by Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
function old new delta
resolve_peer_hostname - 81 +81
ntpd_main 1130 1061 -69
------------------------------------------------------------------------------
(add/remove: 1/0 grow/shrink: 0/1 up/down: 81/-69) Total: 12 bytes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This speeds up syncing - now happens only just
two replies from a peer. Especially useful for "ntpd -q".
Shouldn't have ill effects: if we chose a bad peer,
we will discover it later and switch to another one.
The code is even smaller this way.
Suggested by Miroslav Lichvar <mlichvar@redhat.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
OpenNTPd is licensed under ISC-style license so it's good idea to keep
ntpd applet under same license to avoid mess, instead of having
our changes to be under GPL.
Names of original code's authors are added.
Signed-off-by: Adam Tkac <vonsch@gmail.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
The offset to jitter ratio is now calculated before updating
jitter to make the test more sensitive.
function old new delta
ntp_init 460 474 +14
update_local_clock 752 764 +12
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 2/0 up/down: 26/0) Total: 26 bytes
Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
To avoid polling servers frequently slowly increase the interval up
to BIGPOLL when
- no replies are received from a peer
- no source can be selected
- peer claims to be unsynchronized (e.g. we are polling it too
frequently)
When recv() returns with an error, drop code to try to continue
on network errors: I'm not convinced those cases happen in real life.
function old new delta
recv_and_process_peer_pkt 919 838 -81
Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
* on step, poll interval drops to 8.5 mins instead of 32 seconds
* on total loss of all replies (no replies from any peer
for last 8 requests), also drop poll interval to 8.5 mins
instead of 32 seconds
* on send abd recv errors, RETRY_INTERVAL is now 32 seconds,
not 5 seconds
* on timing out listening to reply, instead of unconditional
shortening poll interval by x4, clamp it to NOREPLY_INTERVAL
(512 seconds)
* if a largish offset is seen, clamp nexp poll interval
to 128 seconds, not 64 seconds
function old new delta
clamp_pollexp_and_set_MAXSTRAT - 37 +37
recv_and_process_peer_pkt 861 869 +8
poll_interval 52 48 -4
update_local_clock 762 752 -10
ntpd_main 1063 1050 -13
------------------------------------------------------------------------------
(add/remove: 1/0 grow/shrink: 1/3 up/down: 45/-27) Total: 18 bytes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
The burst mode needs to be stopped even when no replies are received.
Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Before this cahnge, sometimes they were used after the next packet
from another peer was received, because we did updare some peer stats
from high delay packet before dropping it.
function old new delta
recv_and_process_peer_pkt 922 966 +44
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
rand() is the most standard C library function,
and on uclibc they are the same. I guess
they are the same in most todays' libc...
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
GCC complained about since_last_update being set but not used.
Signed-off-by: Bartosz Golaszewski <bartekgola@gmail.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Used to set p->filter_datapoint[i].d_dispersion = MAXDISP
and clear reachable bits, but this proved to be too agressive:
after step (tested with suspinding laptop for ~30 secs),
this caused all previous data to be considered invalid,
making us needing to collect full ~8 datapoins per peer
after step in order to start trusting them.
In turn, this was making poll interval decrease even after
step was done. (Poll interval decreases already before step
in this scenario, because we see large offsets and end up with
no good peer to select).
function old new delta
reset_peer_stats 157 139 -18
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
When using busybox ntpd with an NTPv3 client and NTPv4 server (or vice
versa), the version numbers can be incorrectly ORed together, yielding
the bogus value of "NTPv7". This makes ntpd unusable with clients
such as Chrony and Windows "Internet Time".
This patch avoids the version mangling, by copying only the Leap
Indicator bits from the server's status field.
Signed-off-by: Paul Marks <paul@pmarks.net>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
We set a default path for the directory where pidfiles are create
when FEATURE_PIDFILE is selected. The default has no effect on
applets which must specify a pidfile path on the command line to
run, and it can be overridden by applets which optionally allow
the user to specify the pidfile path.
We also add pidfile write/remove support for klogd, ntpd and watchdog.
For syslogd, we add a missing remove_pidfile() for better cleanup
on daemon exit.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
We use functions from sys/resource.h in misc applets, but don't include
the header. This breaks building with newer glibc versions, so add the
include where needed.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
