Replied: Thu, 29 Jan 1998 23:34:09 -0500
Replied: "Vincent Smeets <smeets@cci.de> mills@udel.edu"
Received: from huey2.ee.udel.edu by mail.eecis.udel.edu id aa24132;
          29 Jan 1998 04:29 EST
Received: from copland.udel.edu by huey.udel.edu id aa27836;
          29 Jan 1998 04:29 EST
Received: from ccigate.cci.de (ccigate.cci.de [193.103.165.1])
	by copland.udel.edu (8.8.8/8.8.8) with SMTP id EAA26067
	for <MILLS@UDEL.EDU>; Thu, 29 Jan 1998 04:29:34 -0500 (EST)
Received:  by ccigate.cci.de (4.1/04-otm)
	id AA23359; Thu Jan 29 10:29:01 1998
Received: from avgate.cci.de(192.54.66.61) by ccigate.cci.de via smap (V1.3)
	id sma023344; Thu Jan 29 10:28:35 1998
Received: from frigg_cci-altbau.cci.de by avgate; Do 29 Jan 98 10:25:50 +0100 (MET)
Received: from emsland.cci.de by frigg.cci.de (SMI-8.6/SMI-SVR4)
	id KAA09665; Thu, 29 Jan 1998 10:27:52 +0100
Received: from emsland by emsland.cci.de (SMI-8.6/SMI-SVR4)
	id KAA12124; Thu, 29 Jan 1998 10:27:51 +0100
Sender: smeets@cci.de.remove_me
Message-Id: <34D04B94.2518@cci.de.REMOVE_ME>
Date: Thu, 29 Jan 1998 10:27:48 +0100
From: Vincent Smeets <smeets@cci.de.remove_me>
Organization: Competence Center Informatik GmbH
X-Mailer: Mozilla 3.03C (X11; I; SunOS 5.6 sun4m)
Mime-Version: 1.0
Newsgroups: comp.protocols.time.ntp
To: mills@udel.edu
Subject: Re: leap more than month away: 319488
References: <34CDBFC4.292C@cci.de.REMOVE_ME>
Content-Type: multipart/mixed; boundary="------------43E219701862"

This is a multi-part message in MIME format.

--------------43E219701862
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hello,

I've found the bug for this problem. AFAIK it concerns all
configurations.

Vincent Smeets wrote:
> 
> Hello,
> 
> I've been looking at xntp 3.4y (from Sun) and 3-5.92. I see that the
> field "leap more than month away:" in version 3.4y is giving the
> number of calls to the leap process. In version 3-5.92, it's a strange
> number. In hex it looks like 0x4E000. Can it be that the number is
> shifted and that only the first 16 bits must be displayed?
> 
> I would expect that the fields can only have the values TRUE (1) and
> FALSE (0).
> 
> xntpdc> version
> xntpdc 3-5.92 Fri Jan 23 14:24:35 MET 1998 (1)
> xntpdc> leapinfo
> sys.leap:       00 (no leap second scheduled)
> leap.indicator: 00 (leap controlled by lower stratum)
> leap.warning:   00 (leap controlled by lower stratum)
> leap.bits:      00 (no leap second scheduled)
> time to next leap interrupt: 10086 s
> date of next leap interrupt: Tue, Jan 27 1998 14:37:22
> calls to leap process: 4
> leap more than month away: 319488
> leap less than month away: 0
> leap less than day away:   0
> leap in less than 2 hours: 0
> leap happened:             0

The bug is that the global variable sys_authdly is declared as:
	u_long  sys_authdly[1];
but everywhere it is used as sys_authdly[0] and sys_authdly[1]. There is
not enough memory reserved for sys_authdly, so writing to sys_authdly[1]
overwrites the next variable in memory. In my case it was the
variable leap_notclose. In another configuration (or link) another
variable may be overwritten.

A solution for the problem is to declare sys_authdly as:
	u_long sys_authdly[2];
I've attached a patch to this mail.

Vincent

--  Vincent Smeets                 Competence Center Informatik GmbH
--  Tel. : +49-5931-805461         Postfach 1225
--  Fax  : +49-5931-842461         49702 Meppen, Germany
--  EMail: smeets@cci.de.REMOVE_ME http://www.cci.de/
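The clobbering described above, as an added example that is not part of the original mail or of the xntp sources. It models the two adjacent globals as members of a hypothetical struct (so the layout is fixed for the demonstration; in the real binary the neighbour is whatever the linker placed next, as the mail notes), writes to the byte offset that "sys_authdly[1]" would occupy in the one-element declaration, and shows the value surfacing in leap_notclose. It then shows the fixed two-slot declaration driven by a single length constant with a compile-time size check and a bounds-respecting shift-register update. AUTHDLY_LEN, authdly_push, phantom_offset and the two check functions are names chosen here, not xntp code.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long u_long;

/* Hypothetical model of two adjacent globals from ntp_proto.c.  In the real
 * binary the linker picks the neighbour (the mail says it was leap_notclose
 * in one link and may be something else in another); a struct pins the
 * layout so the effect can be shown deterministically. */
struct globals_buggy {
    u_long sys_authdly[1];      /* declared with one slot, used with two */
    u_long leap_notclose;       /* occupies the bytes "slot 1" would need */
};

/* Fixed shape: one constant shared by the declaration and every index use. */
#define AUTHDLY_LEN 2
struct globals_fixed {
    u_long sys_authdly[AUTHDLY_LEN];
    u_long leap_notclose;
};

/* C89-style compile-time check that the array really has AUTHDLY_LEN slots;
 * the build fails (negative array size) if someone edits only one side. */
typedef char authdly_len_check[
    sizeof(((struct globals_fixed *)0)->sys_authdly) / sizeof(u_long)
        == AUTHDLY_LEN ? 1 : -1];

/* Byte offset that sys_authdly[i] would occupy in the buggy layout.
 * Computed arithmetically so the demo itself never indexes past the array. */
static size_t phantom_offset(size_t i)
{
    return offsetof(struct globals_buggy, sys_authdly) + i * sizeof(u_long);
}

/* Write to "sys_authdly[1]" of the buggy layout with memcpy at the computed
 * offset (defined behaviour: the bytes lie inside the struct object) and
 * report whether the value surfaced in leap_notclose instead. */
static int buggy_write_clobbers_neighbour(void)
{
    struct globals_buggy g;
    u_long v = 0x4E000UL;      /* constructed sample value; same shape as the
                                  319488 the mail saw in "leap more than
                                  month away" */
    memset(&g, 0, sizeof g);
    memcpy((unsigned char *)&g + phantom_offset(1), &v, sizeof v);
    return phantom_offset(1) == offsetof(struct globals_buggy, leap_notclose)
        && g.leap_notclose == v;
}

/* Shift-register update for the fixed layout: newest sample at [0], the
 * oldest falls off the far end.  The bound is AUTHDLY_LEN, never a literal. */
static void authdly_push(u_long reg[AUTHDLY_LEN], u_long sample)
{
    size_t i;
    for (i = AUTHDLY_LEN - 1; i > 0; i--)
        reg[i] = reg[i - 1];
    reg[0] = sample;
}

/* Two pushes fill both slots and leave the neighbour untouched. */
static int fixed_write_stays_in_bounds(void)
{
    struct globals_fixed g;
    memset(&g, 0, sizeof g);
    g.leap_notclose = 7;
    authdly_push(g.sys_authdly, 11);
    authdly_push(g.sys_authdly, 22);
    return g.sys_authdly[0] == 22 && g.sys_authdly[1] == 11
        && g.leap_notclose == 7;
}

int main(void)
{
    printf("buggy layout clobbers neighbour: %d\n",
           buggy_write_clobbers_neighbour());
    printf("fixed layout stays in bounds:    %d\n",
           fixed_write_stays_in_bounds());
    return 0;
}
```

The point of the typedef trick is that the array length lives in exactly one place; a future edit that changes the declaration but not the users (or the reverse) fails to compile instead of silently moving the overflow onto whichever global the next link happens to place after sys_authdly.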

--------------43E219701862
Content-Type: text/plain; charset=us-ascii; name="xntp3-5.92-export.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="xntp3-5.92-export.patch"

diff -cNpr xntp3-5.92-export.orig/xntpd/ntp_proto.c xntp3-5.92-export/xntpd/ntp_proto.c
*** xntp3-5.92-export.orig/xntpd/ntp_proto.c	Fri Oct 10 03:36:48 1997
--- xntp3-5.92-export/xntpd/ntp_proto.c	Thu Jan 29 09:36:19 1998
*************** s_fp	sys_bdelay;		/* broadcast client de
*** 52,58 ****
  int	sys_authenticate;	/* authenticate time used for syncing */
  u_char	consensus_leap;		/* mitigated leap bits */
  l_fp	sys_authdelay;		/* authentication delay */
! u_long	sys_authdly[1];		/* authentication delay shift reg */
  u_char	leap_consensus;		/* consensus of survivor leap bits */
  
  /*
--- 52,58 ----
  int	sys_authenticate;	/* authenticate time used for syncing */
  u_char	consensus_leap;		/* mitigated leap bits */
  l_fp	sys_authdelay;		/* authentication delay */
! u_long	sys_authdly[2];		/* authentication delay shift reg */
  u_char	leap_consensus;		/* consensus of survivor leap bits */
  
  /*
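Review bot: the widened declaration `u_long	sys_authdly[2];` covers the two indices ([0] and [1]) the mail says the rest of the code uses, but the length is still a bare literal, so the declaration and its uses can drift apart again in the same way. Suggest a named constant, e.g. `#define NAUTHDLY 2` and `u_long	sys_authdly[NAUTHDLY];`, used at every index and loop bound, so the "authentication delay shift reg" comment also documents the register depth. None of the index sites appear in this hunk, so the diff alone cannot confirm that no access beyond [1] exists elsewhere.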

--------------43E219701862--

