
bin/45257: ping(8) prints bogus round-trip times after Year 2038


Izumi Tsutsui

Aug 15, 2011, 3:55:01 AM8/15/11
>Number: 45257
>Category: bin
>Synopsis: ping(8) prints bogus round-trip times after Year 2038
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Aug 15 07:55:00 +0000 2011
>Originator: Izumi Tsutsui
>Release: NetBSD 5.99.55
>Organization:
>Environment:
System: NetBSD 5.99.55 (GENERIC) #246: Tue Aug 9 00:26:31 JST 2011
Architecture: m68k
Machine: hp300
but affects all ports
>Description:
ping(8) prints wrong round-trip times after year 2038
even after 64 bit time_t changes.
On BE machines it occurs after year 2038,
and on LE machines after year ~2106.

>How-To-Repeat:

# uname -prs
NetBSD 5.99.55 m68k
# date
Mon Aug 15 16:26:40 JST 2011
# ping -n -c 1 192.168.20.1
PING 192.168.20.1 (192.168.20.1): 56 data bytes
64 bytes from 192.168.20.1: icmp_seq=0 ttl=255 time=4.292 ms

----192.168.20.1 PING Statistics----
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 4.292/4.292/4.292/0.000 ms
#
# date 203908151627.00
Mon Aug 15 16:27:00 JST 2039
# ping -n -c 1 192.168.20.1
PING 192.168.20.1 (192.168.20.1): 56 data bytes
64 bytes from 192.168.20.1: icmp_seq=0 ttl=255 time=4294967296004.156 ms

----192.168.20.1 PING Statistics----
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 999999999000.000/4294967296004.156/4294967296004.156/0.000 ms
#
# rdate 192.168.20.1
Mon Aug 15 16:27:03 2011
# ping -n -c 1 192.168.20.1
PING 192.168.20.1 (192.168.20.1): 56 data bytes
64 bytes from 192.168.20.1: icmp_seq=0 ttl=255 time=3.288 ms

----192.168.20.1 PING Statistics----
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 3.288/3.288/3.288/0.000 ms
#


>Fix:
The problem is that ping(8) uses 32bit values (as struct tv32)
to send F_TIMING info, but ntohl() and diffsec() don't
handle signedness and width properly:

http://nxr.NetBSD.org/xref/src/sbin/ping/ping.c#993
---
if (pingflags & F_TIMING) {
struct timeval tv;
struct tv32 tv32;

(void) memcpy(&tv32, icp->icmp_data, sizeof(tv32));
tv.tv_sec = ntohl(tv32.tv32_sec);
tv.tv_usec = ntohl(tv32.tv32_usec);
triptime = diffsec(&last_rx, &tv);
---

Note that ntohl() and htonl() are no-ops on BE machines
and both tv32_sec and tv.tv_sec are signed,
while on LE machines ntohl() implicitly casts its argument to unsigned.

Ryo Shimizu (ryo@) has a patch for this problem.

---


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-...@muc.de

r...@netbsd.org

Aug 15, 2011, 4:04:21 AM8/15/11
Synopsis: ping(8) prints bogus round-trip times after Year 2038

Responsible-Changed-From-To: bin-bug-people->ryo
Responsible-Changed-By: r...@NetBSD.org
Responsible-Changed-When: Mon, 15 Aug 2011 08:04:20 +0000
Responsible-Changed-Why:
mine

Ryo SHIMIZU

Aug 15, 2011, 4:07:18 AM8/15/11

>Fix:

Is this patch ok?

Index: ping.c
===================================================================
RCS file: /cvsroot/src/sbin/ping/ping.c,v
retrieving revision 1.94
diff -a -u -r1.94 ping.c
--- ping.c 9 Aug 2011 12:55:19 -0000 1.94
+++ ping.c 15 Aug 2011 07:26:19 -0000
@@ -137,8 +137,8 @@
#define TST(seq) (A(seq) & B(seq))

struct tv32 {
- int32_t tv32_sec;
- int32_t tv32_usec;
+ uint32_t tv32_sec;
+ uint32_t tv32_usec;
};


@@ -213,6 +213,7 @@
static void fill(void);
static void rnd_fill(void);
static double diffsec(struct timeval *, struct timeval *);
+static double diffsec_tv32(struct timeval *, struct tv32 *);
static void timevaladd(struct timeval *, struct timeval *);
static void sec_to_timeval(const double, struct timeval *);
static double timeval_to_sec(const struct timeval *);
@@ -859,7 +860,7 @@

opack_icmp.icmp_type = ICMP_ECHO;
opack_icmp.icmp_id = ident;
- tv32.tv32_sec = htonl(now.tv_sec);
+ tv32.tv32_sec = htonl((uint32_t)now.tv_sec);
tv32.tv32_usec = htonl(now.tv_usec);
if (pingflags & F_TIMING)
(void) memcpy(&opack_icmp.icmp_data[0], &tv32, sizeof(tv32));
@@ -991,13 +992,13 @@
first_rx = last_rx;
nreceived++;
if (pingflags & F_TIMING) {
- struct timeval tv;


struct tv32 tv32;

(void) memcpy(&tv32, icp->icmp_data, sizeof(tv32));

- tv.tv_sec = ntohl(tv32.tv32_sec);
- tv.tv_usec = ntohl(tv32.tv32_usec);
- triptime = diffsec(&last_rx, &tv);
+ NTOHL(tv32.tv32_sec);
+ NTOHL(tv32.tv32_usec);
+
+ triptime = diffsec_tv32(&last_rx, &tv32);
tsum += triptime;
tsumsq += triptime * triptime;
if (triptime < tmin)
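Review bot: The timestamp in `tv32` is copied from the echo reply payload, which the remote end fills in, and the new `NTOHL()` / `diffsec_tv32()` lines use it without any range check. A reply carrying a `tv32_usec` of 1000000 or more, or a `tv32_sec` far from the local clock, yields a `triptime` that is then folded into `tsum`, `tsumsq` and the min tracking on the following lines. Consider computing `triptime` only when `tv32.tv32_usec < 1000000`, and adding a comment such as `/* timestamp comes from the reply payload; treat it as untrusted */`. Whether the received length is known to cover `sizeof(tv32)` before the `memcpy` is not visible here; the enclosing function starts before this hunk and continues past it.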
@@ -1246,6 +1247,13 @@
+ (timenow->tv_usec - then->tv_usec)/1000000.0);
}

+static double
+diffsec_tv32(struct timeval *timenow, struct tv32 *then)
+{
+ return (((timenow->tv_sec & 0xffffffff) - then->tv32_sec)) * 1.0 +
+ (timenow->tv_usec - then->tv32_usec) / 1000000.0;
+}
+

static void
timevaladd(struct timeval *t1,
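Review bot: In `diffsec_tv32()` the microsecond term `timenow->tv_usec - then->tv32_usec` mixes a signed `tv_usec` with the now-unsigned `tv32_usec`. Where `suseconds_t` is no wider than 32 bits the subtraction is done in unsigned arithmetic, so a reply whose receive microseconds are smaller than the send microseconds wraps to about 4294 seconds instead of a small negative fraction. The seconds term has a related gap: `(timenow->tv_sec & 0xffffffff) - then->tv32_sec` comes out near -2^32 if the low 32 bits of the clock roll over between send and receive. Taking the seconds difference modulo 2^32 and reading it as signed, and doing the microsecond difference in `double`, avoids both: `return (double)(int32_t)((uint32_t)timenow->tv_sec - then->tv32_sec) +` `((double)timenow->tv_usec - (double)then->tv32_usec) / 1000000.0;`. Neither pointer is written through, so both parameters could also be `const`.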


I have tested as below;

myhost# cat t.c
#include <stdio.h>
#include <time.h>

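/*
 * Print the current time_t value in decimal and in hexadecimal.
 *
 * Returns 0 on success, or 1 if time() reports failure.
 */
int
main(int argc, char *argv[])
{
	time_t t;

	/* The command line is not used. */
	(void)argc;
	(void)argv;

	if (time(&t) == (time_t)-1) {
		fprintf(stderr, "time() failed\n");
		return 1;
	}

	/*
	 * time_t is not guaranteed to be unsigned long long, so cast explicitly:
	 * passing a mismatched type to %llu / %llx is undefined behaviour.
	 */
	printf("time_t = %llu = 0x%llx\n",
	    (unsigned long long)t, (unsigned long long)t);
	return 0;
}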


* FYI: 2106-02-07 15:28 JST is 0xfffffff0 in unixtime.

myhost# date
Mon Aug 15 16:56:06 JST 2011
myhost# date 210602071528
Sun Feb 7 15:28:00 JST 2106
myhost# ./a.out
time_t = 4294967281 = 0xfffffff1
myhost# ping localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.022 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=255 time=0.026 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=255 time=0.026 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=255 time=0.028 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=255 time=0.046 ms
64 bytes from 127.0.0.1: icmp_seq=5 ttl=255 time=0.030 ms
64 bytes from 127.0.0.1: icmp_seq=6 ttl=255 time=0.026 ms
64 bytes from 127.0.0.1: icmp_seq=7 ttl=255 time=0.025 ms
64 bytes from 127.0.0.1: icmp_seq=8 ttl=255 time=0.026 ms
64 bytes from 127.0.0.1: icmp_seq=9 ttl=255 time=0.025 ms
64 bytes from 127.0.0.1: icmp_seq=10 ttl=255 time=0.024 ms
64 bytes from 127.0.0.1: icmp_seq=11 ttl=255 time=0.025 ms
64 bytes from 127.0.0.1: icmp_seq=12 ttl=255 time=0.028 ms
64 bytes from 127.0.0.1: icmp_seq=13 ttl=255 time=0.041 ms
64 bytes from 127.0.0.1: icmp_seq=14 ttl=255 time=0.026 ms
64 bytes from 127.0.0.1: icmp_seq=15 ttl=255 time=0.048 ms
64 bytes from 127.0.0.1: icmp_seq=16 ttl=255 time=0.028 ms
64 bytes from 127.0.0.1: icmp_seq=17 ttl=255 time=0.026 ms
64 bytes from 127.0.0.1: icmp_seq=18 ttl=255 time=0.028 ms
64 bytes from 127.0.0.1: icmp_seq=19 ttl=255 time=0.025 ms
64 bytes from 127.0.0.1: icmp_seq=20 ttl=255 time=0.025 ms
64 bytes from 127.0.0.1: icmp_seq=21 ttl=255 time=0.027 ms
64 bytes from 127.0.0.1: icmp_seq=22 ttl=255 time=0.029 ms
^C
----localhost PING Statistics----
23 packets transmitted, 23 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.022/0.029/0.048/0.007 ms
myhost# ./a.out
time_t = 4294967305 = 0x100000009

--
ryo shimizu

Ryo SHIMIZU

Aug 15, 2011, 4:10:06 AM8/15/11
The following reply was made to PR bin/45257; it has been noted by GNATS.