* [Sec 3008] Always check the return value of ctl_getitem().
- initial work by HStenn
- Additional cleanup of ctl_getitem by perlinger@ntp.org
+* [Sec 3020] Refclock impersonation. HStenn.
* [Bug 2858] bool support. Use stdbool.h when available. HStenn.
* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
- integrated patches by Loganaden Velvidron <logan@ntp.org>
esac
+AC_MSG_CHECKING([if we want the explicit 127.0.0.0/8 martian filter])
+AC_ARG_ENABLE(
+ [bug3020-fix],
+ [AS_HELP_STRING(
+ [--enable-bug3020-fix],
+ [+ Provide the explicit 127.0.0.0/8 martian filter]
+ )],
+ [ans=$enableval],
+ [ans=yes]
+)
+AC_MSG_RESULT([$ans])
+case "$ans" in
+ yes)
+ AC_DEFINE([ENABLE_BUG3020_FIX], [1],
+ [Provide the explicit 127.0.0.0/8 martian filter?])
+esac
+
+
AC_MSG_CHECKING([if we should use the IRIG sawtooth filter])
case "$host" in
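Review bot: The help string and the `AC_DEFINE` description both promise an explicit 127.0.0.0/8 martian filter, but the only code this patch guards with `ENABLE_BUG3020_FIX` tests `ISREFCLOCKADR()`. Judging by its name, that macro covers refclock pseudo-addresses rather than the whole loopback net, though its definition is not visible here. Wording such as `[+ Drop network packets whose source address is a refclock address]` would describe what the switch actually controls. Because `--disable-bug3020-fix` turns off the [Sec 3020] mitigation, the `case "$ans"` block would benefit from a `no)` arm that calls `AC_MSG_WARN`, so the choice shows up in the configure output instead of passing silently.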
DPRINTF(3, ("read_network_packet: fd=%d length %d from %s\n",
fd, buflen, stoa(&rb->recv_srcadr)));
+#ifdef ENABLE_BUG3020_FIX
+ if (ISREFCLOCKADR(&rb->recv_srcadr)) {
+ msyslog(LOG_ERR, "recvfrom(%s) fd=%d: refclock srcadr on a network interface!",
+ stoa(&rb->recv_srcadr), fd);
+ DPRINTF(1, ("read_network_packet: fd=%d dropped (refclock srcadr))\n",
+ fd));
+ packets_dropped++;
+ freerecvbuf(rb);
+ return (buflen);
+ }
+#endif
+
/*
** Bug 2672: Some OSes (MacOSX and Linux) don't block spoofed ::1
*/
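Review bot: The `msyslog(LOG_ERR, ...)` call in the added block runs once per dropped packet, and the source address that triggers it is chosen by whoever sends the datagram. A remote sender can therefore fill the log at packet rate and bury other events. `packets_dropped` already counts these, so the message could be limited to the first occurrence, for example `static int warned;` followed by `if (!warned) { warned = 1; msyslog(...); }`, or throttled by time. The DPRINTF text also has a stray closing parenthesis; it should read `"read_network_packet: fd=%d dropped (refclock srcadr)\n"`. The body of read_network_packet starts and continues outside this hunk, so how callers treat the `return (buflen)` on this path cannot be checked from here.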