[Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs
authorHarlan Stenn <stenn@ntp.org>
Thu, 18 Dec 2014 01:18:29 +0000 (01:18 +0000)
committerHarlan Stenn <stenn@ntp.org>
Thu, 18 Dec 2014 01:18:29 +0000 (01:18 +0000)
bk: 54922b65gDSbE4G7c3JjkuK1Tv33qQ

ChangeLog
ntpd/ntp_io.c

index f3765a5ffd0d51db0e57224b36ed3393c5fab0fa..de193864c0f4728322c002364b4c139c4e73519a 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,7 @@
 * [Sec 2668] buffer overflow in ctl_putdata().
 * [Sec 2669] buffer overflow in configure().
 * [Sec 2670] Missing return; from error clause.
+* [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs.
 (4.2.7p485-RC) 2014/12/12 Released by Harlan Stenn <stenn@ntp.org>
 * [Bug 2686] refclock_gpsdjson needs strtoll(), which is not always present.
 (4.2.7p484-RC) 2014/12/11 Released by Harlan Stenn <stenn@ntp.org>
index eb61ead577fa5bc59eba1391058256617d3fd736..aa415ccc1541ac78177df6f12f576a2ed55a9625 100644 (file)
@@ -3445,6 +3445,26 @@ read_network_packet(
        DPRINTF(3, ("read_network_packet: fd=%d length %d from %s\n",
                    fd, buflen, stoa(&rb->recv_srcadr)));
 
+       /*
+       ** Bug 2672: Some OSes (MacOSX and Linux) don't block spoofed ::1
+       */
+
+       if (AF_INET6 == itf->family) {
+               DPRINTF(1, ("Got an IPv6 packet, from <%s> to <%s>\n",
+                       stoa(&rb->recv_srcadr), stoa(&itf->sin)));
+       }
+
+       if (   AF_INET6 == itf->family
+           && IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr)
+           && !IN6_IS_ADDR_LOOPBACK(&itf->sin)
+          ) {
+               packets_dropped++;
+               DPRINTF(1, ("DROPPING that packet\n"));
+               freerecvbuf(rb);
+               return buflen;
+       }
+       DPRINTF(1, ("processing that packet\n"));
+
        /*
         * Got one.  Mark how and when it got here,
         * put it on the full list and do bookkeeping.
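Review bot: The new guard in the `if (   AF_INET6 == itf->family` block hands `&rb->recv_srcadr` and `&itf->sin` straight to IN6_IS_ADDR_LOOPBACK, but both appear to be sockaddr_u objects (the same values passed to stoa() a few lines up), whereas the macro expects a pointer to struct in6_addr. On libcs whose macro casts its argument this compiles but inspects the family/port/flowinfo bytes rather than the address, so a spoofed ::1 source is likely never matched and the ACL bypass the commit targets stays open; on libcs whose macro dereferences `s6_addr` members it will not build at all. Passing the address member through ntp's own accessor fixes both cases: `&& IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr))` and `&& !IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin))`. The unconditional `DPRINTF(1, ("Got an IPv6 packet, ...` for every IPv6 packet also makes debug level 1 very noisy; level 2 or 3 would match the existing read_network_packet trace at the top of the hunk. read_network_packet's body starts before and continues past this hunk.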