ntp: restrict use of sub-second polling intervals

When the local polling interval is adjusted between minpoll and maxpoll
to a sub-second value, check if the source is reachable and the minimum
measured delay is 10 milliseconds or less. If it's not, ignore the
maxpoll value and set the interval to 1 second.

This should prevent clients (mis)configured with an extremely short
minpoll/maxpoll from flooding servers on the Internet.

diff --git a/ntp_core.c b/ntp_core.c
index 1c449f623fdd9dee62a4133f9201c536b96a0a90..fa2f762c9728e42196eed6ae62aa224deae9aac1 100644 (file)
--- a/ntp_core.c
+++ b/ntp_core.c
@@ -268,6 +268,11 @@ static ARR_Instance broadcasts;
 #define MIN_MAXPOLL 0
 #define MAX_POLL 24
 
+/* Enable sub-second polling intervals only when the peer delay is not
+   longer than 10 milliseconds to restrict them to local networks */
+#define MIN_NONLAN_POLL 0
+#define MAX_LAN_PEER_DELAY 0.01
+
 /* Kiss-o'-Death codes */
 #define KOD_RATE 0x52415445UL /* RATE */
 
@@ -742,6 +747,13 @@ adjust_poll(NCR_Instance inst, double adj)
     inst->local_poll = inst->maxpoll;
     inst->poll_score = 1.0;
   }
+
+  /* Don't allow a sub-second polling interval if the source is not reachable
+     or it is not in a local network according to the measured delay */
+  if (inst->local_poll < MIN_NONLAN_POLL &&
+      (!SRC_IsReachable(inst->source) ||
+       SST_MinRoundTripDelay(SRC_GetSourcestats(inst->source)) > MAX_LAN_PEER_DELAY))
+    inst->local_poll = MIN_NONLAN_POLL;
 }
 
 /* ================================================== */