[Sec 1331] DoS with mode 7 packets - CVE-2009-3563.

bk: 4acbefe2GioPCUv-TNpIvmyOyTz4IA

diff --git a/ChangeLog b/ChangeLog
index 3757c47f155884d0a1efa245600deec4fc7dcd8a..ff60adca64e98be9b149e08ec0a3ab00a09459cd 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+---
+
+* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
+
 ---
 (4.2.4p7) 2009/05/18 Released by Harlan Stenn <stenn@ntp.org>
 

diff --git a/ntpd/ntp_request.c b/ntpd/ntp_request.c
index 2af0f0bced23dd7f211ed26a7e1dd6aed452651e..f5eed4449d9ad92b9b7c82312c8083b21dd6d76d 100644 (file)
--- a/ntpd/ntp_request.c
+++ b/ntpd/ntp_request.c
@@ -409,6 +409,7 @@ process_private(
        int mod_okay
        )
 {
+       static u_long quiet_until;
        struct req_pkt *inpkt;
        struct req_pkt_tail *tailinpkt;
        struct sockaddr_storage *srcadr;
@@ -444,8 +445,14 @@ process_private(
            || (++ec, INFO_MBZ(inpkt->mbz_itemsize) != 0)
            || (++ec, rbufp->recv_length < REQ_LEN_HDR)
                ) {
-               msyslog(LOG_ERR, "process_private: INFO_ERR_FMT: test %d failed, pkt from %s", ec, stoa(srcadr));
-               req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
+               NLOG(NLOG_SYSEVENT)
+                       if (current_time >= quiet_until) {
+                               msyslog(LOG_ERR,
+                                       "process_private: drop test %d"
+                                       " failed, pkt from %s",
+                                       ec, stoa(srcadr));
+                               quiet_until = current_time + 60;
+                       }
                return;
        }