[Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs
authorHarlan Stenn <stenn@ntp.org>
Sun, 21 Dec 2014 01:24:15 +0000 (01:24 +0000)
committerHarlan Stenn <stenn@ntp.org>
Sun, 21 Dec 2014 01:24:15 +0000 (01:24 +0000)
bk: 5496213frLaEz5PHLZVhuYjM7Lalkw

ChangeLog
ntpd/ntp_io.c

index 4d2ea91b0fac30ffee9cc00ac99dfc7b331a7c2a..4e3130910b2b7ef113c0ef09462134009772d6de 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,4 @@
+* [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs.
 ---
 (4.2.8) 2014/12/19 Released by Harlan Stenn <stenn@ntp.org>
 
index ae00e55d1d867880fcb07296bdbbefb62395e614..d771cf5d8ae86db23061042fbc32488af48c1ab2 100644 (file)
@@ -3450,19 +3450,18 @@ read_network_packet(
        */
 
        // temporary hack...
-#ifndef HAVE_SOLARIS_PRIVS
        if (AF_INET6 == itf->family) {
                DPRINTF(1, ("Got an IPv6 packet, from <%s> (%d) to <%s> (%d)\n",
                        stoa(&rb->recv_srcadr),
-                       IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr),
+                       IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr.sa6.sin6_addr),
                        stoa(&itf->sin),
-                       !IN6_IS_ADDR_LOOPBACK(&itf->sin)
+                       !IN6_IS_ADDR_LOOPBACK(&itf->sin.sa6.sin6_addr)
                        ));
        }
 
        if (   AF_INET6 == itf->family
-           && IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr)
-           && !IN6_IS_ADDR_LOOPBACK(&itf->sin)
+           && IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr.sa6.sin6_addr)
+           && !IN6_IS_ADDR_LOOPBACK(&itf->sin.sa6.sin6_addr)
           ) {
                packets_dropped++;
                DPRINTF(1, ("DROPPING that packet\n"));
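Review bot: The drop branch at `packets_dropped++` reports the event only through `DPRINTF`, which is debug output, so on a production build a packet claiming source ::1 on a non-loopback interface is discarded with nothing in the log for an operator to see. A rate-limited `msyslog(LOG_NOTICE, ...)` that names `stoa(&itf->sin)` would make these ACL-bypass attempts visible without letting the spoofed traffic flood the log. The `// temporary hack...` comment above the block should also be replaced now that the check applies on every platform, for example `/* [Sec 2672] drop packets claiming source ::1 that arrive on a non-loopback interface */`. The test covers only `AF_INET6`; whether 127.0.0.0/8 sources need the same guard depends on kernel filtering that is not visible here. The body of `read_network_packet` starts and ends outside this hunk.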
@@ -3470,7 +3469,6 @@ read_network_packet(
                return buflen;
        }
        DPRINTF(1, ("processing that packet\n"));
-#endif
 
        /*
         * Got one.  Mark how and when it got here,