+---
+* [Sec 3113] Broadcast Mode Poll Interval Enforcement DoS <perlinger@ntp.org>
+ - applied fix as suggested by Matthew Van Gundy
+
---
(4.2.8p8) 2016/06/02 Released by Harlan Stenn <stenn@ntp.org>
* Statistic counters
*/
u_long timereset; /* time stat counters were reset */
- u_long timelastrec; /* last packet received time */
+ u_long timelastrec; /* last packet received time, incl. trash */
u_long timereceived; /* last (clean) packet received time */
u_long timereachable; /* last reachable/unreachable time */
++bail;
}
- /* too early? worth an error, too! */
+ /* too early? worth an error, too!
+ *
+ * [Bug 3113] Ensure that at least one poll
+ * interval has elapsed since the last **clean**
+ * packet was received. We limit the check to
+ * **clean** packets to prevent replayed packets
+ * and incorrectly authenticated packets, which
+ * we'll discard, from being used to create a
+ * denial of service condition.
+ */
deadband = (1u << pkt->ppoll);
if (FLAG_BC_VOL & peer->flags)
deadband -= 3; /* allow greater fuzz after volley */
- if ((current_time - peer->timelastrec) < deadband) {
+ if ((current_time - peer->timereceived) < deadband) {
msyslog(LOG_INFO, "receive: broadcast packet from %s arrived after %lu, not %lu seconds!",
stoa(&rbufp->recv_srcadr),
- (current_time - peer->timelastrec),
+ (current_time - peer->timereceived),
deadband);
++bail;
}
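Review bot: `deadband` is still computed from the packet's own `pkt->ppoll`, and nothing visible in this hunk bounds that value before `1u << pkt->ppoll` and `deadband -= 3`. With a poll exponent of 0 or 1 the subtraction wraps (assuming `deadband` is unsigned, as the `%lu` in the log call suggests), so the comparison against `peer->timereceived` would reject every packet, and a shift count at or above the width of `unsigned` is undefined. The check that ends at the `++bail;` above the comment is outside the hunk and may already flag out-of-range polls, but if it only increments `bail` this arithmetic still runs. I would guard the fuzz adjustment with `if ((FLAG_BC_VOL & peer->flags) && deadband > 3)` and skip the deadband test entirely once the poll value has been flagged. The enclosing block starts and ends outside the hunk, so the bound may exist elsewhere and should be confirmed.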