From: Harlan Stenn <stenn@ntp.org>
Date: Mon, 29 Feb 2016 23:01:01 +0000 (+0000)
Subject: [Sec 3020] Refclock impersonation.  HStenn.
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a5e7991e8c3e069994c851e83b978614ceb113f;p=thirdparty%2Fntp.git

[Sec 3020] Refclock impersonation.  HStenn.

bk: 56d4cdadyjbEtsWIuGaFIpsC0XrP2A
---

diff --git a/ChangeLog b/ChangeLog
index 1276ffaf5..7ab704f2f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,7 @@
 * [Sec 3008] Always check the return value of ctl_getitem().
   - initial work by HStenn
   - Additional cleanup of ctl_getitem by perlinger@ntp.org
+* [Sec 3020] Refclock impersonation.  HStenn.
 * [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
 * [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
   - integrated patches by Loganaden Velvidron <logan@ntp.org>
diff --git a/configure.ac b/configure.ac
index 9624f9aee..2a0c1a0d8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4160,6 +4160,24 @@ case "$ans" in
 esac
 
 
+AC_MSG_CHECKING([if we want the explicit 127.0.0.0/8 martian filter])
+AC_ARG_ENABLE(
+    [bug3020-fix],
+    [AS_HELP_STRING(
+	[--enable-bug3020-fix],
+	[+ Provide the explicit 127.0.0.0/8 martian filter]
+    )],
+    [ans=$enableval],
+    [ans=yes]
+)
+AC_MSG_RESULT([$ans])
+case "$ans" in
+ yes)
+    AC_DEFINE([ENABLE_BUG3020_FIX], [1],
+	[Provide the explicit 127.0.0.0/8 martian filter?])
+esac
+
+
 AC_MSG_CHECKING([if we should use the IRIG sawtooth filter])
 
 case "$host" in
diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c
index 95229d6a7..5f5b721b6 100644
--- a/ntpd/ntp_io.c
+++ b/ntpd/ntp_io.c
@@ -3447,6 +3447,18 @@ read_network_packet(
 	DPRINTF(3, ("read_network_packet: fd=%d length %d from %s\n",
 		    fd, buflen, stoa(&rb->recv_srcadr)));
 
+#ifdef ENABLE_BUG3020_FIX
+	if (ISREFCLOCKADR(&rb->recv_srcadr)) {
+		msyslog(LOG_ERR, "recvfrom(%s) fd=%d: refclock srcadr on a network interface!",
+			stoa(&rb->recv_srcadr), fd);
+		DPRINTF(1, ("read_network_packet: fd=%d dropped (refclock srcadr))\n",
+			    fd));
+		packets_dropped++;
+		freerecvbuf(rb);
+		return (buflen);
+	}
+#endif
+
 	/*
 	** Bug 2672: Some OSes (MacOSX and Linux) don't block spoofed ::1
 	*/