From: Harlan Stenn Date: Thu, 18 Dec 2014 01:18:29 +0000 (+0000) Subject: [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs X-Git-Tag: NTP_4_2_8~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=25f167530f7a36e19812d76206709429f663f82e;p=thirdparty%2Fntp.git [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs bk: 54922b65gDSbE4G7c3JjkuK1Tv33qQ --- diff --git a/ChangeLog b/ChangeLog index f3765a5ff..de193864c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,7 @@ * [Sec 2668] buffer overflow in ctl_putdata(). * [Sec 2669] buffer overflow in configure(). * [Sec 2670] Missing return; from error clause. +* [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs. (4.2.7p485-RC) 2014/12/12 Released by Harlan Stenn * [Bug 2686] refclock_gpsdjson needs strtoll(), which is not always present. (4.2.7p484-RC) 2014/12/11 Released by Harlan Stenn diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c index eb61ead57..aa415ccc1 100644 --- a/ntpd/ntp_io.c +++ b/ntpd/ntp_io.c @@ -3445,6 +3445,26 @@ read_network_packet( DPRINTF(3, ("read_network_packet: fd=%d length %d from %s\n", fd, buflen, stoa(&rb->recv_srcadr))); + /* + ** Bug 2672: Some OSes (MacOSX and Linux) don't block spoofed ::1 + */ + + if (AF_INET6 == itf->family) { + DPRINTF(1, ("Got an IPv6 packet, from <%s> to <%s>\n", + stoa(&rb->recv_srcadr), stoa(&itf->sin))); + } + + if ( AF_INET6 == itf->family + && IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr) + && !IN6_IS_ADDR_LOOPBACK(&itf->sin) + ) { + packets_dropped++; + DPRINTF(1, ("DROPPING that packet\n")); + freerecvbuf(rb); + return buflen; + } + DPRINTF(1, ("processing that packet\n")); + /* * Got one. Mark how and when it got here, * put it on the full list and do bookkeeping.