From: Harlan Stenn
Date: Thu, 14 Apr 2016 01:59:45 +0000 (+0000)
Subject: [Sec 2978] Interleave can be partially triggered
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=27ec351cd0350cc25367217f9430e82bf92b916a;p=thirdparty%2Fntp.git
[Sec 2978] Interleave can be partially triggered
bk: 570ef991qHXRv1LCIXmoOomFNvjm3w
---
diff --git a/ChangeLog b/ChangeLog
index f1509d699..ee25d22c3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,7 @@
 * [Sec 2936] Skeleton Key: Any system knowing the trusted key can serve time. Include passive servers in this check. HStenn.
 * [Sec 2945] Additional KoD packet checks. HStenn.
+* [Sec 2978] Interleave can be partially triggered. HStenn.
 * [Sec 3008] Always check the return value of ctl_getitem().
 - initial work by HStenn
 - Additional cleanup of ctl_getitem by perlinger@ntp.org
diff --git a/configure.ac b/configure.ac
index 2a0c1a0d8..caba8f688 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4342,6 +4342,28 @@ case "$ntp_ok" in
 esac
 AC_MSG_RESULT([$ntp_ok])
+###
+
+AC_MSG_CHECKING([if we want dynamic interleave support])
+AC_ARG_ENABLE(
+ [dynamic-interleave],
+ [AS_HELP_STRING(
+ [--enable-dynamic-interleave],
+ [- dynamic interleave support]
+ )],
+ [ntp_ok=$enableval],
+ [ntp_ok=no]
+)
+ntp_dynamic_interleave=0
+case "$ntp_ok" in
+ yes)
+ ntp_dynamic_interleave=1
+ ;;
+esac
+AC_DEFINE_UNQUOTED([DYNAMIC_INTERLEAVE], [$ntp_dynamic_interleave],
+ [support dynamic interleave?])
+AC_MSG_RESULT([$ntp_ok])
+
 NTP_UNITYBUILD
 dnl gtest is needed for our tests subdirs. It would be nice if we could
diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c
index eabad80aa..1e6b925a0 100644
--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
@@ -25,7 +25,7 @@
 #include
 #endif
-/*[Bug 3031] define automatic broadcastdelay cutoff preset */
+/* [Bug 3031] define automatic broadcastdelay cutoff preset */
 #ifndef BDELAY_DEFAULT
 # define BDELAY_DEFAULT (-0.050)
 #endif
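Review bot: The `case "$ntp_ok"` block in the new dynamic-interleave check in configure.ac matches only `yes`, so any other argument to `--enable-dynamic-interleave` (for example `=1`) leaves `ntp_dynamic_interleave=0` while `AC_MSG_RESULT([$ntp_ok])` echoes the raw value, and the configure log can then disagree with what was compiled in. Failing closed is the right direction for a Sec 2978 mitigation, but the result line should report the effective setting; adding `*) ntp_ok=no ;;` to the case would do that. The help text `[- dynamic interleave support]` would also be clearer if it said that the option re-enables behaviour this commit turns off by default.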
@@ -177,6 +177,8 @@ int unpeer_crypto_early = 1; /* bad crypto (TEST9) */
 int unpeer_crypto_nak_early = 1; /* crypto_NAK (TEST5) */
 int unpeer_digest_early = 1; /* bad digest (TEST5) */
+int dynamic_interleave = DYNAMIC_INTERLEAVE; /* Bug 2978 mitigation */
+
 int kiss_code_check(u_char hisleap, u_char hisstratum, u_char hismode, u_int32 refid);
 enum nak_error_codes valid_NAK(struct peer *peer, struct recvbuf *rbufp, u_char hismode);
 static double root_distance (struct peer *);
@@ -1633,8 +1635,14 @@ receive(
 if ( !L_ISZERO(&peer->dst) && L_ISEQU(&p_org, &peer->dst)) {
 /* Might be the start of an interleave */
- peer->flip = 1;
- report_event(PEVNT_XLEAVE, peer, NULL);
+ if (dynamic_interleave) {
+ peer->flip = 1;
+ report_event(PEVNT_XLEAVE, peer, NULL);
+ } else {
+ msyslog(LOG_INFO,
+ "receive: Dynamic interleave from %s@%s denied",
+ hm_str, ntoa(&peer->srcadr));
+ }
 }
 } else {
 L_CLR(&peer->aorg);
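Review bot: `int dynamic_interleave = DYNAMIC_INTERLEAVE;` will not compile in a build whose config.h is not generated from this configure.ac, because nothing visible in this commit defines the macro anywhere else; if hand-maintained config headers exist for other ports, they would need it too. A guarded default in the style this file already uses for BDELAY_DEFAULT keeps the mitigation active in that case: `#ifndef DYNAMIC_INTERLEAVE`, `# define DYNAMIC_INTERLEAVE 0`, `#endif`. The trailing comment could also state which value is the safe one, e.g. `/* Bug 2978 mitigation: 0 = refuse dynamic interleave */`.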
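Review bot: The new else branch in receive() calls `msyslog(LOG_INFO, ...)` for every packet that satisfies the origin-timestamp match, with no rate limit, so a sender able to produce such packets (the premise of Sec 2978) can turn the mitigation into a steady stream of log lines. Consider logging once per peer or per interval, or counting refusals in a statistic and logging the detail at debug level. The branch leaves `peer->flip` untouched and then falls out of the if; whether the packet is afterwards handled as a basic-mode packet or discarded is decided outside this hunk, so a short comment stating the intended outcome would help, e.g. `/* interleave refused: continue as basic mode */` if that is what happens. `hm_str` and the rest of receive() are defined outside the hunk.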