From: Harlan Stenn Date: Tue, 24 May 2016 12:05:06 +0000 (+0000) Subject: [Sec 3044] Spoofed server packets are partially processed. HStenn. X-Git-Tag: NTP_4_2_8P8~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3579143d18edfc2589f6f1b887b42cd53597147c;p=thirdparty%2Fntp.git [Sec 3044] Spoofed server packets are partially processed. HStenn. bk: 57444372VdmJbYqjSjCzBY-4vS_55g --- diff --git a/ChangeLog b/ChangeLog index 2e5c3b0ac..2c8e61dab 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,8 +1,9 @@ --- * [Sec 3042] Broadcast Interleave. HStenn. -* [Sec 3043] Autokey association reset. perlinger@ntp.org, stenn@ntp.org - (fixes [Sec 3044] and [Sec 3045], too) +* [Sec 3043] Autokey association reset. perlinger@ntp.org, stenn@ntp.org + - fixes [Sec 3044] (partially) and [Sec 3045], too. +* [Sec 3044] Spoofed server packets are partially processed. HStenn. * [Sec 3046] CRYPTO_NAK crash. stenn@ntp.org * [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org - provide build environment diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c index 06cf42fff..7809fb4a3 100644 --- a/ntpd/ntp_proto.c +++ b/ntpd/ntp_proto.c @@ -2038,9 +2038,9 @@ receive( /* - * process_packet - Packet Procedure, a la Section 3.4.4 of the - * specification. Or almost, at least. If we're in here we have a - * reasonable expectation that we will be having a long term + * process_packet - Packet Procedure, a la Section 3.4.4 of RFC-1305 + * Or almost, at least. If we're in here we have a reasonable + * expectation that we will be having a long term * relationship with this host. */ void @@ -2060,8 +2060,10 @@ process_packet( double etemp, ftemp, td; #endif /* ASSYM */ +#if 0 sys_processed++; peer->processed++; +#endif p_del = FPTOD(NTOHS_FP(pkt->rootdelay)); p_offset = 0; p_disp = FPTOD(NTOHS_FP(pkt->rootdisp)); 
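Review bot: The `#if 0` around `sys_processed++; peer->processed++;` at the top of process_packet() leaves dead code in a security fix, and the `#if 1` block in the following hunk (@@ -2074,6 +2076,39) wraps the live copy in a guard that is always true. Delete the disabled pair here and drop the `#if 1`/`#endif` there, keeping the two increments after the flash test under a comment such as `/* count only packets that passed the header tests */`. With this move the counters no longer include packets discarded by the TEST6/TEST7 check, so anything that reads them as "packets seen" will report lower numbers; that looks intended, but the comment should say so. process_packet() begins and ends outside this hunk.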
@@ -2074,6 +2076,39 @@ process_packet( pversion = PKT_VERSION(pkt->li_vn_mode); pstratum = PKT_TO_STRATUM(pkt->stratum); + /**/ + + /**/ + + /* + * Verify the server is synchronized; that is, the leap bits, + * stratum and root distance are valid. + */ + if ( pleap == LEAP_NOTINSYNC /* test 6 */ + || pstratum < sys_floor || pstratum >= sys_ceiling) + peer->flash |= TEST6; /* bad synch or strat */ + if (p_del / 2 + p_disp >= MAXDISPERSE) /* test 7 */ + peer->flash |= TEST7; /* bad header */ + + /* + * If any tests fail at this point, the packet is discarded. + * Note that some flashers may have already been set in the + * receive() routine. + */ + if (peer->flash & PKT_TEST_MASK) { + peer->seldisptoolarge++; + DPRINTF(1, ("packet: flash header %04x\n", + peer->flash)); + return; + } + + /**/ + +#if 1 + sys_processed++; + peer->processed++; +#endif + /* * Capture the header values in the client/peer association.. */ @@ -2108,27 +2143,7 @@ process_packet( } poll_update(peer, peer->hpoll); - /* - * Verify the server is synchronized; that is, the leap bits, - * stratum and root distance are valid. - */ - if ( pleap == LEAP_NOTINSYNC /* test 6 */ - || pstratum < sys_floor || pstratum >= sys_ceiling) - peer->flash |= TEST6; /* bad synch or strat */ - if (p_del / 2 + p_disp >= MAXDISPERSE) /* test 7 */ - peer->flash |= TEST7; /* bad header */ - - /* - * If any tests fail at this point, the packet is discarded. - * Note that some flashers may have already been set in the - * receive() routine. - */ - if (peer->flash & PKT_TEST_MASK) { - peer->seldisptoolarge++; - DPRINTF(1, ("packet: flash header %04x\n", - peer->flash)); - return; - } + /**/ /* * If the peer was previously unreachable, raise a trap. In any
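Review bot: The relocated header tests are fenced only by empty `/**/` placeholders, here and in the @@ -2108,27 +2143,7 hunk, so nothing records that their position ahead of the "Capture the header values" block is the actual fix. Replace the placeholders with one comment at the top of the moved block, for example `/* [Sec 3044] These tests must run before any peer state is updated from the packet header. */`, so a later refactor does not move the check back below the state capture. The discard path still increments `peer->seldisptoolarge` for every bit in `PKT_TEST_MASK` (TEST6, TEST7, and flashers set earlier in receive()) and otherwise emits only a level-1 `DPRINTF`. Because the return now precedes everything else in the function, that counter is the only trace of a rejected packet in non-debug builds, and its name suggests a narrower cause than it covers. The code between the two hunks is not visible here; whatever it does no longer runs for rejected packets, which presumably is the goal but should be confirmed against the full function.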