From: Harlan Stenn
Date: Tue, 6 Oct 2015 08:02:23 +0000 (+0000)
Subject: Log incoming packets that fail TEST2. Harlan Stenn.
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3df59ba11df2a4978e29b7fd269b634deed60b97;p=thirdparty%2Fntp.git
Log incoming packets that fail TEST2. Harlan Stenn.
bk: 5613800fTrOavQElDsHywDtM6FR3zQ
---
diff --git a/ChangeLog b/ChangeLog
index 89bd387b2..93d35a7fd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,7 @@
 ---
 * [Sec 2899] CVE-2014-9297 perlinger@ntp.org
 * [Sec 2901] Drop invalid packet before checking KoD. Check for all KoD's.
- Danny Mayer.
+ Danny Mayer. Log incoming packets that fail TEST2. Harlan Stenn.
 * [Sec 2902] configuration directives "pidfile" and "driftfile" should be local-only. perlinger@ntp.org (patch by Miroslav Lichvar)
 * [Sec 2909] added missing call to 'free()' in ntp_crypto.c. perlinger@ntp.org
diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c
index 7f47f8dbe..3dc713764 100644
--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
@@ -1306,11 +1306,17 @@ receive(
 * Check for bogus packet in basic mode. If found, switch to
 * interleaved mode and resynchronize, but only after confirming
 * the packet is not bogus in symmetric interleaved mode.
+ *
+ * This could also mean somebody is forging packets claiming to
+ * be from us, attempting to cause our server to KoD us.
 */
 } else if (peer->flip == 0) {
 if (!L_ISEQU(&p_org, &peer->aorg)) {
 peer->bogusorg++;
 peer->flash |= TEST2; /* bogus */
+ msyslog(LOG_INFO,
+ "receive: Unexpected origin timestamp from %s",
+ ntoa(&peer->srcadr));
 if ( !L_ISZERO(&peer->dst)
 && L_ISEQU(&p_org, &peer->dst)) {
 peer->flip = 1;
@@ -3768,7 +3774,7 @@ pool_xmit(
 pool->hostname));
 else
 msyslog(LOG_ERR,
- "unable to start pool DNS %s %m",
+ "unable to start pool DNS %s: %m",
 pool->hostname);
 return;
 }
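Review bot: In the `receive()` hunk of ntpd/ntp_proto.c, the added `msyslog(LOG_INFO, "receive: Unexpected origin timestamp from %s", ...)` runs for every packet that sets TEST2, with no rate limit visible in the hunk. The new comment itself says forged packets can reach this path, so whoever sends them controls the log volume and can bury other events. Gating the call on the counter incremented two lines above, for example `if (peer->bogusorg == 1 || (peer->bogusorg % 64) == 0)` (interval illustrative), would keep the signal while bounding the noise. The call also sits before the `L_ISEQU(&p_org, &peer->dst)` test, so a packet that only triggers the switch to interleaved mode is reported as unexpected too; logging after that test, or saying so in the comment, would help whoever triages these lines. `receive()` begins and ends outside the hunk, so any throttling that already exists elsewhere in the function is not visible here.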