From: Juergen Perlinger
Date: Sun, 12 Feb 2017 08:49:29 +0000 (+0100)
Subject: [Sec 3389] NTP-01-016: Denial of Service via Malformed Config
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4290590802103f0d2221045f88187f087302cea3;p=thirdparty%2Fntp.git

[Sec 3389] NTP-01-016: Denial of Service via Malformed Config

bk: 58a02199vI1qv8JAaprTc-gvvJ05Fg
---
diff --git a/ChangeLog b/ChangeLog
index 595a3d776..3babd383c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+---
+* [Sec 3389] NTP-01-016: Denial of Service via Malformed Config
+ (Pentest report 01.2017)
+
 ---
 (4.2.8p9-win) 2017/02/01 Released by Harlan Stenn
diff --git a/ntpd/ntp_config.c b/ntpd/ntp_config.c
index c36a21896..e6dd3716e 100644
--- a/ntpd/ntp_config.c
+++ b/ntpd/ntp_config.c
@@ -361,6 +361,9 @@ static char * normal_dtoa(double);
 static u_int32 get_pfxmatch(const char **, struct masks *);
 static u_int32 get_match(const char *, struct masks *);
 static u_int32 get_logmask(const char *);
+static int/*BOOL*/ is_refclk_addr(const address_node * addr);
+
+
 #ifndef SIM
 static int getnetnum(const char *num, sockaddr_u *addr, int complain, enum gnn_type a_type);
@@ -1266,7 +1269,10 @@ create_peer_node(
 break;
 case T_Ttl:
- if (option->value.u >= MAX_TTL) {
+ if (is_refclk_addr(addr)) {
+ msyslog(LOG_ERR, "'ttl' does not apply for refclocks");
+ errflag = 1;
+ } else if (option->value.u >= MAX_TTL) {
 msyslog(LOG_ERR, "ttl: invalid argument");
 errflag = 1;
 } else {
@@ -1275,7 +1281,12 @@ create_peer_node(
 break;
 case T_Mode:
- my_node->ttl = option->value.u;
+ if (is_refclk_addr(addr)) {
+ my_node->ttl = option->value.u;
+ } else {
+ msyslog(LOG_ERR, "'mode' does not apply for network peers");
+ errflag = 1;
+ }
 break;
 case T_Key:
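Review bot: `my_node->ttl = option->value.u;` in the `case T_Mode:` branch (hunk -1275) stores a refclock mode number into the field named `ttl` without any range check, whereas the `case T_Ttl:` branch (hunk -1266) bounds the same field by `MAX_TTL` for network peers; the only thing keeping that overloaded value from indexing past `sys_ttl[]` is the clamp this commit adds in ntp_proto.c, so the dual use deserves a comment at the assignment, e.g. `/* refclocks reuse the ttl slot for the driver mode; ntp_proto clamps it before indexing sys_ttl[] */`. The split also hinges on is_refclk_addr() recognising the textual address, so a refclock address written in a form it does not match would have its `mode` rejected with the network-peer error — worth stating in the same comment. create_peer_node begins and ends outside both hunks.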
@@ -4636,6 +4647,16 @@ save_and_apply_config_tree(int/*BOOL*/ input_from_file)
 #endif
 }
+/* Hack to disambiguate 'server' statements for refclocks and network peers.
+ * Please note the qualification 'hack'. It's just that.
+ */
+static int/*BOOL*/
+is_refclk_addr(
+ const address_node * addr
+ )
+{
+ return addr && addr->address && !strncmp(addr->address, "127.127.", 6);
+}
 static void
 ntpd_set_tod_using(
diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c
index 41744aa39..0432c497c 100644
--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
@@ -3719,8 +3719,9 @@ peer_xmit(
 }
 }
 peer->t21_bytes = sendlen;
- sendpkt(&peer->srcadr, peer->dstadr, sys_ttl[peer->ttl],
- &xpkt, sendlen);
+ sendpkt(&peer->srcadr, peer->dstadr,
+ sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl],
+ &xpkt, sendlen);
 peer->sent++;
 peer->throttle += (1 << peer->minpoll) - 2;
@@ -4030,8 +4031,9 @@ peer_xmit(
 exit (-1);
 }
 peer->t21_bytes = sendlen;
- sendpkt(&peer->srcadr, peer->dstadr, sys_ttl[peer->ttl], &xpkt,
- sendlen);
+ sendpkt(&peer->srcadr, peer->dstadr,
+ sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl],
+ &xpkt, sendlen);
 peer->sent++;
 peer->throttle += (1 << peer->minpoll) - 2;
@@ -4352,8 +4354,9 @@ pool_xmit(
 get_systime(&xmt_tx);
 pool->aorg = xmt_tx;
 HTONL_FP(&xmt_tx, &xpkt.xmt);
- sendpkt(rmtadr, lcladr, sys_ttl[pool->ttl], &xpkt,
- LEN_PKT_NOMAC);
+ sendpkt(rmtadr, lcladr,
+ sys_ttl[(pool->ttl >= sys_ttlmax) ? sys_ttlmax : pool->ttl],
+ &xpkt, LEN_PKT_NOMAC);
 pool->sent++;
 pool->throttle += (1 << pool->minpoll) - 2;
 DPRINTF(1, ("pool_xmit: at %ld %s->%s pool\n",
@@ -4722,10 +4725,9 @@ init_proto(void)
 sys_stattime = current_time;
 orphwait = current_time + sys_orphwait;
 proto_clr_stats();
- for (i = 0; i < MAX_TTL; i++) {
+ for (i = 0; i < MAX_TTL; ++i)
 sys_ttl[i] = (u_char)((i * 256) / MAX_TTL);
- sys_ttlmax = i;
- }
+ sys_ttlmax = (MAX_TTL - 1);
 hardpps_enable = 0;
 stats_control = 1;
 }
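Review bot: The prefix test in is_refclk_addr compares only 6 characters of the 8-character literal `"127.127."`, so it also accepts anything beginning with `127.12` — an address such as `127.120.1.1` would be classified as a refclock, allowed a `mode` option and refused a `ttl` one. The length should cover the whole literal: `return addr && addr->address && !strncmp(addr->address, "127.127.", 8);`, or better `sizeof "127.127." - 1` so the two cannot drift apart if the prefix is ever edited. The function is complete within the hunk.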
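Review bot: The clamp `sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl]` is spelled out three times — here, in the second peer_xmit hunk (-4030) and in pool_xmit (-4352) — so the bound lives in three places that all have to stay in step with `sys_ttlmax = (MAX_TTL - 1);` in init_proto. A one-line static helper in ntp_proto.c, used as `sys_ttl[ttl_index(peer->ttl)]` at all three call sites, would keep the comparison in one place and give it a name that records why it exists (the same field carries a refclock mode number, which the configuration layer does not bound). peer_xmit begins and ends outside the hunk.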