From: Juergen Perlinger Date: Fri, 13 Oct 2017 07:18:19 +0000 (+0200) Subject: [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=485c8ba1a9245d168bdeaea09bf59bd9f30dedef;p=thirdparty%2Fntp.git [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain bk: 59e068bbrtYfNZ4HJDedf2CkNHpeCw --- diff --git a/ChangeLog b/ChangeLog index a1a1cfae4..6c1763050 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +--- +* [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain + - applied patch (with mods) by Miroslav Lichvar + --- (4.2.8p10-win-beta1) 2017/03/21 Released by Harlan Stenn (4.2.8p10) diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c index fe62ec566..20ef13a0c 100644 --- a/ntpd/ntp_io.c +++ b/ntpd/ntp_io.c @@ -3960,6 +3960,17 @@ findlocalinterface( DPRINTF(4, ("Finding interface for addr %s in list of addresses\n", stoa(addr))); + /* [Bug 3437] The dummy POOL peer comes in with an AF of + * zero. This is bound to fail, but on the way to nowhere it + * triggers a security incident on SELinux. + * + * Checking the condition and failing early is probably a good + * advice, and even saves us some syscalls in that case. + * Thanks to Miroslav Lichvar for finding this. + */ + if (AF_UNSPEC == AF(addr)) + return NULL; + s = socket(AF(addr), SOCK_DGRAM, 0); if (INVALID_SOCKET == s) return NULL;
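Review bot: The new ChangeLog entry for [Bug 3437] repeats the symptom from the bug title but does not say what was changed. "applied patch (with mods)" leaves a reader unable to tell that findlocalinterface() in ntpd/ntp_io.c now returns NULL early for an AF_UNSPEC address, or how the applied change differs from the submitted patch. Suggest adding one line that names the function and the new behaviour.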
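Review bot: In the ntpd/ntp_io.c hunk, the guard added ahead of socket(AF(addr), SOCK_DGRAM, 0) in findlocalinterface() rejects only AF_UNSPEC, so any other address family this function cannot use would still reach the socket() call, which is the step the comment says triggers the SELinux incident. If the function is only meant to handle the families ntpd actually opens sockets for, testing for those and returning NULL otherwise would close the whole class rather than the one value seen with the dummy POOL peer. The early return also comes after the DPRINTF "Finding interface for addr ..." and logs nothing itself, so at debug level 4 the trace shows a lookup starting and never shows why it ended; a short DPRINTF before the return NULL would make that visible. Minor: "probably a good advice" in the comment should read "probably good advice".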