From: Juergen Perlinger
Date: Sat, 17 Oct 2015 21:19:57 +0000 (+0200)
Subject: [Bug 2945] Zero Origin Timestamp Bypass
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=589f185ac357bacf706c9d66ef1173da8ff6dbdb;p=thirdparty%2Fntp.git
[Bug 2945] Zero Origin Timestamp Bypass
bk: 5622bb7dRIhjq2EoFHGH3kfjeMY-Yw
---
diff --git a/ChangeLog b/ChangeLog
index b022ef6f6..e8ad1cc62 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,6 @@
 ---
+* [Bug 2945] Zero Origin Timestamp Bypass. perlinger@ntp.org
+---
 (4.2.8p4-RC1) 2015/10/06 Released by Harlan Stenn
 * [Bug 2332] (reopened) Exercise thread cancellation once before dropping
diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c
index 44f66ef6d..ad5d5925a 100644
--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
@@ -1256,9 +1256,17 @@ receive(
 * Check for bogus packet in basic mode. If found, switch to
 * interleaved mode and resynchronize, but only after confirming
 * the packet is not bogus in symmetric interleaved mode.
+ *
+ * Since a cleared 'aorg' is the indication for 'no response
+ * pending' we have to test this explicitely. Of course, should
+ * 'aorg' be all-zero because this was the original transmit
+ * time stamp, we will drop the reply. There's a sub-second slot
+ * every 136 years where this *might* happen, so we ignore this
+ * possible drop of a valid response.
 */
 } else if (peer->flip == 0) {
- if (!L_ISEQU(&p_org, &peer->aorg)) {
+ if (L_ISZERO(&peer->aorg) ||
+ !L_ISEQU(&p_org, &peer->aorg)) {
 peer->bogusorg++;
 peer->flash |= TEST2; /* bogus */
 if (!L_ISZERO(&peer->dst) && L_ISEQU(&p_org,
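Review bot: The new `L_ISZERO(&peer->aorg)` guard covers only the basic-mode arm (`peer->flip == 0`); the other arms of this `else if` chain in receive() start and end outside the hunk, so it should be confirmed that the interleaved arm also rejects a reply when the timestamp it compares against has been cleared, otherwise the same gap may remain in that mode. Replies rejected because no request was outstanding are counted in `peer->bogusorg` together with genuine origin mismatches, which makes the counter harder to use for spotting spoofed replies; a comment such as `/* also counts replies received while no request was outstanding */` next to `peer->bogusorg++` would record that. The added comment block spells `explicitely` where `explicitly` is meant, and no regression test for the zero-origin case is visible in this part of the commit.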