From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Mon, 15 Apr 2019 10:48:41 +0000 (+0200)
Subject: ntp: don't send response longer than request
X-Git-Tag: 4.0-pre1~55
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b8ee6d6e56395d795ee5366f1c3366b53d619efb;p=thirdparty%2Fchrony.git

ntp: don't send response longer than request

When sending a response in the server or passive mode, make sure the
response is not longer than the request to prevent amplification
attacks when resposes may contain extension fields (e.g. NTS).
---

diff --git a/ntp_core.c b/ntp_core.c
index bc24b181..21764f10 100644
--- a/ntp_core.c
+++ b/ntp_core.c
@@ -1120,6 +1120,12 @@ transmit_packet(NTP_Mode my_mode, /* The mode this machine wants to be */
            UTI_IsEqualAnyNtp64(&message.transmit_ts, &message.receive_ts,
                                &message.originate_ts, local_ntp_tx));
 
+  if (request_info && request_info->length < info.length) {
+    DEBUG_LOG("Response longer than request req_len=%d res_len=%d",
+              request_info->length, info.length);
+    return 0;
+  }
+
   ret = NIO_SendPacket(&message, where_to, from, info.length, local_tx != NULL);
 
   if (local_tx) {