From: Juergen Perlinger
Date: Thu, 20 Oct 2016 07:21:04 +0000 (+0200)
Subject: [Sec 3113] Broadcast Mode Poll Interval Enforcement DoS
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c6a04b16bc5e422d57ad478d9f06fb07e6f7241b;p=thirdparty%2Fntp.git
[Sec 3113] Broadcast Mode Poll Interval Enforcement DoS
bk: 58087060DCRnphupdSD9lErtsIGR4w
---
diff --git a/ChangeLog b/ChangeLog
index 0805467dc..c2b14f299 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+---
+* [Sec 3113] Broadcast Mode Poll Interval Enforcement DoS
+ - applied fix as suggested by Matthew Van Gundy
+
 ---
 (4.2.8p8) 2016/06/02 Released by Harlan Stenn
diff --git a/include/ntp.h b/include/ntp.h
index 84c30d9fe..c5a46ef07 100644
--- a/include/ntp.h
+++ b/include/ntp.h
@@ -391,7 +391,7 @@ struct peer {
 * Statistic counters
 */
 u_long timereset; /* time stat counters were reset */
- u_long timelastrec; /* last packet received time */
+ u_long timelastrec; /* last packet received time, incl. trash */
 u_long timereceived; /* last (clean) packet received time */
 u_long timereachable; /* last reachable/unreachable time */
diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c
index 513b99f68..2dcbb43d7 100644
--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
@@ -1450,14 +1450,23 @@ receive(
 ++bail;
 }
- /* too early? worth an error, too! */
+ /* too early? worth an error, too!
+ *
+ * [Bug 3113] Ensure that at least one poll
+ * interval has elapsed since the last **clean**
+ * packet was received. We limit the check to
+ * **clean** packets to prevent replayed packets
+ * and incorrectly authenticated packets, which
+ * we'll discard, from being used to create a
+ * denial of service condition.
+ */
 deadband = (1u << pkt->ppoll);
 if (FLAG_BC_VOL & peer->flags)
 deadband -= 3; /* allow greater fuzz after volley */
- if ((current_time - peer->timelastrec) < deadband) {
+ if ((current_time - peer->timereceived) < deadband) {
 msyslog(LOG_INFO, "receive: broadcast packet from %s arrived after %lu, not %lu seconds!",
 stoa(&rbufp->recv_srcadr),
- (current_time - peer->timelastrec),
+ (current_time - peer->timereceived),
 deadband);
 ++bail;
 }
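Review bot: `deadband = (1u << pkt->ppoll)` still takes its shift count straight from the received packet, and nothing visible in this hunk bounds it. A `ppoll` of 32 or more makes the shift undefined, and a `ppoll` of 0 or 1 on a `FLAG_BC_VOL` association makes `deadband -= 3` wrap, assuming `deadband` is unsigned as the `%lu` format suggests. Since the [Sec 3113] fix relies on this comparison, an out-of-range `ppoll` should be rejected or clamped before the shift and the subtraction guarded, e.g. `if ((FLAG_BC_VOL & peer->flags) && deadband > 3) deadband -= 3;`. If an earlier part of receive() already validates `ppoll`, a short comment next to the shift saying so would be enough. The enclosing block of receive() begins and ends outside this hunk.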