From: Juergen Perlinger
Date: Mon, 16 Dec 2019 07:30:00 +0000 (+0100)
Subject: [Sec 3592] DoS attack on client ntpd
X-Git-Tag: NTP_4_2_8P13~11^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cff95e9e9ca749ad04da137f763c1a982c9d70a3;p=thirdparty%2Fntp.git
[Sec 3592] DoS attack on client ntpd
bk: 5df73278nIf5dNbaR_vTeCY43_h7Vg
---
diff --git a/ChangeLog b/ChangeLog
index 56a2d6023..8a033319b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,8 @@
 * [Sec 3610] process_control() should bail earlier on short packets. stenn@
 - Reported by Philippe Antoine
+* [Sec 3592] DoS attack on client ntpd
+ - Reported by Miroslav Lichvar
 * [Bug 3620] memory leak in ntpq sysinfo
 - applied patch by Gerry Garvey
 * [Bug 3619] Honour drefid setting in cooked mode and sysinfo
diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c
index c4272b8ca..dd00bf2cd 100644
--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
@@ -2958,7 +2958,7 @@ poll_update(
 u_char mpoll
 )
 {
- u_long next, utemp;
+ u_long next, utemp, limit;
 u_char hpoll;
 /*
@@ -3002,6 +3002,15 @@ poll_update(
 */
 utemp = current_time + max(peer->throttle - (NTP_SHIFT - 1) * (1 << peer->minpoll), ntp_minpkt);
+
+ /*[Bug 3592] avoid unlimited postpone of next poll */
+ limit = (2u << hpoll);
+ if (limit > 64)
+ limit -= (limit >> 2);
+ limit += peer->outdate;
+ if (limit < current_time)
+ limit = current_time;
+
 if (peer->burst > 0) {
 if (peer->nextdate > current_time)
 return;
@@ -3054,6 +3063,13 @@ poll_update(
 if (peer->throttle > (1 << peer->minpoll))
 peer->nextdate += ntp_minpkt;
 }
+
+ /*[Bug 3592] avoid unlimited postpone of next poll */
+ if (peer->nextdate > limit) {
+ DPRINTF(1, ("poll_update: clamp reached; limit %lu next %lu\n",
+ limit, peer->nextdate));
+ peer->nextdate = limit;
+ }
 DPRINTF(2, ("poll_update: at %lu %s poll %d burst %d retry %d head %d early %lu next %lu\n", current_time, ntoa(&peer->srcadr), peer->hpoll, peer->burst, peer->retry, peer->throttle,
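Review bot: The comment above the new `limit` computation in the `@@ -3002,6 +3002,15 @@` hunk does not say what bound is enforced, and the constants `64` and `>> 2` are unexplained. I would replace it with `/* [Bug 3592] latest allowed nextdate: last transmit (outdate) plus 2 poll intervals, or 1.5 once that window exceeds 64 s; never earlier than now */`. The expression `2u << hpoll` is evaluated as unsigned int, so it is only well defined if `hpoll` was range-limited earlier in poll_update(); that code is outside this hunk, so a short comment stating the assumption would help the next reader. poll_update() starts and ends outside the hunk.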
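Review bot: The clamp added in the `@@ -3054,6 +3063,13 @@` hunk runs after the `peer->nextdate += ntp_minpkt` throttle adjustment just above it, so whenever `limit` was floored to `current_time` in the previous hunk it sets `nextdate` back to now and discards that spacing. I cannot tell from the visible lines whether a stale `outdate` can coincide with a high `throttle`. If it can, flooring the limit at the rate-control minimum instead, something like `if (limit < utemp) limit = utemp;`, would keep both protections. The only trace that the clamp fired is `DPRINTF(1, ...)`, which is presumably absent from non-debug builds, so a per-peer counter or a rate-limited log entry would let operators see when poll deferral is being bounded. The enclosing function continues past the end of the hunk.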