From: Harlan Stenn Date: Fri, 23 Jan 2015 10:29:31 +0000 (+0000) Subject: [Sec 2672] Code cleanup: On some OSes ::1 can be spoofed... X-Git-Tag: NTP_4_2_8P1_RC1~5^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e278dc14794a4f4547552e0e0f7a7c8baaf34746;p=thirdparty%2Fntp.git [Sec 2672] Code cleanup: On some OSes ::1 can be spoofed... bk: 54c2228bpOp4_zrX9aGXdMEZJEGzkg --- diff --git a/ChangeLog b/ChangeLog index a11544298..32b7b34ae 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ --- * [Bug 2617] Fix sntp Usage documentation section. +* [Sec 2672] Code cleanup: On some OSes ::1 can be spoofed... --- (4.2.8p1-beta5) 2015/01/07 Released by Harlan Stenn diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c index f01088d4d..1ee7098ae 100644 --- a/ntpd/ntp_io.c +++ b/ntpd/ntp_io.c @@ -3482,26 +3482,24 @@ read_network_packet( ** Bug 2672: Some OSes (MacOSX and Linux) don't block spoofed ::1 */ - // temporary hack... if (AF_INET6 == itf->family) { - DPRINTF(1, ("Got an IPv6 packet, from <%s> (%d) to <%s> (%d)\n", + DPRINTF(2, ("Got an IPv6 packet, from <%s> (%d) to <%s> (%d)\n", stoa(&rb->recv_srcadr), IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr)), stoa(&itf->sin), !IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin)) )); - } - if ( AF_INET6 == itf->family - && IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr)) - && !IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin)) - ) { - packets_dropped++; - DPRINTF(1, ("DROPPING that packet\n")); - freerecvbuf(rb); - return buflen; + if ( IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr)) + && !IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin)) + ) { + packets_dropped++; + DPRINTF(2, ("DROPPING that packet\n")); + freerecvbuf(rb); + return buflen; + } + DPRINTF(2, ("processing that packet\n")); } - DPRINTF(1, ("processing that packet\n")); /* * Got one. Mark how and when it got here,