From 62694dd92bf4db00f52b6db978c806c70ae032b6 Mon Sep 17 00:00:00 2001
From: Juergen Perlinger
Date: Thu, 20 Oct 2016 09:21:04 +0200
Subject: [PATCH] [Sec 3113] Broadcast Mode Poll Interval Enforcement DoS
bk: 58087060DCRnphupdSD9lErtsIGR4w
---
 ChangeLog | 4 ++++
 include/ntp.h | 2 +-
 ntpd/ntp_proto.c | 15 ++++++++++++---
 3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 0805467dc6..c2b14f299f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+---
+* [Sec 3113] Broadcast Mode Poll Interval Enforcement DoS
+ - applied fix as suggested by Matthew Van Gundy
+
 ---
 (4.2.8p8) 2016/06/02 Released by Harlan Stenn
diff --git a/include/ntp.h b/include/ntp.h
index 84c30d9fee..c5a46ef07e 100644
--- a/include/ntp.h
+++ b/include/ntp.h
@@ -391,7 +391,7 @@ struct peer {
 * Statistic counters
 */
 u_long timereset; /* time stat counters were reset */
- u_long timelastrec; /* last packet received time */
+ u_long timelastrec; /* last packet received time, incl. trash */
 u_long timereceived; /* last (clean) packet received time */
 u_long timereachable; /* last reachable/unreachable time */
diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c
index 513b99f683..2dcbb43d7b 100644
--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
@@ -1450,14 +1450,23 @@ receive(
 ++bail;
 }
- /* too early? worth an error, too! */
+ /* too early? worth an error, too!
+ *
+ * [Bug 3113] Ensure that at least one poll
+ * interval has elapsed since the last **clean**
+ * packet was received. We limit the check to
+ * **clean** packets to prevent replayed packets
+ * and incorrectly authenticated packets, which
+ * we'll discard, from being used to create a
+ * denial of service condition.
+ */
 deadband = (1u << pkt->ppoll);
 if (FLAG_BC_VOL & peer->flags)
 deadband -= 3; /* allow greater fuzz after volley */
- if ((current_time - peer->timelastrec) < deadband) {
+ if ((current_time - peer->timereceived) < deadband) {
 msyslog(LOG_INFO, "receive: broadcast packet from %s arrived after %lu, not %lu seconds!",
 stoa(&rbufp->recv_srcadr),
- (current_time - peer->timelastrec),
+ (current_time - peer->timereceived),
 deadband);
 ++bail;
 }
--
2.47.3
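Review bot: The deadband that the corrected comparison relies on is still computed from an unchecked packet field. `deadband = (1u << pkt->ppoll);` is undefined once the poll exponent reaches the width of unsigned int, and `deadband -= 3;` would wrap for an exponent of 0 or 1 if deadband is unsigned (its declaration is outside the hunk), so the "too early" test would then compare against a meaningless value. No range check on pkt->ppoll is visible here, so unless receive() validates it earlier, I would bound it before the shift, for example `if (pkt->ppoll < NTP_MINPOLL || pkt->ppoll > NTP_MAXPOLL) ++bail;`, and compute the deadband only in the else branch. The msyslog call also prints deadband with `%lu`, which is only correct if it is declared u_long, as timereceived is in include/ntp.h. receive() begins and ends outside this hunk, so both points need confirming against the full function.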