From: Miroslav Lichvar Date: Wed, 13 Jan 2010 16:40:20 +0000 (+0100) Subject: Don't reply to invalid chronyc packets X-Git-Tag: 1.24~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5e86eeacfb279ec3f7897f77be08d6679751cd61;p=thirdparty%2Fchrony.git Don't reply to invalid chronyc packets
---
diff --git a/cmdmon.c b/cmdmon.c
index 397f6a3a..408d96dc 100644
--- a/cmdmon.c
+++ b/cmdmon.c
@@ -1734,6 +1734,7 @@ read_from_cmd_socket(void *anything)
 int valid_ts;
 int authenticated;
 int localhost;
+ int allowed;
 unsigned short rx_command;
 unsigned long rx_message_token;
 unsigned long tx_message_token;
@@ -1804,26 +1805,7 @@ read_from_cmd_socket(void *anything)
 assert(0);
 }
- if ((!ADF_IsAllowed(access_auth_table, &remote_ip)) &&
- (!localhost)) {
- /* The client is not allowed access, so don't waste any more time
- on him. Note that localhost is always allowed access
- regardless of the defined access rules - otherwise, we could
- shut ourselves out completely! */
- /* We ought to find another way to log this, there is an attack
- here against the host because an adversary can just keep
- hitting us with bad packets until our log file(s) fill up. */
- LOG(LOGS_WARN, LOGF_CmdMon, "Command packet received from unauthorised host %s port %d",
- UTI_IPToString(&remote_ip),
- remote_port);
- tx_message.status = htons(STT_NOHOSTACCESS);
- transmit_reply(&tx_message, &where_from);
- return;
- }
+ allowed = ADF_IsAllowed(access_auth_table, &remote_ip) || localhost;
 if (read_length < offsetof(CMD_Request, data) ||
 rx_message.pkt_type != PKT_TYPE_CMD_REQUEST ||
@@ -1831,7 +1813,8 @@ read_from_cmd_socket(void *anything)
 rx_message.res2 != 0) {
 /* We don't know how to process anything like this */
- CLG_LogCommandAccess(&remote_ip, CLG_CMD_BAD_PKT, cooked_now.tv_sec);
+ if (allowed)
+ CLG_LogCommandAccess(&remote_ip, CLG_CMD_BAD_PKT, cooked_now.tv_sec);
 return;
 }
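Review bot: The access decision computed at `allowed = ADF_IsAllowed(access_auth_table, &remote_ip) || localhost;` in the -1804 hunk is not acted on until some thirty lines later, after the packet-validity, version and length checks, and nothing at the assignment says why the check was moved. A one-line comment there would stop the next reader from assuming the access check was dropped, e.g. `/* Decide host access here but enforce it only after the packet is validated: unauthorised hosts get no reply and no client-log entry for malformed packets */`. The matching declaration in the -1734 hunk, `int allowed;`, is left uninitialised and now relies on this assignment being the first use; `int allowed = 0;` would make a later reordering fail safe (access denied) rather than read an indeterminate value.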
@@ -1839,7 +1822,8 @@ read_from_cmd_socket(void *anything)
 if (rx_message.version != PROTO_VERSION_NUMBER) {
 tx_message.status = htons(STT_NOHOSTACCESS);
 LOG(LOGS_WARN, LOGF_CmdMon, "Read packet with protocol version %d (expected %d) from %s:%hu", rx_message.version, PROTO_VERSION_NUMBER, UTI_IPToString(&remote_ip), remote_port);
- CLG_LogCommandAccess(&remote_ip, CLG_CMD_BAD_PKT, cooked_now.tv_sec);
+ if (allowed)
+ CLG_LogCommandAccess(&remote_ip, CLG_CMD_BAD_PKT, cooked_now.tv_sec);
 if (rx_message.version >= PROTO_VERSION_MISMATCH_COMPAT) {
 tx_message.status = htons(STT_BADPKTVERSION);
@@ -1850,13 +1834,34 @@ read_from_cmd_socket(void *anything)
 if (read_length != expected_length) {
 LOG(LOGS_WARN, LOGF_CmdMon, "Read incorrectly sized packet from %s:%hu", UTI_IPToString(&remote_ip), remote_port);
- CLG_LogCommandAccess(&remote_ip, CLG_CMD_BAD_PKT, cooked_now.tv_sec);
+ if (allowed)
+ CLG_LogCommandAccess(&remote_ip, CLG_CMD_BAD_PKT, cooked_now.tv_sec);
 tx_message.status = htons(STT_BADPKTLENGTH);
 transmit_reply(&tx_message, &where_from);
 return;
 }
+ if (!allowed) {
+ /* The client is not allowed access, so don't waste any more time
+ on him. Note that localhost is always allowed access
+ regardless of the defined access rules - otherwise, we could
+ shut ourselves out completely! */
+
+ /* We ought to find another way to log this, there is an attack
+ here against the host because an adversary can just keep
+ hitting us with bad packets until our log file(s) fill up. */
+
+ LOG(LOGS_WARN, LOGF_CmdMon, "Command packet received from unauthorised host %s port %d",
+ UTI_IPToString(&remote_ip),
+ remote_port);
+
+ tx_message.status = htons(STT_NOHOSTACCESS);
+ transmit_reply(&tx_message, &where_from);
+
+ return;
+ }
+
 rx_command = ntohs(rx_message.command);
 /* OK, we have a valid message. Now dispatch on message type and process it. */
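Review bot: The `read_length != expected_length` branch in the -1850 hunk still calls `transmit_reply(&tx_message, &where_from)` before the new `if (!allowed)` test that follows it, so a host outside the access list still receives an STT_BADPKTLENGTH reply for a wrong-length packet, which works against the commit's stated goal of not replying to invalid packets; the version-mismatch branch in the -1839 hunk looks the same, although whatever reply it sends is outside the hunk. Gating the reply on the access decision the same way the client-log entry now is, `if (allowed) transmit_reply(&tx_message, &where_from);` with the `return;` kept unconditional, would close that gap. The `LOG(LOGS_WARN, ...)` calls in both branches also remain unconditional, so the only record this commit suppresses for unauthorised hosts is the CLG entry, while the comment moved into the `!allowed` block itself notes the log-filling concern; gating those two LOG calls on `allowed` as well would be consistent with that comment.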
@@ -1989,7 +1994,7 @@ read_from_cmd_socket(void *anything)
 tx_message.status = htons(STT_INVALID);
 tx_message.reply = htons(RPY_NULL);
 } else {
- int allowed = 0;
+ allowed = 0;
 /* Check level of authority required to issue the command */
 switch(permissions[rx_command]) {
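Review bot: With the block-local `int allowed = 0;` replaced by `allowed = 0;`, the function-scope `allowed` that was set from the access list earlier is overwritten here to carry a different meaning, whether `permissions[rx_command]` permits the command, and nothing at the assignment marks that switch in meaning. The reuse is only safe because the `!allowed` host-access path has already returned by this point, which a reader of this hunk cannot see. A short comment such as `/* From here on 'allowed' means the command is permitted at the client's authority level; host access was already enforced above */` would keep the two meanings apart. The enclosing `else` block and the switch continue outside the hunk.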