[ntp:security] [Bug 1331] DoS with mode 7 packets

Dave Hart via the NTP Bugzilla bugzilla at ntp.org
Mon Oct 5 15:16:26 UTC 2009


http://bugs.ntp.org/1331



----------------------------------------------------------------------------
Additional Comments From hart at ntp.org (Dave Hart)
Submitted on 2009-10-05 15:16

Danny, re comment #8, I'm confused.  In comment #3 you quote Dmitri correctly 
noting the crux of the issue is ntpd responding to mode 7 responses.  Yet your 
ntp-dev-1331 has this code:

  ec = 0;
  if (   (++ec, INFO_SEQ(inpkt->auth_seq) != 0)
      || (++ec, INFO_ERR(inpkt->err_nitems) != 0)
      || (++ec, INFO_MBZ(inpkt->mbz_itemsize) != 0)
      || (++ec, rbufp->recv_length < REQ_LEN_HDR)
          ) {
                  return;
  }

  if (   (++ec, ISRESPONSE(inpkt->rm_vn_mode))
      || (++ec, ISMORE(inpkt->rm_vn_mode))
      || (++ec, INFO_VERSION(inpkt->rm_vn_mode) > NTP_VERSION)
      || (++ec, INFO_VERSION(inpkt->rm_vn_mode) < NTP_OLDVERSION)
          ) {
          msyslog(LOG_ERR, "process_private: INFO_ERR_FMT: test %d failed, pkt 
from %s", ec, stoa(srcadr));
          req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
          return;
  }

This fixes ntpd responding to runt packets and those with nonzero auth_seq, 
err_nitems, and mbz_itemsize, but it leaves the crux of the issue in place, by 
still logging and replying to responses.  I'm not talking about the version 
checks in the second if, I'm talking about the ISRESPONSE() test.  Why should 
ntpd log and reply to a response?  I would reopen the bug, but I'm not 
interested in playing bugzilla ping-pong.

-- 
Dave Hart <hart at ntp.org>



------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.


More information about the security mailing list