[ntp:security] [Bug 1331] DoS with mode 7 packets (CVE-2009-3563)

Dave Hart via the NTP Bugzilla bugzilla at ntp.org
Wed Oct 7 01:59:08 UTC 2009


Additional Comments From hart at ntp.org (Dave Hart)
Submitted on 2009-10-07 01:59

After studying how ntp_control.c handles similar issues with mode 6 packets, I 
have a slightly different fix prepared.  My patch leaves the original big if ( 
ec++, ... block intact, and changes its body in two ways.  First, for any of 
those initial sanity checks, a failure will not elicit a response.  This is the 
way mode 6 and mainline code deals with malformed packets.  Second, the msyslog 
is made conditional on NLOG_SYSEVENT and rate-limited to once per minute.  The 
rate limiting allows ntpd to log the fact of malformed or malicious packets in 
this path without risking flooding if, for example, a broadcast or multicast 
address ntpd is listening on is targeted.  In that situation, the fact that ntpd 
no longer responds may not be enough to stop the flood, as others sharing the 
address may be responding.

This is prepared as an ntp-stable delta pulled into ntp-dev in:


As it touches only ChangeLog and ntpd/ntp_request.c it would be trivial to make 
an equivalent freestanding ntp-dev-1331 if the decision is made to fix it in 
ntp-dev alone first.

Dave Hart <hart at ntp.org>
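The two behaviours the comment above describes, dropping a request silently when an initial sanity check fails and logging that fact at most once per minute, are shown below in a self-contained C example. This is an added illustration, not ntpd's code and not Dave Hart's patch. The header layout it checks (response bit in the top bit of the first byte, mode in the low three bits), the length bounds and the 60-second logging window are assumptions made for the example; `maybe_log_malformed`, `check_request`, `reset_log_state` and `suppressed_count` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <time.h>

/* Constructed example, not ntpd's code. Layout assumption: the first byte of a
 * mode 7 packet holds the response bit in bit 7 and the mode in its low 3 bits. */
#define RESP_BIT      0x80
#define MODE_MASK     0x07
#define MODE_PRIVATE  7
#define MIN_PKT_LEN   8      /* assumed minimum size for this example */
#define MAX_PKT_LEN   500    /* assumed upper bound for this example */
#define LOG_INTERVAL  60     /* one log line per minute, as the fix describes */

enum verdict { PKT_OK = 0, PKT_DROP_SILENT = 1 };

static time_t   last_log_time = 0;
static unsigned suppressed    = 0;

/* Reset limiter state (for re-initialisation and for tests). */
void reset_log_state(void) { last_log_time = 0; suppressed = 0; }

/* Number of malformed packets seen since the last emitted log line. */
unsigned suppressed_count(void) { return suppressed; }

/* Rate-limited logging: emit at most one line per LOG_INTERVAL seconds and
 * fold the packets seen in between into a single count. Returns 1 if a line
 * was emitted, 0 if it was suppressed. */
int maybe_log_malformed(time_t now, const char *src)
{
    if (last_log_time != 0 && now - last_log_time < LOG_INTERVAL) {
        suppressed++;
        return 0;
    }
    if (suppressed > 0)
        printf("...%u similar malformed packets suppressed\n", suppressed);
    printf("malformed mode 7 packet from %s\n", src);
    last_log_time = now;
    suppressed = 0;
    return 1;
}

/* Initial sanity checks on a request. Any failure yields PKT_DROP_SILENT:
 * the event is logged (subject to the limiter) and no reply is sent, so a
 * spoofed or broadcast source cannot turn the server into a reflector. */
int check_request(const uint8_t *buf, size_t len, time_t now, const char *src)
{
    int bad = 0;

    if (len < MIN_PKT_LEN || len > MAX_PKT_LEN)
        bad = 1;                               /* length out of range */
    else if ((buf[0] & MODE_MASK) != MODE_PRIVATE)
        bad = 1;                               /* not a mode 7 packet */
    else if (buf[0] & RESP_BIT)
        bad = 1;                               /* a "response" arriving as a request */

    if (bad) {
        maybe_log_malformed(now, src);
        return PKT_DROP_SILENT;
    }
    return PKT_OK;
}

int main(void)
{
    /* Constructed sample packets: 0x17 = VN 2, mode 7, R clear; 0x97 sets R. */
    uint8_t good[8] = { 0x17, 0, 0, 0, 0, 0, 0, 0 };
    uint8_t resp[8] = { 0x97, 0, 0, 0, 0, 0, 0, 0 };
    time_t t = 1000;
    int i;

    printf("good packet verdict: %d\n", check_request(good, sizeof good, t, "192.0.2.1"));
    /* A burst of 100 bad packets inside one minute produces a single log line. */
    for (i = 0; i < 100; i++)
        check_request(resp, sizeof resp, t + i % 30, "192.0.2.1");
    printf("suppressed so far: %u\n", suppressed_count());
    /* Next minute: the suppressed count is flushed along with the new line. */
    check_request(resp, sizeof resp, t + LOG_INTERVAL, "192.0.2.1");
    return 0;
}
```

The point of the split between `check_request` and `maybe_log_malformed` is that the decision not to answer is unconditional, while logging is only throttled: an operator still sees that a flood is hitting a broadcast or multicast address, but the log itself cannot be used to exhaust disk or syslog throughput.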
