[ntp:security] [Bug 1331] DoS with mode 7 packets (CVE-2009-3563)

Dave Hart via the NTP Bugzilla bugzilla at ntp.org
Wed Oct 7 03:26:58 UTC 2009


http://bugs.ntp.org/1331



----------------------------------------------------------------------------
Additional Comments From hart at ntp.org (Dave Hart)
Submitted on 2009-10-07 03:26

Danny, I agree it is important to keep the patch simple and focused.  If you
compare my proposed patch with yours, I think you'll see mine is simpler.  It
does not split the early sanity checks into two parts, and it does not rearrange
the order of the tests, and thereby the meaning of the logged test numbers.

What it does do is keep to the ntpd practice in mode 6 and mainline processing 
of dropping malformed packets without a peep in responses, and add rate-limiting 
code to ensure the msyslog triggered by the big if statement happens no more 
than once per minute.

I stand by my proposed patch as a simpler, more focused fix and one that brings 
mode 7 handling in line with other packet input code paths in ntpd.

Please compare for yourself by browsing:

psp-deb1:~hart/ntp-dev-1331.pupatch.txt
and
psp-deb1:~hart/ntp-dev-1331-mayer.pupatch.txt

-- 
Dave Hart <hart at ntp.org>
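The two behaviours Dave describes for mode 7 input, dropping a packet that fails the early sanity checks without sending any response, and limiting the resulting msyslog() complaint to once per minute, are shown below in a stand-alone C illustration. This is an added example written for this page, not code from either proposed patch or from ntpd; the packet layout (only the first byte, with its response bit and 3-bit mode field, is modelled), the length bounds, the verdict enum and every function name are assumptions made for the example, and printf() stands in for msyslog().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Constructed, simplified mode 7 (private) request: byte 0 packs
 * response bit | more bit | version(3) | mode(3), as in the first byte of
 * ntpd's request header. No other header field is modelled here, and the
 * length bounds below are assumed values, not ntpd's. */
#define RESP_BIT      0x80
#define MODE_MASK     0x07
#define MODE_PRIVATE  7
#define REQ_MIN_LEN   8      /* assumed minimum request length */
#define REQ_MAX_LEN   512    /* assumed maximum request length */

enum verdict { PKT_OK = 0, PKT_TOO_SHORT, PKT_TOO_LONG, PKT_NOT_MODE7,
               PKT_IS_RESPONSE };

/* Early sanity checks. Malformed input gets a verdict and nothing else:
 * the caller never builds an error reply for it. */
enum verdict check_mode7(const uint8_t *pkt, size_t len)
{
    if (len < REQ_MIN_LEN)
        return PKT_TOO_SHORT;
    if (len > REQ_MAX_LEN)
        return PKT_TOO_LONG;
    if ((pkt[0] & MODE_MASK) != MODE_PRIVATE)
        return PKT_NOT_MODE7;
    if (pkt[0] & RESP_BIT)          /* a response, not a request: ignore */
        return PKT_IS_RESPONSE;
    return PKT_OK;
}

/* Rate limiter: at most one complaint per LOG_INTERVAL seconds, carrying a
 * count of how many drops went unlogged since the previous complaint. */
#define LOG_INTERVAL 60

static time_t   last_complaint;   /* 0 == never logged */
static unsigned suppressed;       /* drops since last_complaint not logged */
static unsigned lines_logged;     /* stand-in for counting msyslog() calls */

void reset_limiter(void)
{
    last_complaint = 0;
    suppressed = 0;
    lines_logged = 0;
}

unsigned log_lines_emitted(void)   { return lines_logged; }
unsigned log_lines_suppressed(void) { return suppressed; }

/* Returns 1 if a line was emitted, 0 if it was suppressed. */
int complain_rate_limited(time_t now, enum verdict why)
{
    if (last_complaint != 0 && now - last_complaint < LOG_INTERVAL) {
        suppressed++;
        return 0;
    }
    /* In ntpd this would be msyslog(); printf() stands in for it here. */
    printf("dropped malformed mode 7 packet (reason %d, %u more suppressed)\n",
           (int)why, suppressed);
    last_complaint = now;
    suppressed = 0;
    lines_logged++;
    return 1;
}

/* Hypothetical entry point: returns 1 when the request passes the checks
 * and would go on to be answered, 0 when it is dropped. A dropped packet
 * is logged (subject to the limiter) and never produces a response. */
int handle_mode7(const uint8_t *pkt, size_t len, time_t now)
{
    enum verdict v = check_mode7(pkt, len);
    if (v != PKT_OK) {
        complain_rate_limited(now, v);
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs. */
    uint8_t good[REQ_MIN_LEN] = { 0x17 };        /* v2, mode 7, request */
    uint8_t resp[REQ_MIN_LEN] = { 0x97 };        /* response bit set */
    uint8_t runt[2]           = { 0x17, 0x00 };  /* too short */

    reset_limiter();
    handle_mode7(runt, sizeof runt, 1000);   /* logged */
    handle_mode7(runt, sizeof runt, 1001);   /* suppressed */
    handle_mode7(resp, sizeof resp, 1059);   /* suppressed */
    handle_mode7(runt, sizeof runt, 1060);   /* logged again, 2 suppressed */
    handle_mode7(good, sizeof good, 1061);   /* accepted, nothing logged */
    printf("%u log lines emitted\n", log_lines_emitted());
    return 0;
}
```

The point of keeping the limiter state global rather than per-source is that an attacker can spoof source addresses at will, so only a global cap bounds the log volume; the suppressed count preserves the fact that a flood is happening without letting the flood itself fill the disk.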
