[ntp:security] [Bug 1331] DoS with mode 7 packets (CVE-2009-3563)

Danny Mayer mayer at ntp.org
Wed Oct 7 03:47:46 UTC 2009


Dave Hart via the NTP Bugzilla wrote:
> Danny, I agree it is important to keep the patch simple and focused.  If you 
> compare my proposed patch with yours I think you'll see mine is simpler.  It 
> does not split the early sanity checks into two parts, it does not rearrange the 
> order of the tests, and thereby the meaning of the logged test numbers.
> 
Your changes are very different and do not differentiate between attack
and error.

The break is intentional and not accidental and is definitely simpler.
You are adding additional complexity that is unnecessary using
constructs that may not exist in earlier code. In fact they certainly
don't in xntp 3 and I need to keep that in mind when issuing the fix. I
really don't care that the test numbers changed since you should be
looking at the code anyway in order to figure out what broke if you are
logging this.

> What it does do is keep to the ntpd practice in mode 6 and mainline processing 
> of dropping malformed packets without a peep in responses, and add rate-limiting 
> code to ensure the msyslog triggered by the big if statement happens no more 
> than once per minute.
> 
> I stand by my proposed patch as a simpler, more focused fix and one that brings 
> mode 7 handling in line with other packet input code paths in ntpd.
> 

We can align code later but now is not the time.

No you are adding unnecessary complexity and I did look at your code.
Adding a bunch of additional code for logging purposes only is not
simpler. It begs the question of what is going to get logged and you
have not mapped out all the scenarios involved. The only other thing you
did was to drop ALL packets that fail the tests.

You are overcomplicating the matter which involves a simple issue which
I have fixed. Can we drop this please?

Danny


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



More information about the security mailing list