[ntp:security] [Bug 1331] DoS with mode 7 packets (CVE-2009-3563)

Danny Mayer mayer at ntp.org
Fri Oct 9 01:21:26 UTC 2009

Harlan Stenn wrote:
> There have been, as I recall, cases in the past where ntpdc has been
> changed in a way that was not backward compatible.  When I asked about
> this the feedback I got was "ntpdc is version-specific so it's OK to do
> this".

That's exactly what I'm talking about.

> I'm speaking in general - I looked at Dave's patch and since the patch I
> saw didn't change anything in the code expec to not issue an error
> response in some cases I still have no idea what you are going on about
> Danny.

See above. There is nothing wrong with responding to a mode7 packet
containing a newer version and saying it's not a supported version. This
is not a security issue which is why it's not a problem and it's
perfectly safe to respond to the packet. We are trying to fix a DOS
attack problem, not a version mismatch problem.


This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the security mailing list