[ntp:security] [Bug 1331] DoS with mode 7 packets (CVE-2009-3563)

Danny Mayer mayer at ntp.org
Fri Oct 9 01:24:32 UTC 2009

Dave Hart wrote:
> On Fri, Oct 9, 2009 at 12:22 AM, Danny Mayer <mayer at ntp.org> wrote:
>> No it isn't misplaced. current_time is not well controlled, can be
>> overwritten and other havoc can happen. After 30 years it's easy to spot
>> potential trouble errors and anything that might affect the fix needs to
>> be avoided at all costs until after the fix has gone out and the change
>> examined from all sides. It should not be depended upon for a critical
>> fix.
> You sure are full of hot air on this point.  current_time is modified
> in exactly one place, timer().  Both timer() and process_private() run
> on ntpd's main thread, and there is simply no way for current_time to
> be modified while process_private() is running.  This may be a
> potential trouble error but it's not an error and it's not trouble.

You avoid potential trouble errors on a security patch. You need to make
sure you have zero risk in the patch.

