[ntp:security] [Bug 1331] DoS with mode 7 packets (CVE-2009-3563)

Danny Mayer mayer at ntp.org
Fri Oct 9 01:24:32 UTC 2009


Dave Hart wrote:
> On Fri, Oct 9, 2009 at 12:22 AM, Danny Mayer <mayer at ntp.org> wrote:
>> No it isn't misplaced. current_time is not well controlled, can be
>> overwritten and other havoc can happen. After 30 years it's east to spot
>> potential trouble errors and anything that might affect the fix needs to
>> be avoided at all costs until after the fix has gone out and the change
>> examined from all sides. It should not be depended upon for a critical
>> fix.
> 
> You sure are full of hot air on this point.  current_time is modified
> in exactly one place, timer().  Both timer() and process_private() run
> on ntpd's main thread, and there is simply no way for current_time to
> be modified while process_private() is running.  This may be a
> potential trouble error but it's not an error and it's not trouble.
> 

You avoid potential trouble errors on a security patch. You need to make
sure you have zero risk in the patch.

Danny

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



More information about the security mailing list