[ntp:security] [Pool] NTP CVE patches?

Danny Mayer mayer at ntp.org
Fri Oct 23 02:05:43 UTC 2015


This looks wrong. If you fail the origin timestamp test then the packet
is now dropped immediately and it never gets to the RATE KoD test. If it
does get to the RATE KoD test then the Origin Timestamp is valid. If
it's a RATE KoD then it obeys the backoff but all KoD's must be dropped.
I think you missed the fact that the failure of TEST2 now causes it to
immediately drop the packet. See the returns on line 1343 and 1365.

Danny

On 10/22/2015 12:57 PM, Miroslav Lichvar wrote:
> On Thu, Oct 22, 2015 at 09:13:04AM +0000, Harlan Stenn wrote:
>> Miroslav,
>>
>> Might I trouble you to open a bug report on this?
> 
> The problem with KoD is that the packet must be dropped when a TEST
> bit is set (i.e. some test failed). That's exactly the same as with
> normal packets. When the transmit timestamp is zero, TEST3 will fail
> and the packet must be dropped.
> 
> The problem with symmetric association is in the state variables. They
> need to be updated even when TEST2 failed, so the association can be
> properly initialized on both sides.
> 
> Anyway, I thought you had this patch from the BU people and were going
> to include it in 4.2.8p4.
> 
>>> diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.kodtest ntp-4.2.6p5/ntpd/ntp_proto.c
>>> --- ntp-4.2.6p5/ntpd/ntp_proto.c.kodtest	2015-09-24 18:20:19.121981664 +
>>> 0200
>>> +++ ntp-4.2.6p5/ntpd/ntp_proto.c	2015-09-24 18:20:54.596594166 +0200
>>> @@ -1165,7 +1165,7 @@ receive(
>>>  	peer->ppoll = max(peer->minpoll, pkt->ppoll);
>>>  	if (hismode == MODE_SERVER && hisleap == LEAP_NOTINSYNC &&
>>>  	    hisstratum == STRATUM_UNSPEC && memcmp(&pkt->refid,
>>> -	    "RATE", 4) == 0) {
>>> +	    "RATE", 4) == 0 && !(peer->flash & PKT_TEST_MASK)) {
>>>  		peer->selbroken++;
>>>  		report_event(PEVNT_RATE, peer, NULL);
>>>  		if (pkt->ppoll > peer->minpoll)
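Review bot: The added `!(peer->flash & PKT_TEST_MASK)` term on the `+` line only keeps a RATE packet with a failed test out of this block; nothing in the hunk discards that packet, so it falls through to whatever follows the `if`. If the intent is that a packet with any TEST bit set is dropped, make the drop explicit ahead of this check. The context line `peer->ppoll = max(peer->minpoll, pkt->ppoll);` above the condition also runs before the flash bits are consulted, so `pkt->ppoll` from a packet that failed the tests is still stored in the peer; consider moving that assignment behind the same check. A short comment explaining why the RATE handling depends on `peer->flash` would help.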
>>>
>>>
>>
> 
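A simplified model of the ordering discussed in this thread, as an added example that is not part of the original messages and is not ntpd source: the TEST bits are evaluated first, any failure drops the packet, and only a packet that passes reaches the RATE KoD handling. The struct layouts, `check_reply`, `last_xmt`, the verdict names and the bit values are assumptions made for the model; only client/server mode is covered, not the symmetric case.

```c
/* Simplified model of a client's reply checks; added example, not ntpd source. */
#include <stdint.h>
#include <string.h>

#define TEST1 0x01	/* duplicate: transmit timestamp already seen */
#define TEST2 0x02	/* bogus: origin timestamp != our last transmit */
#define TEST3 0x04	/* transmit timestamp is zero */
#define PKT_TEST_MASK (TEST1 | TEST2 | TEST3)
#define MODE_SERVER 4
#define LEAP_NOTINSYNC 3
#define STRATUM_UNSPEC 0

/* Hypothetical, reduced packet and peer state for the model. */
struct pkt  { uint8_t leap, mode, stratum, ppoll; char refid[4]; uint64_t org, xmt; };
struct peer { uint64_t aorg, last_xmt; uint8_t minpoll; unsigned flash; };
enum verdict { PROCESS, DROP, BACKOFF_AND_DROP };

enum verdict check_reply(struct peer *p, const struct pkt *k)
{
	p->flash = 0;
	if (k->xmt == 0)
		p->flash |= TEST3;
	else if (k->xmt == p->last_xmt)
		p->flash |= TEST1;
	if (k->org != p->aorg)
		p->flash |= TEST2;

	/* A failed test drops the packet before any KoD handling, so a
	 * packet that does not echo aorg cannot trigger the backoff. */
	if (p->flash & PKT_TEST_MASK)
		return DROP;
	p->last_xmt = k->xmt;

	if (k->mode == MODE_SERVER && k->leap == LEAP_NOTINSYNC &&
	    k->stratum == STRATUM_UNSPEC) {
		if (memcmp(k->refid, "RATE", 4) != 0)
			return DROP;		/* other kiss codes: dropped, no backoff */
		if (k->ppoll > p->minpoll)
			p->minpoll = k->ppoll;	/* obey the rate backoff */
		return BACKOFF_AND_DROP;	/* a KoD is never used for time */
	}
	return PROCESS;
}
```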


